We're setting up a VPN link to a third-party provider (a financial clearing broker) that uses a Cisco ASA on the other side, in order to exchange trade clearing messages via the FIX protocol (a TCP-based protocol for financial transactions).
Our local subnet is 10.1.0.0/22. The relevant external IP for our firewall is 96.1.1.1 on ge-0/0/1. The provider's subnet is 192.168.10.0/24. Their ASA's public address (for example) is 206.1.1.1. We need our server (10.1.0.3) to connect to a server on their end (192.168.10.5) and vice versa. However, we need our server to be accessible (and outbound traffic to look like it's coming) from 10.172.5.3. Presumably, you would use source NAT for this.
Our theorized configuration looks like:
[show security ike]
proposal broker-phase1-proposal {
    authentication-method pre-shared-keys;
    dh-group group19;
    authentication-algorithm sha1;
    encryption-algorithm aes-128-cbc;
}
policy broker-phase1-policy {
    mode main;
    proposals broker-phase1-proposal;
    pre-shared-key ascii-text "<SECRET KEY>"; ## SECRET-DATA
}
gateway gw-broker {
    ike-policy broker-phase1-policy;
    address 206.1.1.1;
    local-identity inet 96.1.1.1;
    remote-identity inet 206.1.1.1;
    external-interface ge-0/0/1.0;
}
[show security ipsec]
proposal broker-ipsec-phase2-proposal {
    protocol esp;
    authentication-algorithm hmac-sha-256-128;
    encryption-algorithm aes-128-cbc;
}
policy broker-ipsec-phase2-policy {
    perfect-forward-secrecy {
        keys group19;
    }
    proposals broker-ipsec-phase2-proposal;
}
vpn vpn-broker {
    bind-interface st0.0;
    ike {
        gateway gw-broker;
        ipsec-policy broker-ipsec-phase2-policy;
    }
    proxy-identity {
        local 10.172.5.0/24;
        remote 192.168.10.0/24;
        service any;
    }
}
[show interfaces]
...
st0 {
    unit 0 {
        family inet {
            address 10.172.5.1/24;
        }
    }
}
[show security nat]
static {
    rule-set vpn-snat {
        from zone broker-zone;
        rule oms1 {
            match {
                destination-address 10.172.5.3/32;
            }
            then {
                static-nat {
                    prefix {
                        10.1.0.3/32;
                    }
                }
            }
        }
    }
}
proxy-arp {
    interface st0.0 {
        address {
            10.172.5.3/32;
        }
    }
}
Does this configuration in general accomplish what I'm looking for? Is proxy-arp on st0.0 necessary if I'm doing static NAT? What address should I be using for the proxy-ID: the NATed address or the original one? Is there anything special you have to do to get this to work with an ASA?
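An added sanity check (example code, not from the post or from any answer to it) for the cross-references a config of this shape relies on: it parses the Junos brace syntax into nested dicts, verifies that each gateway's ike-policy names a policy that is actually defined, and verifies that every static-NAT match address lies inside the VPN's proxy-identity local prefix, on the assumption that the proxy-ID must describe the translated addresses the peer sees inside the tunnel. The embedded excerpt is constructed, with a deliberately mistyped policy name so the checker has something to report.

```python
import ipaddress
import re

def parse_junos(text):
    """Parse Junos brace syntax ('name { ... }' blocks, 'key value;' leaves) into nested dicts."""
    root, stack = {}, []
    cur = root
    for tok in (t.strip() for t in re.findall(r"[^{};]+[{;]|}", text)):
        if tok == "}":
            cur = stack.pop()
        elif tok.endswith("{"):                 # open a nested block
            stack.append(cur)
            cur = cur.setdefault(tok[:-1].strip(), {})
        else:                                   # leaf: 'key value;' or bare 'value;'
            parts = tok[:-1].split(None, 1)
            cur[parts[0]] = parts[1] if len(parts) > 1 else None
    return root

def check_vpn_nat(text):
    """Return a list of problems; an empty list means the references and prefixes line up."""
    sec = parse_junos(text)["security"]
    problems = []
    # 1. every gateway's ike-policy must name a policy that is defined
    policies = {k.split()[1] for k in sec["ike"] if k.startswith("policy ")}
    for name, gw in sec["ike"].items():
        if name.startswith("gateway ") and gw.get("ike-policy") not in policies:
            problems.append(f"{name}: ike-policy {gw.get('ike-policy')!r} is not defined")
    # 2. static-NAT match addresses (what the peer sees) must sit inside proxy-id local
    vpn = next(v for k, v in sec["ipsec"].items() if k.startswith("vpn "))
    local = ipaddress.ip_network(vpn["proxy-identity"]["local"])
    for rs in (v for k, v in sec["nat"]["static"].items() if k.startswith("rule-set ")):
        for rname, rule in ((k, v) for k, v in rs.items() if k.startswith("rule ")):
            dst = ipaddress.ip_network(rule["match"]["destination-address"])
            if not dst.subnet_of(local):
                problems.append(f"{rname}: {dst} is outside proxy-identity local {local}")
    return problems

# Constructed excerpt in the shape of the post's config; the gateway's policy name is
# deliberately mistyped ("polcy") so the checker has something to report.
SAMPLE = """security {
  ike { policy broker-phase1-policy { mode main; }
        gateway gw-broker { ike-policy broker-phase1-polcy; address 206.1.1.1; } }
  ipsec { vpn vpn-broker { ike { gateway gw-broker; }
          proxy-identity { local 10.172.5.0/24; remote 192.168.10.0/24; } } }
  nat { static { rule-set vpn-snat { rule oms1 {
          match { destination-address 10.172.5.3/32; }
          then { static-nat { prefix { 10.1.0.3/32; } } } } } } }
}"""
```

Running `check_vpn_nat(SAMPLE)` reports the dangling ike-policy reference; correcting the name yields an empty list, and changing the match address to the pre-NAT 10.1.0.3/32 makes the proxy-ID check fire instead.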