ASA Ipsec Hosted behind FW with Single IP

Plaethos — Tue, 02 Jul 2024 23:51:16 GMT

So my youtube-googlefoo has failed me. I'm looking for some basic help -- and based on that, the issue I'm having, which I don't even know if it's possible....

I have an ASA 5555-x with advanced license; Cable Modem service with single IP; My VPN termination point is sitting in my DMZ.

First question out the gate:

Is it even possible to NAT inside traffic while also serving (to my understanding anyway) 1:1 NAT to VPN headend in the DMZ?

I'm sort of newb/intermediate when it comes to this stuff, so I'm hopeful my info share will be clear with my end goal.

1. Cable Modem hosts public IP, nats to a 192.168.0.0 /24 subnet.

2. I have reserved 192.168.0.15 as my Outside Iface.

3. ASA Inside addr is 192.168.250.3 /29 -- L3 connection via PO to 3850 - vlan 250 - 192.168.250.2). (route inside 10.0.0.0 255.0.0.0 192.168.250.2)

LAN is 10.x.x.x/16 - individual SVI's on a 3850

4. I am using a DMZ, Subnet is 172.16.250.0 /29

Static IPs - 172.168.250.1 (gateway/Static on ASA) and 4/5 as Hosts.

| [DMZ] 172.16.250.1 ----- [hosts] 172.16.250.4/5

Internet ----- Pu.bl.ic.IP | 192.168.0.1/24 ------ [Outside] 192.168.0.15/24 |

| [Inside] 192.168.250.3 ----------- [3850] 192.168.250.2 | 10.0.0.0 /16

By default I have:

nat (inside,outside)

nat (dmz,outside)

route outside 0.0.0.0 0.0.0.0 192.168.0.1

route inside 10.0.0.0 255.0.0.0 192.168.250.2

Inspect passthrough traffic.

ACL: Outbound_In in Outside

permit any 172.16.250.4 ObjectIpsec (udp/500 - udp/4500)

So what am I trying to do?

I would like to setup a site to site vpn using a 3rd party vendor "remote-outside' to the same 3rd party vendor in my DMZ - or to generalize,

I'd like to allow ipsec udp/500-4500 traffic to my DMZ Host from anywhere remote-outside.

I've read somewhere I need to create a crypto-map to pass the ipsec traffic -- but I don't want to go through the site-to-site wizard unless I have to.

What I see now from my VPN "headend" is my traffic to my remote is clean and makes it. the return traffic no so much. I end up getting a NoSyn Flag. from Remote to Headend.

Packet Tracer is showing it should work....but it no workie.

Thoughts/Links/Suggestions? I'm all eyes for anyone who can assist. I feel I'm right there....

Re: ASA Ipsec Hosted behind FW with Single IP

MHM Cisco World — Wed, 03 Jul 2024 22:14:39 GMT

can you draw topolgy
thanks

MHM

Re: ASA Ipsec Hosted behind FW with Single IP

Plaethos — Sat, 06 Jul 2024 07:47:36 GMT

Apologies for the delay -- here's what the topology looks like (Attached)

On a side note, I did find this link: https://community.cisco.com/t5/vpn/denied-due-to-nat-reverse-path-failure/td-p/2496573

I've applied it, but haven't had a chance to test this config yet. Could this be the answer? Testing with it via Packet Trace, it appears to work -- although, I had this confirmation before...so who knows.

Attaching my full run as well....i did notice a couple of the IPs I included in my diagram didn't match my run config...but my 10 net space works fine -- tons of nat translations etc.

Can't express how much your help is appreciated.

topic Re: ASA Ipsec Hosted behind FW with Single IP in Network Security

ASA Ipsec Hosted behind FW with Single IP

Re: ASA Ipsec Hosted behind FW with Single IP

Re: ASA Ipsec Hosted behind FW with Single IP