topic Re: Internet Setup Help in Network Security

Internet Setup Help

Ali Koussan — Mon, 11 Mar 2019 21:35:23 GMT

Hi All,

I have simple Internet setup(see attached).the ISP provided us with one public IP address only.

The objective is to have the internal users access the Internet directly without proxy.Remote access VPN is also required (using cisco VPN client).

My question is : how can I do the configuration of :

1- The internal user to access the Internet : shall I do the PAT on the router ?

2- Remote access VPN : If I want to do it on the firewall , can I use the only public IP I have on the as the NAT IP of the ASA (for certain VPN ports), and at the same time use this public IP for PAT ?

what are the option of doing this setup?

Thanks

Re: Internet Setup Help

andrew.prince — Sat, 08 Oct 2011 13:22:25 GMT

To answer both of your questions at the same time - place the router behind the firewall and connect the ISP circuit directly to the firewall outside.

Re: Internet Setup Help

Kureli Sankar — Sat, 08 Oct 2011 15:17:17 GMT

1. Yes. You can PAT everyone to the outside interface of the ASA.

2. Once that is done, you can provide static 1-1 NAT for the ASA's outside IP on the router to one routable available IP provided by the ISP.

-Kureli

Re: Internet Setup Help

Ali Koussan — Sat, 08 Oct 2011 16:00:06 GMT

Thanks guys,

Actually putting the router behind the firewall is not an option .

Ok kureli, you mean to do PAT on the AsA to the outside interface (private) IP , then NAT the outside IP of the ASA to the public IP of the router. Great , now what about VPN ? Can we just use the public IP that we have used for ASA outside NAT , for VPN ? I think we have to do port forwarding or some thing ...

What do you think

Sent from Cisco Technical Support iPhone App

Re: Internet Setup Help

andrew.prince — Sat, 08 Oct 2011 16:19:02 GMT

Why is it not an option?

Re: Internet Setup Help

Kureli Sankar — Sat, 08 Oct 2011 16:31:35 GMT

Correct. You don't have to do any port forwaring. If the ASA listens on port 443 then the router will receive the traffic on port 443 for that 1-1 IP it will send that packet right to the ASA.

Just allow the ACL on the router to let 443 packets destined to the ASA's translated address for inbound connections.

-Kureli

Re: Internet Setup Help

Ali Koussan — Sat, 08 Oct 2011 18:07:55 GMT

Hi Andrew , actually the ISP provide the router with configuration , you are right putting the firewall first will solve the issue as we can do the PAT for user Internet access and termination of the VPN directly on the ASA outside.

Anyway , I will suggest that to the customer and see if it is acceptable.

Thanks

Sent from Cisco Technical Support iPhone App

Re: Internet Setup Help

Ali Koussan — Sat, 08 Oct 2011 18:12:14 GMT

Hi kureli,

If this will work as you stated , then the problem is solved .

Have you tried it before? Do you have any sample configuration ? It will be great.

Thanks in advance.

Sent from Cisco Technical Support iPhone App

Re: Internet Setup Help

Kureli Sankar — Sat, 08 Oct 2011 21:21:58 GMT

Yes it will. Many companies have a toplogy similar to yours. This is very common. Don't have any sample though.

-Kureli

Re: Internet Setup Help

Ali Koussan — Sun, 09 Oct 2011 09:02:20 GMT

Hi Kureli ,

I have tried the setup in the LAB , I tested two senarios

Senario 1:

On the router : NAT ASA outside to the Router Public IP , and PAT ASA inside Users subnet to the same public IP of the router.

On the ASA : Only No NAT the inside , no PAT , only VPN remote access

Router config:

interface GigabitEthernet0/0

description to-ISP

ip address 1.1.1.1 255.255.255.0

ip nat outside

interface GigabitEthernet0/1

description to-ASA-Outside

ip address 172.16.1.1 255.255.255.0

ip nat inside

ip route 0.0.0.0 0.0.0.0 1.1.1.2 (1.1.1.2 is a test machine on the outside)

ip route 10.1.0.0 255.255.0.0 172.16.1.2 (172.16.1.2 is ASA outside)

ip nat inside source list 1 interface GigabitEthernet0/0 overload

ip nat inside source static 172.16.1.2 interface GigabitEthernet0/0

access-list 1 permit 172.16.0.0 0.0.255.255

ASA Config:

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 172.16.1.2 255.255.255.0

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.1.1.240 255.255.255.0

object network inside-subnet

subnet 10.1.0.0 255.255.0.0

object network inside-subnet

nat (inside,outside) static 10.1.0.0

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

route inside 10.1.0.0 255.255.0.0 10.1.1.1

----

The setup looks working , also the remote access VPN.But I had to do NAT/PAT on the router not on the ASA .

Senario 2:

On the router : only NAT ASA outside to the Router Public IP

On the ASA : PAT the inside subnet to ASA outside , and VPN remote access config.\

Router Config:

same basic config in senario1 and :

ip nat inside source static 172.16.1.2 interface GigabitEthernet0/0

ASA Config:

same basic config in senario1 and :

object network Inside-Subnet

subnet 10.1.0.0 255.255.0.0

description Inside-Subnet

object network Inside-Subnet

nat (any,outside) dynamic interface

This did not work , and Also the VPN did not work , I may Have basic error somewhere !!.

Do you have any hint !

Thanks

Re: Internet Setup Help

Kureli Sankar — Sun, 09 Oct 2011 13:19:54 GMT

Ali,

Sorry I missed to read this line "ISP provided us with one public IP address only" in your requirement. You cannot do static 1-1 for the ASA to the routers g0/0 address. This is incorrect.

Well, this is still possible but, you would have to static PAT.

1. On the ASA PAT everyone to the outside interface IP (your config looks correct)

2. On the router you can do

ip nat inside source list 120 interface g0/0

access-l 120 deny tcp 172.16.1.2 eq 443 any ---> (so it can take the static PAT)

access-l 120 per ip 172.16.1.2 any

3. ip nat inside source static tcp 172.16.1.2 443 int g0/0 443

If you like to do no "nat-control" on the ASA then all the inside guys the 10.x.x.x guys will look like themselves when they arrive on the router in that case you can do the following on the router.

a. ip nt inside source list 120 int g0/0

access-l 120 per ip 10.1.0.0 0.0.255.255 any

ip nat inside source list 120 int g0/0

b. ip nat inside source static tcp 172.16.1.2 443 int g0/0 443

ip route 10.1.0.0 255.255.0.0 172.16.1.2

I hope it is clear.

-Kureli

Re: Internet Setup Help

Ali Koussan — Mon, 10 Oct 2011 05:34:26 GMT

Thanks Kureli,

I have ASA 8.3 , disabling nat-control is not an option .

I will try the setup again , and let you know ..I appreciate your great help.

Ali

Re: Internet Setup Help

Ali Koussan — Mon, 10 Oct 2011 06:40:21 GMT

Hi Hureli,

Just recap , The customer has no problem not to NAT the local user on the ASA , we can use identity NAT on ASA for them.

Please check the diagram , it shows the setup with the configuration , let me know please how it looks.

Thanks