Port forward between a Cisco ASA 5525-X and a Cisco Meraki MX68W over L2L tunnel

Hi All,

I need to create a port forward on our public IP on a Cisco ASA to another site which has a Cisco Meraki MX. I need to access a service behind the LAN on the Meraki side but from the public IP of the ASA. There is a VPN tunnel between us and that is fine.

I have set up many port forwards from the public IP on the ASA to internal LAN devices on the LAN side of the ASA successfully, but this has got me stumped.

I cannot do a port forward simply on the public IP of the Meraki as its internet is 4G and they block ports and share the public IP with many subscribers, I am told.

I thought it'd simply be a case of the usual

object network
 host the_far_end_device
 nat (inside,outside) static Public_IP service udp port port

and the access list to allow

access-list outside_in extended permit udp any host the_far_end_device eq port

This is what I would normally do for devices on the LAN side of the ASA.

This is however a device over the VPN tunnel.

I can see traffic coming in but I don't think it goes over the VPN and so fails to connect.

What am I missing?

Any ideas much appreciated.

Cheers

Steve

 


Re: Port forward between a Cisco ASA 5525-X and a Cisco Meraki MX68W over L2L tunnel

I am not sure about the Meraki side, but you have to create a NAT rule with (outside,outside). For example:

nat (outside,outside) source static any VPN destination static PUB PRI

Explanation:
VPN: This is the IP address from the encryption domain for the VPN.
PUB: Public IP which you want to be accessible over the Internet.
PRI: Private IP across the VPN which hosts the service.

Along with this, you need to allow same-security intra-interface traffic with the following command:

same-security-traffic permit intra-interface

The access list will be required on the outside interface, as you normally do when NATting a public server. The above mentioned configuration is just to give you an idea. If you need more help, I would request you to provide more details.


HTH
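A complete ASA-side configuration for the scenario in the reply above, added here as an example; it is not from the thread or from Cisco. All addresses, object names, the interface name `outside` and the port udp/5000 are assumed values. It uses a dynamic (PAT) source translation so that any number of Internet clients can share the VPN address, and ends with the checks a practitioner would run before blaming the tunnel.

```cisco
! Constructed example, not from the thread. Assumed values:
!   203.0.113.10  = ASA public IP reachable from the Internet (PUB)
!   192.168.20.50 = service host on the Meraki LAN, reached via the L2L tunnel (PRI)
!   10.10.10.0/24 = ASA inside subnet, already part of the tunnel's encryption domain
!   10.10.10.254  = unused address in that subnet, used as the translated source (VPN)
!   udp/5000      = the forwarded service port

! 1. Allow a flow to enter and leave the same (outside) interface
same-security-traffic permit intra-interface

! 2. Objects used by the twice NAT rule
object network PUB
 host 203.0.113.10
object network PRI
 host 192.168.20.50
object network VPN
 host 10.10.10.254
object service SVC_UDP_5000
 service udp destination eq 5000

! 3. Twice NAT: Internet clients hitting PUB:5000 are sent to PRI:5000 across
!    the tunnel; their source is rewritten to VPN so the return traffic stays
!    inside the encryption domain (the point made in the reply)
nat (outside,outside) source dynamic any VPN destination static PUB PRI service SVC_UDP_5000 SVC_UDP_5000

! 4. Outside ACL, written against the real (untranslated) destination
access-list outside_in extended permit udp any object PRI eq 5000
access-group outside_in in interface outside

! 5. Checks: confirm the rule is hit, then trace a constructed client packet
!    (198.51.100.7 is a placeholder Internet source). The trace must show the
!    VPN encrypt phase; if it does not, the crypto ACL on one or both ends does
!    not cover 10.10.10.254 <-> 192.168.20.50.
show nat detail
packet-tracer input outside udp 198.51.100.7 40000 203.0.113.10 5000
```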