02-07-2020 12:48 PM - edited 02-07-2020 02:48 PM
What will be the ASA configuration for VPN
I have 1 PPPoE link from my ISP, so I want to use a DDNS IP as the static IP; it's required by the organization.
How should I configure the ASA 5510 so a remote user can access my site PC webcam over VPN, only one user on each side, by DDNS FQDN or IP in a browser? I also want to use the same internet connection for my inside LAN users.
02-07-2020 03:24 PM
Hi,
My understanding of your question is that on your outside interface you will be getting a dynamic IP which will keep changing over time. You can register for DDNS and configure the ASA to generate an update whenever it gets a new IP.
To access the camera, one good solution will be to configure an SSL WebVPN on your router's outside interface, and on the WebVPN page there will be a bookmark for your one camera or multiple cameras.
The second option is to access the camera directly from outside using the DDNS name. Once your router's Internet IP on the outside is associated with DDNS, we can configure port forwarding to allow people from outside to reach your camera on port 443 or 20000, e.g. https://asa.exampledomain.com:20000. From a security perspective, if your camera supports HTTPS and authentication then it will be fine.
Configuration:
For DDNS:
Once you set up an account with your preferred partner for DDNS, you need to add the following to your ASA:
hostname(config)# ddns update method ddns-2
hostname(DDNS-update-method)# ddns both
Step 2 To associate the method ddns-2 with the eth1 interface, enter the following commands:
hostname(DDNS-update-method)# interface eth1
hostname(config-if)# ddns update ddns-2
hostname(config-if)# ddns update hostname asa.example.com
Option 1: SSL Configuration example from CLI or from ASDM:
https://www.cisco.com/c/en/us/support/docs/security-vpn/webvpn-ssl-vpn/119417-config-asa-00.html
With the above, once you open your SSL VPN page from outside using DDNS or IP, you can browse any accessible web pages on your LAN, like your camera.
Option 2:
NAT/Portforwarding:
As mentioned above, you can also access your camera without SSL once your DDNS setup is done, or if you have a static IP, you can access it with the static IP as well:
ASA1(config)# object network CAMERA
ASA1(config-network-object)# host 192.168.3.1
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) static interface service tcp 80 20000
or
nat (INSIDE,OUTSIDE) static interface service tcp 80 80
If you use 20000, then you need to access the camera on 20000, e.g. https://x.x.x.x:20000
Let me know for any further information.
-- Rate this post as helpful/accepted as solution if it helped you out. It will be helpful for others who are seeking a solution for a similar query.
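An added example, not part of the original posts or any Cisco tooling: a small Python check that reads an ASA configuration like the Option 2 port-forward above and flags forwards that expose a cleartext service or that an outside ACL opens to any source. The access-list line, the name OUTSIDE_IN and all function names are assumptions; the thread shows only the NAT rule.

```python
import re

# Constructed sample: the answer's port-forward plus a hypothetical outside ACL.
SAMPLE_CONFIG = """\
object network CAMERA
 host 192.168.3.1
 nat (INSIDE,OUTSIDE) static interface service tcp 80 20000
access-list OUTSIDE_IN extended permit tcp any host 192.168.3.1 eq www
"""

PORT_NAMES = {"www": "80", "https": "443", "telnet": "23", "ftp": "21"}
CLEARTEXT_PORTS = {"80", "23", "21"}  # services that carry credentials unencrypted
NAT_RE = re.compile(r"nat \(\S+,\S+\) static interface service (tcp|udp) (\S+) (\S+)")
ACL_RE = re.compile(r"access-list \S+ extended permit (tcp|udp) "
                    r"(any4?|host \S+|\S+ \S+) host (\S+) eq (\S+)")

def port(p):
    return PORT_NAMES.get(p, p)  # normalise ASA port keywords such as 'www'

def parse_port_forwards(config):
    """Collect 'static interface service' rules from object network blocks."""
    hosts, rules, name = {}, [], None
    for line in config.splitlines():
        if line.startswith("object network "):
            name = line.split()[2]
        elif not line.startswith(" "):
            name = None
        elif name and line.split()[:1] == ["host"]:
            hosts[name] = line.split()[1]
        elif name and (m := NAT_RE.search(line)):
            rules.append((name, m[1], port(m[2]), port(m[3])))
    return [{"object": n, "host": hosts.get(n), "proto": pr, "real_port": rp,
             "mapped_port": mp} for n, pr, rp, mp in rules]

def audit(config):
    """Flag forwards that expose a cleartext service or accept any source."""
    acls = [m.groups() for m in ACL_RE.finditer(config)]
    findings = []
    for fw in parse_port_forwards(config):
        if fw["real_port"] in CLEARTEXT_PORTS:
            findings.append((fw["object"], "cleartext-service"))
        # On ASA 8.3+ the ACL matches the real (inside) address and port.
        sources = [src for proto, src, dst, p in acls
                   if (proto, dst, port(p)) == (fw["proto"], fw["host"], fw["real_port"])]
        if any(s.startswith("any") for s in sources):
            findings.append((fw["object"], "open-to-any-source"))
        elif not sources:
            findings.append((fw["object"], "no-matching-permit"))
    return findings
```

The check only understands ACL entries whose destination is written as `host <ip> eq <port>`; object-group based rules would need extra parsing.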