ASA Ipsec Hosted behind FW with Single IP

Plaethos
Level 1
So my YouTube/Google-fu has failed me.  I'm looking for some basic help -- and, based on that, help with the issue I'm having, which I don't even know is possible....
I have an ASA 5555-X with the advanced license; cable modem service with a single IP; my VPN termination point is sitting in my DMZ.
 
First question out the gate: 
Is it even possible to NAT inside traffic while also serving (to my understanding anyway) 1:1 NAT to a VPN headend in the DMZ?
 
I'm somewhere between newbie and intermediate when it comes to this stuff, so I hope the info I share makes my end goal clear.
 
1.  Cable modem hosts the public IP and NATs to a 192.168.0.0/24 subnet.
 
2.  I have reserved 192.168.0.15 as my Outside interface address.
 
3.  ASA Inside address is 192.168.250.3/29 -- L3 connection via PO to a 3850 (VLAN 250, 192.168.250.2). (route inside 10.0.0.0 255.0.0.0 192.168.250.2)
LAN is 10.x.x.x/16 -- individual SVIs on the 3850.
 
4.  I am using a DMZ; the subnet is 172.16.250.0/29.
Static IPs: 172.16.250.1 (gateway/static on the ASA) and .4/.5 as hosts.
 
 
          | [DMZ] 172.16.250.1  -----  [hosts] 172.16.250.4/5
Internet ----- Pu.bl.ic.IP | 192.168.0.1/24  ------ [Outside] 192.168.0.15/24 |
          | [Inside] 192.168.250.3  ----------- [3850] 192.168.250.2 | 10.0.0.0 /16
  
By default I have:
nat (inside,outside) 
nat (dmz,outside)
route outside 0.0.0.0 0.0.0.0 192.168.0.1
route inside 10.0.0.0 255.0.0.0 192.168.250.2
Inspect passthrough traffic.
 
ACL:  Outbound_In in Outside
  permit any 172.16.250.4 ObjectIpsec (udp/500 - udp/4500)
 
 
 
 
So what am I trying to do?
 
I would like to set up a site-to-site VPN from a 3rd-party vendor "remote-outside" to the same 3rd-party vendor in my DMZ -- or, to generalize,
I'd like to allow IPsec udp/500-4500 traffic to my DMZ host from anywhere remote-outside.
 
I've read somewhere that I need to create a crypto map to pass the IPsec traffic -- but I don't want to go through the site-to-site wizard unless I have to.
 
What I see now from my VPN "headend" is that my traffic to my remote is clean and makes it.  The return traffic, not so much.  I end up getting a NoSyn flag from Remote to Headend.
 
Packet Tracer shows it should work....but it no workie.
 
Thoughts/Links/Suggestions?  I'm all eyes for anyone who can assist.  I feel I'm right there....
 
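The following is an added configuration example, not code from the original post or its replies, showing one way to pass IPsec to a DMZ headend on an ASA running 8.3+ (object NAT) syntax without touching the existing dynamic PAT for inside and DMZ. Two per-port static NAT rules forward udp/500 and udp/4500 from the outside interface address to the DMZ host, and the inbound ACL permits them. No crypto map is needed because the ASA is not terminating the tunnel; crypto maps only apply to IPsec that the ASA itself terminates. The object names and the remote peer address 203.0.113.10 (documentation range) are assumptions, as is the requirement that both peers use NAT-T (udp/4500): behind two layers of NAT, raw ESP (IP protocol 50) has no port to translate and will not survive the cable modem's PAT. The cable modem must itself forward udp/500 and udp/4500 to 192.168.0.15 (or be put in bridge mode), which the post does not mention.

```cisco
! Added example, not from the original post. ASA 8.3+ object NAT syntax.
! Assumed: DMZ headend is 172.16.250.4, peers use NAT-T (udp/4500),
! remote peer public address is 203.0.113.10 (documentation range).
!
! The existing "nat (inside,outside)" / "nat (dmz,outside)" dynamic PAT
! rules stay. In the ASA NAT table, static object rules are evaluated
! before dynamic ones, so these port-forwards win for inbound 500/4500.
object network DMZ_VPN_HEADEND
 host 172.16.250.4
!
! One object per forwarded port: a network object carries one nat statement.
object network DMZ_VPN_HEADEND_ISAKMP
 host 172.16.250.4
 nat (dmz,outside) static interface service udp 500 500
object network DMZ_VPN_HEADEND_NATT
 host 172.16.250.4
 nat (dmz,outside) static interface service udp 4500 4500
!
! Post-8.3 ACLs match the real (untranslated) DMZ address, not 192.168.0.15.
! "host 203.0.113.10" pins this to the known peer; replace with "any" only if
! the headend genuinely must accept IKE from anywhere, as the post describes.
access-list Outbound_In extended permit udp host 203.0.113.10 object DMZ_VPN_HEADEND eq isakmp
access-list Outbound_In extended permit udp host 203.0.113.10 object DMZ_VPN_HEADEND eq 4500
access-group Outbound_In in interface outside
!
! Verification from the ASA CLI. Simulate the remote peer's NAT-T packet
! arriving on outside, addressed to the ASA outside address (the cable
! modem's forward target); the trace should show the static NAT rule,
! the ACL permit, and an ALLOW result.
!   packet-tracer input outside udp 203.0.113.10 4500 192.168.0.15 4500 detailed
! After real traffic, confirm the static rules are taking hits and a
! translation/connection exists for the DMZ host:
!   show nat detail
!   show xlate | include 172.16.250.4
!   show conn | include 4500
```

If packet-tracer allows the packet but `show nat detail` shows zero hits on the static rules after a real attempt, the packet is not reaching the ASA outside interface at all, which points at the cable modem's port forwarding rather than the ASA configuration.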
2 Replies

Can you draw the topology?
Thanks

MHM

Apologies for the delay -- here's what the topology looks like (attached).

On a side note, I did find this link:  https://community.cisco.com/t5/vpn/denied-due-to-nat-reverse-path-failure/td-p/2496573

I've applied it, but haven't had a chance to test this config yet.  Could this be the answer?  Testing it with Packet Tracer, it appears to work -- although I had this confirmation before...so who knows.

Attaching my full running config as well....I did notice a couple of the IPs I included in my diagram didn't match my running config...but my 10 net space works fine -- tons of NAT translations, etc.

Can't express how much your help is appreciated.
