So my YouTube/Google-foo has failed me. I'm looking for some basic help -- and, based on that, help with the issue I'm having, which I don't even know is possible....
I have an ASA 5555-x with advanced license; Cable Modem service with single IP; My VPN termination point is sitting in my DMZ.
First question out the gate:
Is it even possible to NAT inside traffic while also serving (to my understanding anyway) 1:1 NAT to VPN headend in the DMZ?
I'm sort of newb/intermediate when it comes to this stuff, so I'm hopeful my info share will be clear with my end goal.
1. Cable modem hosts the public IP and NATs to a 192.168.0.0/24 subnet.
2. I have reserved 192.168.0.15 as my Outside interface.
3. ASA Inside address is 192.168.250.3/29 -- L3 connection via PO to a 3850 (vlan 250, 192.168.250.2). (route inside 10.0.0.0 255.0.0.0 192.168.250.2)
   LAN is 10.x.x.x/16 - individual SVIs on the 3850.
4. I am using a DMZ; the subnet is 172.16.250.0/29.
   Static IPs: 172.16.250.1 (gateway/static on ASA) and .4/.5 as hosts.
                                                          | [DMZ]    172.16.250.1 ----- [hosts] 172.16.250.4/5
Internet ----- Pu.bl.ic.IP | 192.168.0.1/24 ------ [Outside] 192.168.0.15/24 |
                                                          | [Inside] 192.168.250.3 ----------- [3850] 192.168.250.2 | 10.0.0.0/16
By default I have:
nat (inside,outside)
nat (dmz,outside)
route outside 0.0.0.0 0.0.0.0 192.168.0.1
route inside 10.0.0.0 255.0.0.0 192.168.250.2
Inspect passthrough traffic.
ACL: Outbound_In in Outside
permit any 172.16.250.4 ObjectIpsec (udp/500 - udp/4500)
So what am I trying to do?
I would like to set up a site-to-site VPN from a 3rd-party vendor "remote-outside" to the same 3rd-party vendor in my DMZ -- or, to generalize,
I'd like to allow IPsec udp/500-4500 traffic to my DMZ host from anywhere remote-outside.
I've read somewhere I need to create a crypto-map to pass the ipsec traffic -- but I don't want to go through the site-to-site wizard unless I have to.
What I see now from my VPN "headend" is that my traffic to my remote is clean and makes it; the return traffic, not so much. I end up getting a NoSyn flag from Remote to Headend.
Packet Tracer is showing it should work....but it no workie.
Thoughts/Links/Suggestions? I'm all eyes for anyone who can assist. I feel I'm right there....
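An added example, not from the original post, of how the inbound side of this is usually built on an ASA running 9.x object-NAT syntax: port-forward IKE (udp/500) and NAT-T (udp/4500) from the single outside address to the DMZ VPN host, and open the same two ports in the existing outside ACL. The interface names outside/dmz, the ACL name Outbound_In, and the host 172.16.250.4 are taken from the post; the object names and the remote peer address 203.0.113.10 (a documentation address) are assumptions. No crypto map is involved: a crypto map is for tunnels the ASA itself terminates, not for IPsec that merely passes through it to a third-party headend.

```cisco
! Added example (not the original poster's config). ASA 9.x object NAT.
! Object names are assumed; interfaces, ACL name and DMZ host come from the post.

! One network object per forwarded port: a network object can carry only
! one nat statement, so IKE and NAT-T each get their own object.
object network DMZ_VPN_IKE
 host 172.16.250.4
 nat (dmz,outside) static interface service udp isakmp isakmp
object network DMZ_VPN_NATT
 host 172.16.250.4
 nat (dmz,outside) static interface service udp 4500 4500

! The existing generic nat (dmz,outside) / nat (inside,outside) PAT rules stay
! as they are; static object rules are matched before dynamic ones in NAT section 2,
! so only udp/500 and udp/4500 are pinned to the DMZ host.

! Inbound ACL on outside: post-8.3 ASAs match the real (untranslated) address,
! hence the DMZ object rather than the outside interface IP.
access-list Outbound_In extended permit udp any object DMZ_VPN_IKE eq isakmp
access-list Outbound_In extended permit udp any object DMZ_VPN_NATT eq 4500
access-group Outbound_In in interface outside

! Verification from the CLI. The remote peer address is a placeholder;
! the destination is the outside interface IP because the ASA untranslates it.
packet-tracer input outside udp 203.0.113.10 500 192.168.0.15 500
packet-tracer input outside udp 203.0.113.10 4500 192.168.0.15 4500
show nat detail
show conn address 172.16.250.4
```

Two caveats that follow from the topology in the post rather than from the ASA config. First, the cable modem is itself doing NAT (item 1), so the same udp/500 and udp/4500 forwarding has to exist on the modem, pointing at 192.168.0.15; otherwise the ASA never sees the inbound packets and packet-tracer on the ASA will still say "allow". Second, this only works when both peers negotiate NAT-T and carry ESP inside udp/4500; raw ESP (IP protocol 50) has no port and cannot be forwarded by a port-based static like the one above.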