520 Views | 0 Helpful | 1 Replies

ASA static to indirect subnet / return traffic without default route NAT help

rgnelson (Level 1)

I am having trouble with a NAT concept. What I have is a 3rd party software VPN product that basically tunnels encapsulated traffic to/from a server sitting inside the network. Right now this traffic utilizes a physical interface on the ASA5510, but I need the interface for another project.

What I have is this:

Internet<----->ASA<-->router<-->4507(layer3)
                |                    |
                |                    |-Vlan1
                |                    |
                |-vlan2(3rdpartyvpn)

Currently the 3rdpartyvpn server's default gateway is set to the dedicated ASA interface and routes are configured on the server itself for the internal subnets.

What I want is this:

Internet<----->ASA<-->router<-->4507(layer3)
                                     |
                                     |-Vlan1
                                     |
                                     |-vlan2 (3rdpartyvpn here)

In this scenario I'll need to configure the 3rdpartyvpn server's default gateway to be the gateway for the vlan. I know a default route on the 4507 would take care of this, but in this case, that isn't an option.

There is a static for the 3rdpartyvpn:

static (3rdpartyvpn,outside) <public> <private> netmask 255.255.255.255

But as expected, the traffic comes in with its real IP source address and without that default route, doesn't return.

What can I do to translate that traffic?

I'm thinking something along the lines of a nat outside, but am having trouble with the mechanics.

I have:

global (outside) 1 interface
global (guest) 1 192.168.2.199-192.168.2.205 netmask 255.255.255.0
global (netmotion) 1 interface
nat (guest) 0 access-list nonat_guest
nat (guest) 1 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (3rdpartyvpn) 1 172.<private> 255.255.255.0

I would appreciate being pointed in the right direction! TIA!
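For readers with the same problem, here is an added worked example of the "nat outside" mechanics the question is asking about, written in the same ASA 8.2-style static/nat/global syntax the original config uses. It is not part of the original post or the reply. The addresses are assumptions for illustration: ASA inside interface 10.0.0.1/24, the router's ASA-facing address 10.0.0.2, the vlan2 server subnet 172.16.2.0/24 with the VPN server at 172.16.2.10, and public IP 203.0.113.10. The idea: keep the one-to-one static for the server, but rewrite the source of every inbound connection to the ASA's inside interface address, so the server's replies go to an address the 4507 already reaches through its existing routes toward the router, with no default route needed.

```cisco
! Added example (not from the original post): ASA 8.2 outside NAT so that
! inbound VPN traffic reaches the server on vlan2 via the inside path and
! the server's replies are addressed to the ASA's inside interface.
! Assumed addresses: ASA inside 10.0.0.1/24, router 10.0.0.2,
! server subnet 172.16.2.0/24, server 172.16.2.10, public 203.0.113.10.

! 1. The ASA must know how to reach the vlan2 subnet through the router.
route inside 172.16.2.0 255.255.255.0 10.0.0.2 1

! 2. The one-to-one static now belongs to the inside interface, since the
!    dedicated 3rdpartyvpn interface is being given up.
no static (3rdpartyvpn,outside) 203.0.113.10 172.16.2.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.10 172.16.2.10 netmask 255.255.255.255

! 3. Outside NAT. Use a NEW nat id (2 here), not the existing id 1: a
!    "global (inside) 1 interface" would also PAT the existing
!    "nat (guest) 1" pool whenever guest traffic heads to inside.
!    The trailing "outside" keyword is what makes this an outside NAT rule.
nat (outside) 2 0.0.0.0 0.0.0.0 outside
global (inside) 2 interface

! 4. The existing inbound ACL on the outside interface (permitting the VPN
!    product's ports to 203.0.113.10) is unchanged and is not shown here.
```

Two caveats a practitioner would want before pasting this in. First, this form of the rule PATs the source of every outside-to-inside flow, not only flows to the VPN server; if other inbound services are published on the inside interface and must keep their real client source, scope the rule with a policy NAT access-list instead. Second, the VPN server will now log every client as 10.0.0.1, so per-client source attribution moves to the ASA (`show xlate`, `show conn`, syslog); check the path with `packet-tracer input outside udp 198.51.100.5 1024 203.0.113.10 <vpn-port>` (constructed client address) and confirm the 4507 has a route for the 10.0.0.0/24 inside subnet toward the router, which this example assumes already exists.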

1 Reply

Hi Bro

You can still maintain the first diagram. To do this, you could utilize the subinterface method, as shown below:

Note: assuming Ethernet 0/2 is used here:

!
interface Ethernet 0/2
 no ip address
 no nameif
 no security-level
!
interface Ethernet 0/2.2
 description ### Link to Third Party VPN Server ###
 vlan 2
 ip address 172.16.1.1 255.255.255.0
 nameif 3rdpartyvpn
 security-level 10
!
interface Ethernet 0/2.3
 description ### RSVD for New Project ###
 vlan 3
 ip address 172.16.2.1 255.255.255.0
 nameif newproject
 security-level 10
!

That means the external port of your third party VPN Server and your new project will share the same physical interface, i.e. Ethernet 0/2. If you don't like this approach, then you could share the guest interface instead.

If you refuse to point the default gateway of your third party VPN Server to the L3, then this won't work. This is because the link between the Router and the Layer 3 isn't in VLAN 2 either. By the way, why do you have a Router between the L3 and the Cisco ASA FW?

I’m assuming you have no more available ports in the FW and Router.

Warm regards,
Ramraj Sivagnanam Sivajanam