Internet Setup Help

Ali Koussan
Level 1

Hi All,

I have a simple Internet setup (see attached). The ISP provided us with one public IP address only.

The objective is to have the internal users access the Internet directly without a proxy. Remote access VPN is also required (using the Cisco VPN client).

My question is: how can I do the configuration of:

  1- The internal users accessing the Internet: shall I do the PAT on the router?

  2- Remote access VPN: if I want to do it on the firewall, can I use the only public IP I have as the NAT IP of the ASA (for certain VPN ports), and at the same time use this public IP for PAT?

What are the options for doing this setup?

Thanks

12 Replies

andrew.prince
Level 10

To answer both of your questions at the same time - place the router behind the firewall and connect the ISP circuit directly to the firewall outside.

1. Yes. You can PAT everyone to the outside interface of the ASA.

2. Once that is done, you can provide static 1-1 NAT for the ASA's outside IP on the router to one routable available IP provided by the ISP.

-Kureli

Ali Koussan
Level 1

Thanks guys,

Actually, putting the router behind the firewall is not an option.

OK Kureli, you mean do PAT on the ASA to the outside interface (private) IP, then NAT the outside IP of the ASA to the public IP of the router. Great, now what about VPN? Can we just use the public IP that we have used for the ASA outside NAT for VPN as well? I think we have to do port forwarding or something...

What do you think?

Sent from Cisco Technical Support iPhone App

Why is it not an option?

Hi Andrew, actually the ISP provides the router with its configuration. You are right, putting the firewall first will solve the issue, as we can do the PAT for user Internet access and terminate the VPN directly on the ASA outside.

Anyway, I will suggest that to the customer and see if it is acceptable.

Thanks

Sent from Cisco Technical Support iPhone App

Correct. You don't have to do any port forwarding. If the ASA listens on port 443, then when the router receives traffic on port 443 for that 1-1 IP it will send that packet right to the ASA.

Just allow the ACL on the router to let 443 packets destined to the ASA's translated address for inbound connections.

-Kureli

Hi kureli,

If this works as you stated, then the problem is solved.

Have you tried it before? Do you have any sample configuration? It would be great.

Thanks in advance.

Sent from Cisco Technical Support iPhone App

Yes it will. Many companies have a topology similar to yours. This is very common. I don't have any sample, though.

-Kureli

Hi Kureli ,

I have tried the setup in the lab; I tested two scenarios.

Scenario 1:

On the router: NAT the ASA outside to the router public IP, and PAT the ASA inside users' subnet to the same public IP of the router.

On the ASA: only no-NAT (identity NAT) for the inside, no PAT, only VPN remote access.

Router config:

interface GigabitEthernet0/0
 description to-ISP
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 description to-ASA-Outside
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
!
! 1.1.1.2 is a test machine on the outside
ip route 0.0.0.0 0.0.0.0 1.1.1.2
! 172.16.1.2 is the ASA outside
ip route 10.1.0.0 255.255.0.0 172.16.1.2
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static 172.16.1.2 interface GigabitEthernet0/0
!
access-list 1 permit 172.16.0.0 0.0.255.255

ASA Config:

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.240 255.255.255.0
!
object network inside-subnet
 subnet 10.1.0.0 255.255.0.0
!
object network inside-subnet
 nat (inside,outside) static 10.1.0.0
!
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
route inside 10.1.0.0 255.255.0.0 10.1.1.1

----

The setup seems to work, including the remote access VPN. But I had to do the NAT/PAT on the router, not on the ASA.

Scenario 2:

On the router: only NAT the ASA outside to the router public IP.

On the ASA: PAT the inside subnet to the ASA outside, and the VPN remote access config.

Router Config:

same basic config as in scenario 1 and:

ip nat inside source static 172.16.1.2 interface GigabitEthernet0/0

ASA Config:

same basic config as in scenario 1 and:

object network Inside-Subnet
 subnet 10.1.0.0 255.255.0.0
 description Inside-Subnet
!
object network Inside-Subnet
 nat (any,outside) dynamic interface

This did not work, and the VPN did not work either. I may have a basic error somewhere!

Do you have any hint?

Thanks

Ali,

Sorry, I missed reading this line, "ISP provided us with one public IP address only", in your requirement. You cannot do static 1-1 for the ASA to the router's g0/0 address. This is incorrect.

Well, this is still possible, but you would have to use static PAT.

1. On the ASA, PAT everyone to the outside interface IP (your config looks correct).

2. On the router you can do:

ip nat inside source list 120 interface g0/0 overload
!
access-list 120 deny tcp host 172.16.1.2 eq 443 any
! (so it can take the static PAT)
access-list 120 permit ip host 172.16.1.2 any

3. ip nat inside source static tcp 172.16.1.2 443 interface g0/0 443

If you would like to use no "nat-control" on the ASA, then all the inside guys, the 10.x.x.x guys, will look like themselves when they arrive on the router. In that case you can do the following on the router:

a. ip nat inside source list 120 interface g0/0 overload

access-list 120 permit ip 10.1.0.0 0.0.255.255 any

b. ip nat inside source static tcp 172.16.1.2 443 interface g0/0 443

ip route 10.1.0.0 255.255.0.0 172.16.1.2

I hope it is clear.

-Kureli
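To make the order of operations in Kureli's router-side suggestion (and the difference to Ali's lab scenarios above) concrete, here is an added packet-walk model. It is example code written for this thread, not Cisco software and not configuration from any poster: it models the IOS behaviour the replies depend on (static entries, including the static PAT for TCP/443, are consulted before the dynamic "overload" list; inbound traffic can only match an existing static or dynamic entry). The router address 1.1.1.1 and ASA outside 172.16.1.2 are the lab values from the thread; the remote hosts 203.0.113.5 and 198.51.100.7 are constructed test addresses.

```python
"""Packet-walk model of the router-side NAT discussed in this thread.

Added example, not Cisco code and not any poster's configuration. Models the IOS
behaviour the replies rely on: static (incl. static PAT) entries are consulted
before the dynamic 'overload' list, and inbound packets match existing entries
only. Lab addresses are from the thread; remote hosts are constructed.
"""
import ipaddress
from dataclasses import dataclass, replace

PUBLIC_IP = "1.1.1.1"        # router g0/0: the single ISP-provided address (thread's lab value)
ASA_OUTSIDE = "172.16.1.2"   # ASA outside interface, behind the router
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def host(addr):
    """IOS 'host A.B.C.D' keyword."""
    return ipaddress.ip_network(addr + "/32")


def wild(addr, wildcard):
    """IOS address/wildcard pair, e.g. 10.1.0.0 0.0.255.255 -> 10.1.0.0/16."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def acl_match(acl, pkt):
    """Extended ACL evaluation: first matching ACE wins, implicit deny at the end."""
    for action, proto, src_net, sport, dst_net in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in src_net:
            continue
        if sport is not None and pkt.sport != sport:
            continue
        if ipaddress.ip_address(pkt.dst) not in dst_net:
            continue
        return action == "permit"
    return False


# access-list 120, Kureli's variant (a): the ASA does identity NAT, so users reach the
# router as 10.1.x.x; ASA:443 is excluded so it is left to the static PAT entry.
ACL_120 = [
    ("deny",   "tcp", host(ASA_OUTSIDE), 443, ANY),
    ("permit", "ip",  wild("10.1.0.0", "0.0.255.255"), None, ANY),
    ("permit", "ip",  host(ASA_OUTSIDE), None, ANY),
]

# ip nat inside source static tcp 172.16.1.2 443 interface g0/0 443
STATIC_PAT = {("tcp", ASA_OUTSIDE, 443): (PUBLIC_IP, 443)}


class RouterNat:
    def __init__(self, dyn_acl, static_pat):
        self.dyn_acl = dyn_acl
        self.static_pat = static_pat  # (proto, real_ip, real_port) -> (mapped_ip, mapped_port)
        self.table = {}               # dynamic overload entries, same key/value shape
        # mapped ports already taken on the public address (static PAT reserves its own)
        self.in_use = {(proto, mport) for (proto, _, _), (_, mport) in static_pat.items()}

    def _alloc_port(self, proto, wanted):
        """PAT keeps the original source port when free, otherwise takes the next free one."""
        port = wanted
        while (proto, port) in self.in_use:
            port = port + 1 if port < 65535 else 1024
        self.in_use.add((proto, port))
        return port

    def outbound(self, pkt):
        """inside -> outside: static entry first, then the overload list, else untouched."""
        key = (pkt.proto, pkt.src, pkt.sport)
        if key in self.static_pat:
            mip, mport = self.static_pat[key]
            return replace(pkt, src=mip, sport=mport)
        if key not in self.table:
            if not acl_match(self.dyn_acl, pkt):
                return pkt  # no rule: forwarded with its private source (dies at the ISP)
            self.table[key] = (PUBLIC_IP, self._alloc_port(pkt.proto, pkt.sport))
        mip, mport = self.table[key]
        return replace(pkt, src=mip, sport=mport)

    def inbound(self, pkt):
        """outside -> inside: only an existing static or dynamic entry can be matched."""
        target = (pkt.proto, pkt.dst, pkt.dport)
        entries = list(self.static_pat.items()) + list(self.table.items())
        for (proto, rip, rport), (mip, mport) in entries:
            if target == (proto, mip, mport):
                return replace(pkt, dst=rip, dport=rport)
        return None  # nothing to translate to: for the router itself, or dropped


def build_router():
    return RouterNat(ACL_120, STATIC_PAT)


if __name__ == "__main__":
    r = build_router()
    print(r.inbound(Pkt("tcp", "203.0.113.5", 51000, PUBLIC_IP, 443)))     # lands on the ASA
    print(r.outbound(Pkt("tcp", "10.1.1.10", 40000, "198.51.100.7", 80)))  # PAT to 1.1.1.1:40000
```

Running it shows why the single public address can serve both purposes: inbound TCP/443 to 1.1.1.1 is rewritten to 172.16.1.2:443 by the static PAT entry, user traffic is PATed to 1.1.1.1 with its own source port (or the next free one when 443 or another taken port is requested), and an unsolicited inbound packet to any other port finds no entry and is never forwarded inside.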

Thanks Kureli,

I have ASA 8.3; disabling nat-control is not an option.

I will try the setup again and let you know. I appreciate your great help.

Ali

Hi Kureli,

Just to recap: the customer has no problem with not NATing the local users on the ASA; we can use identity NAT on the ASA for them.

Please check the diagram; it shows the setup with the configuration. Let me know please how it looks.

Thanks
