Single Public IP on ASA Firewall

johnlloyd_13
Level 9

Hi all,

I just need a quick confirmation. I have a site that will use an ASA 5525-X to PAT internal users to the internet and establish a site-to-site IPsec VPN to HQ using a single public IP address on the WAN/outside interface.

I usually get a /30 public WAN and /28 or /29 public LAN IPs, but this time I just got a WAN IP.

My question: is it possible to use the single public IP for:

- PAT inside users

- build site-to-site IPsec VPN

- port forwarding for the router behind the FW for remote access (from internet)

Also, are my NAT statements/sequence correct? I.e. configure the static/port forwarding first, then the identity/"no NAT" for the internal subnet to VPN to HQ, last would be dynamic NAT/PAT using the after-auto keyword.

 

object network OBJ-RT01   <<< PORT FORWARD TO ROUTER USING WAN/OUTSIDE IP (OBJECT NAT, SECTION 2)
 host 192.168.128.1
 nat (inside,outside) static interface service tcp 22 22

object network OBJ-192.168.128.0    <<< INTERNAL SUBNET, DEFINED ONCE AND REUSED BY THE TWO MANUAL NAT RULES BELOW
 subnet 192.168.128.0 255.255.255.0

object network OBJ-HQ-NET    <<< HQ SUBNET REACHED OVER THE VPN (PLACEHOLDER NAME; THE HQ ADDRESSES ARE NOT GIVEN IN THIS POST)
 subnet <HQ-SUBNET> <HQ-MASK>

nat (inside,outside) source static OBJ-192.168.128.0 OBJ-192.168.128.0 destination static OBJ-HQ-NET OBJ-HQ-NET   <<< "NO NAT" ON INTERNAL SUBNET TOWARDS HQ: MANUAL (TWICE) NAT IS ENTERED IN GLOBAL CONFIG, NOT UNDER AN OBJECT, AND MUST MATCH THE HQ DESTINATION (SECTION 1, CHECKED FIRST)

nat (inside,outside) after-auto source dynamic OBJ-192.168.128.0 interface   <<< DYNAMIC NAT/PAT INTERNAL USERS: after-auto IS ALSO A MANUAL NAT KEYWORD, SO THIS GOES IN GLOBAL CONFIG (SECTION 3, CHECKED LAST)

1 Accepted Solution

Dennis Mink
VIP Alumni

Yes, strictly speaking this is possible: you can have your outside interface IP address respond to ISAKMP/IPsec/ESP to establish a tunnel, at the same time do a port forward on, for instance, 443 to an internal web server, and then, on the way out, do an overload for internal-to-external browsing.

Please remember to rate useful posts, by clicking on the stars below.


Hi Dennis,

Thanks! I just made an edit to my question.

Could you also confirm whether my NAT statements and sequence are correct?

They look good to me. Please note: don't forget to open 80/443 to your internal IP address on the outside interface ingress ACL as well.

Please remember to rate useful posts, by clicking on the stars below.

Hi,

Just another quick question. I have a Cisco router behind the ASA FW that I need to remote access:

router <> ASA <> internet

I already have SSH enabled on the ASA 'outside' and am able to SSH remotely, so my questions:

1) Can I use telnet/TCP 23 to port forward to the router? Or do I need to use non-common TCP ports, i.e. 2323?

2) Do I configure the port forward as tcp 23 23 or tcp 23 2323?

 

object network OBJ-RT01
 host 192.168.0.230   <<< ROUTER WAN IP
 nat (inside,outside) static interface service tcp 23 23

 

object network OBJ-RT01
 host 192.168.0.230
 nat (inside,outside) static interface service tcp 2323 2323

 

3) Do I need a static/identity NAT for the router's WAN IP (192.168.0.230)?

 

object network OBJ-192.168.0.230
 host 192.168.0.230
 nat (inside,outside) static OBJ-192.168.0.230

You can use any port, say 2323, and port forward that to the router's internal IP and TCP port 23. Now, opening it up externally is not recommended, so make sure you use strong passwords.

Please remember to rate useful posts, by clicking on the stars below.

I'd add that you don't need to change the port the router uses for SSH to 23. You can continue to use 22 on the router for SSH. Create an access list on the ASA to only allow that SSH session from known sources.
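A defender-side companion to the two replies above, added here and not taken from the original thread or any poster: the router port forward kept on the router's normal SSH port 22, the outside ingress ACL that limits it to known management sources, and the packet-tracer check that confirms both. The management source 203.0.113.10, the mapped port 2222 and the outside address 198.51.100.2 are constructed placeholders; 192.168.0.230 is the router address from the thread.

```text
! Router is reached via the outside interface IP on a non-default mapped port,
! while SSH stays on its real port 22 on the router itself (real port first, mapped second).
object network OBJ-RT01
 host 192.168.0.230
 nat (inside,outside) static interface service tcp 22 2222

! Known management sources only (placeholder address; add one line per source).
object-group network OG-MGMT-SRC
 network-object host 203.0.113.10

! On ASA 8.3+ interface ACLs match the REAL (untranslated) address and port,
! so the permit names 192.168.0.230 and port 22, not the outside IP and 2222.
access-list OUTSIDE-IN extended permit tcp object-group OG-MGMT-SRC object OBJ-RT01 eq 22
! Anything else arriving from the internet that is not return traffic is dropped and logged.
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside

! Check 1: the ordered NAT table (Section 1 manual, Section 2 object, Section 3 after-auto).
show nat

! Check 2: simulate an inbound SSH attempt from the allowed source to the outside IP.
packet-tracer input outside tcp 203.0.113.10 40000 198.51.100.2 2222
! Expected phases: UN-NAT to 192.168.0.230/22, ACCESS-LIST permit, final result ALLOW.
! The same trace from a source not in OG-MGMT-SRC should end in DROP at the ACCESS-LIST phase.
```

ISAKMP/IPsec traffic terminates on the ASA itself, so it is not subject to this interface ACL and needs no entry here.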

gbekmezi-DD
Level 5
A cursory look at your config samples looks good.