05-06-2014 04:33 AM - edited 03-11-2019 09:09 PM
Hi,
my network layout is like this:
To reach my webserver I made a static NAT rule for the DMZ webserver/outside. At this moment it is no longer possible to build an IPsec connection from my iPhone to the inside network.
What can I do?
regards
Jürgen
05-06-2014 05:07 AM
For SSL VPN to work, the ASA uses tcp/443 on the outside interface.
You'll need to either use a second public IP for your web server NAT or else map it to a port other than 443.
05-06-2014 01:11 PM
Thanks for your answer! My web server NAT is mapped to port 80 - I think, because it works. Look at tsw22.i234.me.
When I look at the exempt rule for VPN there is no possibility for port mapping. See here: ...Attachment
What settings do I have to make for VPN port mapping?
regards
Jürgen
05-06-2014 03:57 PM
I should be more precise. What I mean is that when configuring your rule and access-list for the web server, we tell it to use only one port and redirect it to something other than 443 (PAT) instead of the entire address (static NAT), which includes all ports.
So for instance, if your web server was listening on port 443, we would instead have incoming requests be on 4443 via the following object NAT and access-list:
object network tswebserver
 host 1.1.1.1
 description test
 nat (dmz,outside) static interface service tcp 443 4443
access-list outside_access_in line 1 extended permit tcp any object tswebserver eq 443
access-list outside_access_in line 2 remark ASA 8.3+ ACLs match the real (pre-NAT) address and real port 443; clients connect to the mapped port 4443
If you are only serving up http (tcp/80) then you don't need the service bit in the nat rule and replace all the 4443 in the access-list with 80.
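The point of the accepted answer can be checked without an ASA at hand. The following is an added example, not configuration from the thread or from Cisco: a small Python model of how an 8.3+-style ASA handles an inbound packet on its outside interface (NAT lookup first, then the inbound access-list evaluated against the real destination address and real port). It contrasts the original layout (a static NAT that claims every port of the public address, so tcp/443 and the iPhone's IKE on udp/500 never reach the ASA's own listeners) with the single-port static PAT from the answer, and also shows what happens when the access-list names the mapped port 4443 instead of the real port 443. The public address 203.0.113.10, the assumption that the web server's NAT was mapped onto the same public address the VPN clients use, and the IKE/NAT-T ports listed for the IPsec client are assumptions of this model, not facts from the thread; 1.1.1.1 and the object name come from the posted configuration.

```python
"""Added example (not the thread's config): model of ASA 8.3+ inbound un-NAT
followed by the outside ACL check, to show why a whole-address static NAT for
the web server hides the ASA's own VPN listeners, why a single-port static PAT
(tcp 443 -> 4443) does not, and why the ACL must name the REAL server port.

Assumptions (not stated in the thread): VPN clients connect to 203.0.113.10 and
the web server's NAT rule was mapped onto that same public address.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PUBLIC_IP = "203.0.113.10"        # assumption: ASA outside address used by VPN clients
WEBSERVER_REAL_IP = "1.1.1.1"     # the thread's "object network tswebserver"

# Services the ASA itself answers on its outside address.
# tcp/443 = SSL VPN (per the first reply); udp/500 and udp/4500 = IKE / NAT-T for
# the iPhone's IPsec client from the question (assumed ports for the model).
ASA_SERVICES = {
    ("tcp", 443): "ssl-vpn",
    ("udp", 500): "ipsec-ike",
    ("udp", 4500): "ipsec-nat-t",
}


@dataclass(frozen=True)
class StaticNat:
    """One 'nat (dmz,outside) static <mapped> [service <proto> <real> <mapped>]' rule."""
    real_ip: str
    mapped_ip: str
    proto: Optional[str] = None        # None -> whole address: every protocol and port
    real_port: Optional[int] = None
    mapped_port: Optional[int] = None

    def untranslate(self, proto: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Return (real_ip, real_port) if this rule claims the packet, else None."""
        if dst_ip != self.mapped_ip:
            return None
        if self.proto is None:                                    # static NAT: all ports
            return (self.real_ip, dst_port)
        if proto == self.proto and dst_port == self.mapped_port:  # static PAT: one port
            return (self.real_ip, self.real_port)
        return None


@dataclass(frozen=True)
class AclEntry:
    """'access-list outside_access_in extended permit <proto> any object <obj> eq <port>'."""
    proto: str
    real_dst_ip: str
    real_dst_port: int


def forward(nat_rules: List[StaticNat], acl: List[AclEntry],
            proto: str, dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Decide where an inbound packet to dst_ip:dst_port ends up.

    Returns ("asa", service), ("dmz", "real_ip:real_port") or ("drop", reason).
    Order mirrors the ASA: un-NAT first, then the inbound ACL is evaluated
    against the REAL destination address and REAL port.
    """
    for rule in nat_rules:
        hit = rule.untranslate(proto, dst_ip, dst_port)
        if hit is None:
            continue
        real_ip, real_port = hit
        for entry in acl:
            if (entry.proto, entry.real_dst_ip, entry.real_dst_port) == (proto, real_ip, real_port):
                return ("dmz", f"{real_ip}:{real_port}")
        return ("drop", "implicit deny on outside_access_in")
    # No NAT rule claimed the packet, so the ASA's own services can answer it.
    service = ASA_SERVICES.get((proto, dst_port)) if dst_ip == PUBLIC_IP else None
    if service:
        return ("asa", service)
    return ("drop", "no NAT match and no ASA service")


# Original layout: the whole public address statically NATed to the web server.
BROKEN_NAT = [StaticNat(WEBSERVER_REAL_IP, PUBLIC_IP)]
# Accepted answer: only tcp/4443 on the public address is redirected to tcp/443.
FIXED_NAT = [StaticNat(WEBSERVER_REAL_IP, PUBLIC_IP, "tcp", 443, 4443)]
# 8.3+ ACL: real object, real port 443 (not the mapped port 4443).
ACL_REAL_PORT = [AclEntry("tcp", WEBSERVER_REAL_IP, 443)]
# Common mistake: naming the mapped port in the ACL.
ACL_MAPPED_PORT = [AclEntry("tcp", WEBSERVER_REAL_IP, 4443)]


def show() -> None:
    """Print the decision for the ports that matter in the thread."""
    for label, nat, acl in (("broken", BROKEN_NAT, ACL_REAL_PORT),
                            ("fixed", FIXED_NAT, ACL_REAL_PORT),
                            ("fixed, ACL on mapped port", FIXED_NAT, ACL_MAPPED_PORT)):
        for proto, port in (("tcp", 443), ("tcp", 4443), ("udp", 500)):
            print(f"{label:26} {proto}/{port:<5} -> {forward(nat, acl, proto, PUBLIC_IP, port)}")


if __name__ == "__main__":
    show()
```

Running it shows the three behaviours side by side: with the whole-address NAT, tcp/443 lands on the web server and udp/500 is dropped by the implicit deny, so no VPN of either kind reaches the ASA; with the single-port PAT, tcp/443 and udp/500 stay with the ASA while tcp/4443 reaches 1.1.1.1:443; and with the ACL written for port 4443, the redirected traffic is dropped because the ACL is compared against the real port.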
05-07-2014 09:18 AM
Thank you very much!
I will test.
Regards
Jürgen
05-08-2014 11:15 AM
It works - thank you again!
Regards
Jürgen