Can we port forward VPN traffic from a UTM to a Cisco ASA 5500?

Anupam Lahoti
Level 1

Hello,

One of my friends has a Cisco ASA 5500 and he has the Cisco VPN software installed to connect to the VPN. He is planning to bring in a UTM box and wants to keep the Cisco as well.

Right now the Cisco is configured with a public IP for VPN (ex: 115.254.x.x).

He wants to put that IP (ex: 115.254.x.x) on the UTM and do port forwarding to the Cisco ASA 5500 IP (ex: 192.168.15.3).

Is it possible to do port forwarding from a UTM to the Cisco?

8 Replies

Yes, that can work. But it depends on the correct configuration of the UTM.

  • For IPsec VPNs:
    Forward UDP/500 and UDP/4500 to the ASA. The UTM box must not interact with IPsec. Disable every form of pass-through or VPN termination.
  • For SSL VPNs:
    Forward TCP/443 and UDP/443 to the ASA. Here the UTM must not listen on these HTTPS ports to provide a management interface or something like that.

If it doesn't work that way (of course it should), consider switching the order of the devices: keep the ASA as the first line of defense directly connected to the internet and use the UTM behind it.

Thank you Karsten for the quick reply. I have forwarded the whole IP in the port forwarding option of the UTM box. Do I need to create any rule on the ASA 5500? We want the UTM box to be the first line and then the Cisco, which is already configured with VPN. The UTM local IP is in the 172.10.x.x range, and we have configured one more port of the UTM as 192.168.15.1; from there we pulled a cable to the Cisco, connected it, and assigned the IP 192.168.15.3 to the Cisco. The port forwarding rule is 115.254.x.x >> 192.168.15.3, the whole IP forwarded. Let me know if any more information is required. Is it possible? Thanks

That should work if the UTM doesn't act on its own on the VPN traffic. Locally configured services typically have a higher priority than port forwarding.

Did you also change the default-route on the ASA to use the UTM (192.168.15.1)?

While connecting you should see the connection attempt on the ASA, and with the capture command you should also see the packets on the outside interface.

No, I haven't changed the default route on the ASA to use the UTM. What do you mean by "locally configured services have higher priority"? I will try to change the default route on the ASA to use the UTM. Thanks

> No, I haven't changed the default route on the ASA to use the UTM.

That is needed. Without the default route the ASA can't answer the VPN connections.

> What do you mean by "locally configured services have higher priority"?

If you configure forwarding of all IP to a different device and at the same time enable IPsec VPNs, then typically all traffic with the exception of IPsec is forwarded. That could also be a reason why no IPsec traffic reaches the ASA.

I haven't enabled VPN on the UTM box. VPN is configured on the Cisco. The rule on the Cisco device is to forward traffic coming in on 192.168.15.3 >>> 172.10.0.6. It would be great if you could guide me on how to create the connection between both devices from scratch. You can just guide me on the Cisco part and let me know what needs to be done on the UTM. I would do it and let you know the results. Thanks

You should have something like the following:

interface GigabitEthernet0/1
  nameif outside
  security-level 0
  ip address 192.168.15.3 255.255.255.0

route outside 0.0.0.0 0.0.0.0 192.168.15.1
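An added sanity check, not part of this thread and not Cisco's or any UTM vendor's code: it models the three points Karsten raised (the UDP/500, UDP/4500 and TCP+UDP/443 forwards must reach the ASA, the UTM must not bind those ports itself, and the ASA needs a default route back through the UTM) as a small audit over a UTM forwarding rule list and the ASA running-config text. The rule-list format, the local-service list and the sample data are constructed for this example; the ASA lines are the ones from the reply above.

```python
import re

# Ports the ASA must receive, per the first reply in the thread.
IPSEC_PORTS = {("udp", 500), ("udp", 4500)}
SSLVPN_PORTS = {("tcp", 443), ("udp", 443)}
NEEDED = IPSEC_PORTS | SSLVPN_PORTS

# Constructed addressing, matching the thread.
ASA_IP = "192.168.15.3"
UTM_INSIDE_IP = "192.168.15.1"

# Constructed UTM rule set (hypothetical dict format): the "whole IP"
# forward the original poster described. proto/port "*" means "everything".
UTM_RULES = [{"proto": "*", "port": "*", "dst": ASA_IP}]

# Constructed: the UTM's own management interface bound to HTTPS.
UTM_LOCAL_SERVICES = [("tcp", 443)]

# Constructed ASA config: the interface from the reply, default route missing.
ASA_CONFIG_BEFORE = """\
interface GigabitEthernet0/1
  nameif outside
  security-level 0
  ip address 192.168.15.3 255.255.255.0
"""
# The same config with the default route from the reply added.
ASA_CONFIG_AFTER = ASA_CONFIG_BEFORE + "route outside 0.0.0.0 0.0.0.0 192.168.15.1\n"


def forwarded_ports(rules, asa_ip):
    """Return the set of (proto, port) the UTM forwards to asa_ip.

    A wildcard port is expanded only to the ports the VPN actually needs,
    so the result stays comparable with IPSEC_PORTS / SSLVPN_PORTS.
    """
    result = set()
    for r in rules:
        if r["dst"] != asa_ip:
            continue
        protos = ("tcp", "udp") if r["proto"] == "*" else (r["proto"],)
        if r["port"] == "*":
            result |= {p for p in NEEDED if p[0] in protos}
        else:
            result |= {(proto, int(r["port"])) for proto in protos}
    return result


def check_utm(rules, local_services, asa_ip):
    """Findings for the UTM side: missing forwards and local-service clashes."""
    fwd = forwarded_ports(rules, asa_ip)
    findings = []
    for name, ports in (("IPsec", IPSEC_PORTS), ("SSL VPN", SSLVPN_PORTS)):
        missing = sorted(ports - fwd)
        if missing:
            findings.append(f"{name}: not forwarded to {asa_ip}: {missing}")
    # Locally bound services win over port-forwards (second reply in the thread),
    # so any VPN port the UTM itself listens on never reaches the ASA.
    clash = sorted(NEEDED & set(local_services))
    if clash:
        findings.append(f"UTM itself listens on {clash}; these will never reach the ASA")
    return findings


def check_asa(config_text, utm_inside_ip):
    """Findings for the ASA side: a default route on 'outside' via the UTM."""
    findings = []
    m = re.search(r"^route outside 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config_text, re.M)
    if not m:
        findings.append("ASA: no default route on 'outside'; VPN replies cannot leave")
    elif m.group(1) != utm_inside_ip:
        findings.append(f"ASA: default route points to {m.group(1)}, expected {utm_inside_ip}")
    return findings


def audit(rules, local_services, asa_config, asa_ip=ASA_IP, utm_inside_ip=UTM_INSIDE_IP):
    """Combined report; an empty list means the setup matches the thread's advice."""
    return check_utm(rules, local_services, asa_ip) + check_asa(asa_config, utm_inside_ip)


if __name__ == "__main__":
    for label, cfg in (("before", ASA_CONFIG_BEFORE), ("after", ASA_CONFIG_AFTER)):
        print(label, audit(UTM_RULES, UTM_LOCAL_SERVICES, cfg) or "OK")
```

Run as-is, the "before" case reports both the HTTPS clash and the missing default route; with the route line added only the UTM management clash remains, which is the case where the "whole IP" forward still silently loses TCP/443.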

I will try it today and let you know the status. Thanks