
IP NAT Forward 443 ASA VPN

Justin Parker
Level 1

Good morning all:

I was hoping this will help me and others when dealing with NATing with port forwarding from a specific IP range on the outside to an inside IP address. Here is what I have now:

Cisco 3640 WAN Router:

interface FastEthernet0/0
 description WAN Connection to Shentel
 ip address X.X.75.202 255.255.252.0
 ip nat outside

interface FastEthernet1/0
 description Inside LAN 
 ip address 192.168.1.1 255.255.255.224
 ip nat inside

interface FastEthernet2/0
 description WLAN
 ip address 192.168.10.1 255.255.255.252
 ip nat inside

ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.0.0 0.0.255.255

-------------------------------------------------------------------------------------------------

At this point everything works as expected. I have recently added an ASA 5505 so that I can VPN into my lab from work. This will also separate the lab equipment from the current network. I have configured fa3/0 on the WAN router for the ASA.

interface FastEthernet3/0
 description ASA
 ip address 192.168.4.1 255.255.255.252
 ip nat inside

I have configured the basics on the ASA and the ASA can ping 8.8.8.8 on the inside interface connected on eth1/0.


The goal now is to allow a specific subnet from the cloud, let's call it 15.236.10.0 255.255.255.0. This is where Cisco AnyConnect will initiate the port 443 VPN traffic to my static IP at home, X.X.75.202 255.255.252.0, and then redirect the 15.236.10.0 255.255.255.0 traffic on 443 only to 192.168.4.2 (ASA eth1/0 outside).


So I added two more statements for IP NAT in the WAN router.

“ip nat outside source static 15.236.10.0 192.168.4.2” for incoming and

“ip nat inside source static 192.168.4.2 15.236.10.0” for outgoing.

which of course did not work, and the ASA did not respond on 443 to either AnyConnect or HTTPS. Nothing is showing in "show ip nat translations" for the incoming traffic from

Should I try the following?

“ip nat outside source static tcp 15.236.10.0 192.168.4.2” and

“ip nat inside source static tcp 192.168.4.2 15.236.10.0”

Maybe I am not understanding what is needed here?

Any help would be great and will also help others on this forum.

Thanks!


Abzal
Level 7

Hi Justin,

Here is a config that helps you do a static NAT to the internal ASA that will forward TCP 443:

On Router:

ip nat inside source static tcp 192.168.4.2 443 interface f0/0 443

On the ASA you will need to enable NAT traversal, and a simple ACL to let only the specific subnet connect to the VPN.

access-list outside-in extended permit ip 15.236.10.0 255.255.255.0 any

access-list outside-in extended deny ip any any

access-group outside-in in interface outside

crypto isakmp nat-traversal

Hope it will help.

Best regards,
Abzal
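The router line above forwards TCP 443 from any Internet source to the ASA; the question asked for 443 to be accepted from the 15.236.10.0/24 cloud range only. The following is an added example, not the poster's or the replier's own configuration, of how the restriction can be enforced on the 3640 itself in front of the ASA's ACL. It assumes the interface names and addresses from the question (X.X.75.202 is the poster's redacted public address, 15.236.10.0/24 is the example cloud range) and that the existing `ip nat inside source list 1 ... overload` stays in place.

```cisco
! Added example (not from the thread): static PAT for TCP/443 to the ASA,
! plus an inbound filter on the outside interface so that only the cloud
! range can reach the forwarded port.
ip nat inside source static tcp 192.168.4.2 443 interface FastEthernet0/0 443
!
ip access-list extended OUTSIDE-IN
 remark AnyConnect over TLS from the cloud range only. An inbound ACL on the
 remark outside interface is evaluated before outside-to-inside NAT, so it
 remark must match the public address X.X.75.202, not 192.168.4.2.
 permit tcp 15.236.10.0 0.0.0.255 host X.X.75.202 eq 443
 remark Stateless allowance for return traffic of the existing PAT overload
 remark (inside LAN browsing, DNS, ping). CBAC (ip inspect) or a zone-based
 remark firewall would track this statefully instead.
 permit tcp any host X.X.75.202 established
 permit udp any eq 53 host X.X.75.202
 permit icmp any host X.X.75.202 echo-reply
 deny ip any any log
!
interface FastEthernet0/0
 ip access-group OUTSIDE-IN in
```

With this in place, `show access-lists OUTSIDE-IN` shows hit counts on the 443 permit and on the logging deny, and `show ip nat translations` shows a `tcp 192.168.4.2:443 X.X.75.202:443` entry once a client from the cloud range connects. Note that the forward covers AnyConnect over TLS only; if the ASA is also configured for AnyConnect over IKEv2/IPsec, UDP 500 and 4500 would need their own static PAT entries and ACL permits.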
