04-02-2013 07:18 AM - edited 03-04-2019 07:28 PM
Good morning all:
I was hoping this will help me and others when dealing with NATing with port forwarding from a specific IP range on the outside to an inside IP address. Here is what I have now:
Cisco 3640 WAN Router:
interface FastEthernet0/0
 description WAN Connection to Shentel
 ip address X.X.75.202 255.255.252.0
 ip nat outside
interface FastEthernet1/0
 description Inside LAN
 ip address 192.168.1.1 255.255.255.224
 ip nat inside
interface FastEthernet2/0
 description WLAN
 ip address 192.168.10.1 255.255.255.252
 ip nat inside
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.0.0 0.0.255.255
-------------------------------------------------------------------------------------------------
At this point everything works as expected. I have recently added an ASA 5505 so that I can VPN into my lab from work.
This will also separate the lab equipment from the current network. I have configured fa3/0 on the WAN router for the ASA.
interface FastEthernet3/0
 description ASA
 ip address 192.168.4.1 255.255.255.252
 ip nat inside
I have configured the basics on the ASA and the ASA can ping 8.8.8.8 on the inside interface connected on eth1/0.
The goal now is to allow a specific subnet from the cloud, let's call it 15.236.10.0 255.255.255.0. This is where Cisco
AnyConnect will initiate the port 443 VPN traffic to my static IP at home, X.X.75.202 255.255.252.0, and then redirect only the port 443 traffic from 15.236.10.0 255.255.255.0 to 192.168.4.2 (ASA eth1/0 outside).
So I added two more statements for IP NAT in the WAN router: "ip nat outside source static 15.236.10.0 192.168.4.2" for incoming and
"ip nat inside source static 192.168.4.2 15.236.10.0" for outgoing,
which of course did not work, and the ASA did not respond on 443 for either AnyConnect or HTTPS. Nothing is showing in
"show ip nat translations" for the incoming traffic from
Should I try the following?
"ip nat outside source static tcp 15.236.10.0 192.168.4.2" and
"ip nat inside source static tcp 192.168.4.2 15.236.10.0"
Maybe I am not understanding what is needed here?
Any help would be great and will also help others on this forum.
Thanks!
04-06-2013 10:43 PM
Hi Justin,
Here is a config that will help you do a static to the internal ASA that forwards TCP 443:
On Router:
ip nat inside source static tcp 192.168.4.2 443 interface f0/0 443
On the ASA you will need to enable NAT traversal, and a simple ACL to let only the specific subnet connect to the VPN.
access-list outside-in permit ip 15.236.10.0 0.0.0.255 any
access-list outside-in deny ip any any
access-group outside-in in interface outside
crypto isakmp nat-traversal
Hope it will help.
Best regards,
Abzal
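To check what the answer's design actually does before touching a router, here is an added Python model of the two filtering points (the router's static PAT entry and the ASA's outside-in ACL). It is not from the thread or from Cisco; the public WAN address is redacted in the post, so a documentation-range placeholder stands in for it.

```python
import ipaddress

# Constructed values: 203.0.113.202 is a placeholder for the redacted X.X.75.202.
ROUTER_WAN_IP = "203.0.113.202"
ASA_OUTSIDE_IP = "192.168.4.2"   # ASA eth1/0, behind the router's fa3/0 (from the post)
FORWARDED_PORT = 443             # ip nat inside source static tcp 192.168.4.2 443 interface f0/0 443

def wildcard_match(ip, network, wildcard):
    """IOS-style ACL match: address bits where the wildcard bit is 0 must be equal."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(network)) & care)

# The ACL from the answer: permit only the VPN client subnet, then deny everything.
ASA_OUTSIDE_IN = [
    ("permit", "15.236.10.0", "0.0.0.255"),
    ("deny", "0.0.0.0", "255.255.255.255"),
]

def acl_decision(src_ip, acl=ASA_OUTSIDE_IN):
    """First matching entry wins; an access-list ends with an implicit deny."""
    for action, network, wildcard in acl:
        if wildcard_match(src_ip, network, wildcard):
            return action
    return "deny"

def router_inbound_pat(src_ip, dst_ip, dst_port):
    """Static PAT: inbound TCP to WAN_IP:443 is rewritten to the ASA; anything else has no entry."""
    if dst_ip == ROUTER_WAN_IP and dst_port == FORWARDED_PORT:
        return (src_ip, ASA_OUTSIDE_IP, FORWARDED_PORT)
    return None

def trace_vpn_client(src_ip, dst_port=443):
    """Follow one inbound packet through router PAT and then the ASA ACL."""
    translated = router_inbound_pat(src_ip, ROUTER_WAN_IP, dst_port)
    if translated is None:
        return "dropped: no static PAT entry for that destination port"
    if acl_decision(translated[0]) != "permit":
        return f"reaches ASA {translated[1]}:{translated[2]} but ACL denies source {src_ip}"
    return f"permitted to ASA {translated[1]}:{translated[2]} from {src_ip}"

if __name__ == "__main__":
    print(trace_vpn_client("15.236.10.77"))        # office AnyConnect client
    print(trace_vpn_client("198.51.100.9"))        # unrelated Internet host
    print(trace_vpn_client("15.236.10.77", 8443))  # port never forwarded by the router
```

Note that the source restriction lives on the ASA, not in the router's NAT entry, so every Internet host can still reach the ASA's port 443 and only the ACL turns it away; ASA access-lists also take a subnet mask (255.255.255.0) rather than an IOS wildcard, so check the mask form when pasting the answer's lines.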