NAT on ISR 4461 to access inside private IP using a public IP from Outside Network

S.U.H.E.L
Level 1

Refer to the attached scenario where internet router is connected to ISP using the public IP. A firewall is connected to the internet router using private IP.

 

We need VPNs to be terminated on the Firewall so its outside interface needs to have a public IP for VPN peer formation. However, configuring the firewall's outside interface as public IP would require another /30 public IP range and the router's internal interface will also be configured using a Public IP. This will cause unnecessary wastage of public IPs since only one (Firewall's outside IP) will be used.

 

Is there a way to NAT a single public IP on the router which translates to the firewall's outside private IP? Just like how a public IP on the firewall is translated to a private web server IP in the network, users from outside use the public IP to access the web server.

 

So whenever a VPN is created with a peer, this public IP (located on the router) can be shared; however, the VPN will terminate on the firewall's private IP. In this way, only a single public IP will be used instead of a /30 range.

 

Please suggest if this is feasible. Is there any other way to deal with this scenario?

4 Replies

Muhammad Awais Khan
Cisco Employee

Hi,

 

It is possible and will be working fine. You have two options here: if you can manage to arrange a separate dedicated public IP, then you need to configure a static 1:1 NAT entry at the router. If arranging a public IP is not an option, you can still use port forwarding using the router's outside public IP address. You need to disable HTTPS on the router, or you can use port 8443 from outside when connecting to the VPN. Find below example configs:

 

Example: when using PAT with the outside router interface IP (assuming the outside interface is g0/2 and you will listen on port 8443 on the router outside to avoid conflict)

ip nat inside source static tcp 10.0.0.2 443 interface g0/2 8443

 

Example: when using 1:1 static NAT if you have a spare public IP available

ip nat inside source static 10.0.0.2 x.x.x.x

where x.x.x.x is the public IP you arranged.

 

The solution you shared is traditional NAT for users inside going to the internet using a Public IP. This will not allow the ASA to form a VPN with other VPN peers.

 

I need to achieve the opposite. VPN peers from the outside access a public IP that is on the router, which is then translated to the ASA's outside interface private IP. So the peering information is passed on to the ASA.

Hi,

 

ip nat inside is the appropriate command for you to make your connections coming from outside translated to your inside ASA private IP address.

 

ip nat inside source:

  • Translates the source IP address of packets that travel from inside to outside.
  • Translates the destination IP address of packets that travel from outside to inside.

ip nat outside source:

  • Translates the source IP address of packets that travel from outside to inside.
  • Translates the destination IP address of packets that travel from inside to outside.

You have to make sure which ports you will be requiring for VPN. For SSL VPN, I mentioned 443, but for IPsec VPN peers, you have to add those ports to your port-forwarding configuration.
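Added example (not from the thread): the two options Muhammad describes, shown with the interface NAT roles the one-liners above leave out, plus the extra entries an IPsec peer needs. Addresses, interface names and the spare public IP are constructed for illustration.

```cisco
! Constructed addressing (assumption, not from the thread):
!   router outside g0/2 = 203.0.113.2/30 (ISP link)
!   router inside  g0/1 = 10.0.0.1/30, ASA outside = 10.0.0.2
!   spare public IP for option 1 = 203.0.113.10 (must be routed to us by the ISP)
!
interface GigabitEthernet0/2
 description ISP facing
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 description ASA outside (private transit /30)
 ip address 10.0.0.1 255.255.255.252
 ip nat inside
!
! Configure ONE of the two options below, not both.
!
! Option 1: 1:1 static NAT with a spare public IP. Every IP protocol is
! translated, so IKE (UDP/500), NAT-T (UDP/4500) and native ESP (IP
! protocol 50) all reach the ASA with a single entry. Peers use 203.0.113.10.
ip nat inside source static 10.0.0.2 203.0.113.10
!
! Option 2: static PAT on the router's own outside address when no spare
! public IP exists. Each service needs its own entry; peers use 203.0.113.2.
! SSL VPN: 8443 outside -> 443 on the ASA, avoiding the router's own HTTPS.
ip nat inside source static tcp 10.0.0.2 443 interface GigabitEthernet0/2 8443
! IPsec: IKE and NAT-T are UDP and can be forwarded normally.
ip nat inside source static udp 10.0.0.2 500 interface GigabitEthernet0/2 500
ip nat inside source static udp 10.0.0.2 4500 interface GigabitEthernet0/2 4500
! ESP is not TCP/UDP; IOS NAT has a dedicated esp form for tunnel-mode passthrough
! (only needed for peers that do not negotiate NAT-T).
ip nat inside source static esp 10.0.0.2 interface GigabitEthernet0/2
!
! Verification after a peer connects: the static entries should show hit counts.
! show ip nat translations
! show ip nat statistics
```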

Hello

However, configuring the firewall's outside interface as public IP would require another /30 public IP range and the router's internal interface will also be configured using a Public IP. This will cause unnecessary wastage of public IPs since only one (Firewall's outside IP) will be used.

If I understand you correctly, then it sounds like you could bridge your single public IP address on the WAN rtr so the FW can connect to that rtr's LAN-facing interface on the single public IP.

 

Example rtr: running IOS

int x/x
 description public facing
 no ip address
 bridge-group 1

int xx
 description lan facing
 no ip address
 bridge-group 1

bridge irb
bridge 1 protocol ieee
bridge 1 route ip

interface BVI 1
 ip address 1.1.1.1 255.255.255.252

 

Example 2 rtr: running IOS-XE

int x/x
 description public facing
 no ip address
 service instance 1 ethernet
  encapsulation untagged
  bridge-domain 1

int xx
 description lan facing
 no ip address
 service instance 1 ethernet
  encapsulation untagged
  bridge-domain 1

interface Bdi1
 ip address 1.1.1.1 255.255.255.252

 



Kind Regards
Paul