01-19-2020 03:25 AM - edited 01-19-2020 04:37 AM
Refer to the attached scenario, where the internet router is connected to the ISP using a public IP. A firewall is connected to the internet router using a private IP.
We need VPNs to be terminated on the firewall, so its outside interface needs to have a public IP for VPN peer formation. However, configuring the firewall's outside interface with a public IP would require another /30 public IP range, and the router's internal interface would also have to be configured with a public IP. This wastes public IPs, since only one (the firewall's outside IP) would actually be used.
Is there a way to NAT a single public IP on the router so that it translates to the firewall's outside private IP? Just like a public IP on the firewall is translated to a private web server IP in the network, and users from outside use the public IP to access the web server.
So whenever a VPN is created with a peer, this public IP (located on the router) can be shared; however, the VPN will terminate on the firewall's private IP. In this way, only a single public IP will be used instead of a /30 range.
Please suggest if this is feasible. Is there any other way to deal with this scenario?
01-19-2020 04:24 AM - edited 01-19-2020 04:26 AM
Hi,
It is possible and will work fine. You have two options here: if you can manage to arrange a separate dedicated public IP, then you need to configure a static 1:1 NAT entry on the router. If arranging a public IP is not an option, you can still use port forwarding on the router's outside public IP address. You need to disable HTTPS on the router, or you can use port 8443 from outside when connecting to the VPN. Find example configs below:
Example: when using PAT with the outside router interface IP (assuming the outside interface is g0/2 and you will listen on port 8443 on the router outside to avoid a conflict):
ip nat inside source static tcp 10.0.0.2 443 interface g0/2 8443
Example: when using 1:1 static NAT, if you have a spare public IP available:
ip nat inside source static 10.0.0.2 x.x.x.x
where x.x.x.x is the public IP you arranged.
01-19-2020 06:02 AM
The solution you shared is traditional NAT for users inside going to the internet using a public IP. This will not allow the ASA to form a VPN with other VPN peers.
I need to achieve the opposite: VPN peers from the outside access a public IP that is on the router, which is then translated to the ASA's outside interface private IP, so the peering information is passed on to the ASA.
01-19-2020 08:12 PM
Hi,
ip nat inside is the appropriate command for you to make your connections coming from outside get translated to your inside ASA private IP address.
ip nat inside source:
ip nat outside source:
You have to make sure which ports you will be requiring for the VPN. For SSL VPN, I mentioned 443, but for IPsec VPN peers, you have to add those ports to your port-forwarding configuration.
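To make the port-forwarding idea above concrete for IPsec peers, here is an added IOS NAT example; it is not configuration from any post in this thread. It assumes the interface names, the 10.0.0.0/30 link and the ASA outside address 10.0.0.2 used in the earlier reply; the peer address is a constructed placeholder. IKE runs on UDP 500, and once the ASA and its peer detect the NAT in the path they switch to NAT-T on UDP 4500, so those two mappings on the router are what the ASA needs to form the tunnel from behind a single public IP.

```cisco
! Added example (not from the thread). Assumed names/addresses:
!   GigabitEthernet0/2 = ISP-facing interface holding the single public IP
!   GigabitEthernet0/1 = link to the ASA outside interface (10.0.0.0/30)
!   10.0.0.2           = ASA outside interface (private)
interface GigabitEthernet0/2
 description ISP facing, single public IP (static or DHCP from provider)
 ip nat outside
!
interface GigabitEthernet0/1
 description Link to ASA outside interface
 ip address 10.0.0.1 255.255.255.252
 ip nat inside
!
! IKE (ISAKMP) on UDP 500: forward to the ASA, keep the same port on the public side
ip nat inside source static udp 10.0.0.2 500 interface GigabitEthernet0/2 500
! NAT-T (ESP encapsulated in UDP) on UDP 4500: required because the ASA sits behind NAT
ip nat inside source static udp 10.0.0.2 4500 interface GigabitEthernet0/2 4500
! Only if a peer cannot negotiate NAT-T and raw ESP (IP protocol 50) must be forwarded
! (hypothetical for this scenario; NAT-T is the normal path and makes this unnecessary):
! ip nat inside source static esp 10.0.0.2 interface GigabitEthernet0/2
!
! Optional: SSL VPN on the ASA behind the same public IP, as in the earlier reply
! (8443 on the outside avoids a clash with the router's own HTTPS service)
! ip nat inside source static tcp 10.0.0.2 443 interface GigabitEthernet0/2 8443
```

Two things to check after applying this. On the ASA, NAT traversal must be enabled (crypto isakmp nat-traversal, which is on by default on current releases), and the remote peer must be configured with the router's public IP as the peer address, not 10.0.0.2. On the router, show ip nat translations should show entries for UDP 500 and 4500 toward 10.0.0.2 once a peer starts negotiating; if the translation appears but the tunnel never comes up, look at the ASA's IKE debugs rather than the NAT, since the router is only passing the packets through.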
01-19-2020 06:22 AM - edited 01-20-2020 01:04 AM
Hello
However, configuring the firewall's outside interface as public IP would require another /30 public IP range and the router's internal interface will also be configured using a Public IP. This will cause unnecessary wastage of public IPs since only one (Firewall's outside IP) will be used.
If I understand you correctly, then it sounds like you could bridge your single public IP address on the WAN rtr so the FW can connect to that rtr's LAN-facing interface on the single public IP.
Example 1, router running IOS:
! Bridge definitions must exist before bridge-group is applied to the interfaces
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
int x/x
 description public facing
 no ip address
 bridge-group 1
!
int xx
 description lan facing
 no ip address
 bridge-group 1
!
! The BVI carries the routed public IP for bridge group 1
interface BVI 1
 ip address 1.1.1.1 255.255.255.252
Example 2, router running IOS-XE:
int x/x
 description public facing
 no ip address
 service instance 1 ethernet
  encapsulation untagged
  bridge-domain 1
!
int xx
 description lan facing
 no ip address
 service instance 1 ethernet
  encapsulation untagged
  bridge-domain 1
!
! The BDI carries the routed public IP for bridge domain 1
interface BDI1
 ip address 1.1.1.1 255.255.255.252