11-10-2010 08:26 AM
Hi
Can anyone tell me if an ASA that has a single public IP address (on the outside interface) is able to support both VPN and Static NAT with Port Numbers configuration at the same time? I seem to remember having issues with this in a lab in the past. It would be even more useful if someone could point me to a configuration example.
Regards
Paul
11-10-2010 08:34 AM
Hi,
It's possible as long as you do not have static mappings for UDP 500, 4500 and any IPSec over TCP port that you might have enabled. I hope I am getting your problem right.
You would basically like to statically map some inside IP address/port combination to the outside interface IP address/port and at the same time have a VPN terminate on the outside interface.
If you could post the exact requirement and a configuration if you have one, I can comment on it.
Regards,
Prapanch
11-12-2010 06:02 AM
The setup would be like this:
Internet <> ASA <> LAN
1) The ASA would be a simple inside/outside firewall and would need to terminate Remote Access and L2L VPNs on the outside interface.
2) The ASA would NOT have a pool of public IP addresses available on the outside interface.
3) The ASA would need to be able to perform static NAT translation from the outside interface to several inside hosts using Static NAT with Port Numbers (Static PAT).
For example:
static (inside,outside) tcp interface 80 10.10.10.10 80 net 255.255.255.255
static (inside,outside) tcp interface 25 10.10.20.10 25 net 255.255.255.255
Paul
11-12-2010 08:25 AM
Hi Paul,
Yes, it's possible. The configuration for remote access is going to be the same as regular. Nothing special.
http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5505/quick/guide/rem_acc.html
Let me know how it goes!!
Regards,
Prapanch
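Added example, not part of any post in this thread: a small Python check that scans pre-8.3 ASA configuration text for static PAT entries on the VPN-terminating interface that would take UDP 500, UDP 4500 or an enabled IPsec over TCP port, the condition described in the first reply. The function names, the sample configurations and the default of TCP 10000 when no port list is given are assumptions of this example.

```python
import re

# Pre-8.3 syntax from the thread:
#   static (real_if,mapped_if) {tcp|udp} interface <mapped_port> <real_ip> <real_port> ...
STATIC_PAT = re.compile(r"^static\s+\((\S+),(\S+)\)\s+(tcp|udp)\s+interface\s+(\S+)", re.I)
IPSEC_TCP = re.compile(r"^crypto\s+isakmp\s+ipsec-over-tcp(?:\s+port\s+(.+))?$", re.I)
# A few port names the ASA prints in place of numbers (subset, enough for this check).
NAMED = {"isakmp": 500, "www": 80, "smtp": 25, "https": 443}

def port_num(token):
    """Numeric port for a config token, or None for a name not in NAMED."""
    return int(token) if token.isdigit() else NAMED.get(token.lower())

def find_conflicts(config, vpn_if="outside"):
    """Return (line, reason) for each static PAT that takes a VPN port on vpn_if."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    reserved = {("udp", 500): "IKE", ("udp", 4500): "NAT-T"}
    for ln in lines:
        m = IPSEC_TCP.match(ln)
        if m:
            # Assumption: with no explicit port list the feature listens on TCP 10000.
            for p in (m.group(1) or "10000").split():
                reserved[("tcp", int(p))] = "IPsec over TCP"
    hits = []
    for ln in lines:
        m = STATIC_PAT.match(ln)
        if m and m.group(2).lower() == vpn_if:
            key = (m.group(3).lower(), port_num(m.group(4)))
            if key in reserved:
                hits.append((ln, reserved[key]))
    return hits

# Constructed sample modelled on the two static PAT lines in the thread.
SAMPLE_OK = """
static (inside,outside) tcp interface 80 10.10.10.10 80 netmask 255.255.255.255
static (inside,outside) tcp interface 25 10.10.20.10 25 netmask 255.255.255.255
"""
# Constructed sample: two extra mappings that collide with the VPN listener.
SAMPLE_BAD = SAMPLE_OK + """
crypto isakmp ipsec-over-tcp port 10000
static (inside,outside) udp interface 4500 10.10.30.10 4500 netmask 255.255.255.255
static (inside,outside) tcp interface 10000 10.10.30.10 10000 netmask 255.255.255.255
"""

if __name__ == "__main__":
    for line, reason in find_conflicts(SAMPLE_BAD):
        print(f"CONFLICT ({reason}): {line}")
```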