wayne loh
Beginner

Cisco ASA AnyConnect behind another firewall

Hi All,

Would like some configuration guidance on the attached setup for Cisco ASA AnyConnect behind another firewall. The perimeter firewall will have a public IP address NATed to the Cisco ASA interface (which uses a private IP address). However, in this case, which Cisco ASA interface needs to be configured: outside or inside? And what about the NAT-exempt setup for Cisco AnyConnect?

Many Thanks.

5 REPLIES
balaji.bandi
VIP Expert

ASA remote-access SSL VPN works when the ASA outside interface is behind another ASA firewall that NATs the address. As long as the second firewall allows TCP/443 (SSL), it should work as expected.

Internet -- ASA (external) ---- Outside (ASA - remote VPN)

For IPsec VPN a few more ports are required (typically UDP/500 and UDP/4500).

https://www.petenetlive.com/KB/Article/0001428



BB


*** Rate All Helpful Responses ***

Hi,

Can I configure the inside interface as the VPN access interface instead, because the current VPN concentrator (another product) uses the internal interface?

Thanks.

What about the NAT exemption configuration?

@wayne loh You have to terminate the VPN on the interface the traffic is coming in on, regardless of its actual name. Usually it's the outside interface.

You only need NAT exemption if you have other NAT rules that might unintentionally NAT the traffic. So if you have other NAT rules, then yes, you need NAT exemption rules. Provide your configuration if unsure.

From your diagram, is your intention to use one interface on the ASA and route traffic to the internal network back via the same interface?

If you are intending to use SSL VPN, then on the upstream firewall also permit DTLS (UDP/443).
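To make the two points above concrete (terminate AnyConnect on the interface the NATed traffic arrives on, and add NAT exemption only because another NAT rule would otherwise catch the VPN traffic), here is an added ASA configuration example. It is not from the original post or from the linked article, and every address, object name, pool name and the AnyConnect package filename are assumptions made up for illustration: the perimeter firewall is assumed to own the public address 203.0.113.10 and forward TCP/443 and UDP/443 to the ASA's private outside address 192.168.100.2, with the LAN on 10.10.0.0/24 and a client pool of 10.20.0.0/24.

```cisco
! Assumed topology (constructed for this example, not from the thread):
!   Internet -- perimeter firewall (public 203.0.113.10, forwards TCP/443 and
!               UDP/443 to 192.168.100.2) -- ASA "outside" 192.168.100.2/24
!   ASA "inside" 10.10.0.1/24, LAN 10.10.0.0/24, AnyConnect pool 10.20.0.0/24
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.100.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
! Default route points at the perimeter firewall's inside address (assumed .1)
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
!
! Addresses handed to AnyConnect clients
ip local pool ANYCONNECT_POOL 10.20.0.1-10.20.0.254 mask 255.255.255.0
!
object network ANYCONNECT_NET
 subnet 10.20.0.0 255.255.255.0
!
! Ordinary dynamic PAT for LAN users browsing out. This is the "other NAT rule":
! on its own it would also translate inside -> 10.20.0.0/24 traffic to the
! outside interface address and break return traffic to VPN clients.
object network INSIDE_NET
 subnet 10.10.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! NAT exemption (identity twice-NAT). Manual NAT is evaluated before object
! NAT, so this wins over the PAT rule above for inside <-> VPN pool traffic.
! If the PAT rule did not exist, this line would be unnecessary.
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static ANYCONNECT_NET ANYCONNECT_NET no-proxy-arp route-lookup
!
! Terminate AnyConnect on "outside": that is where the perimeter firewall
! delivers the forwarded TCP/443 and UDP/443, even though the interface holds
! a private address. Clients connect to the public 203.0.113.10.
! Package filename below is a placeholder, not a real image name.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-placeholder.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
group-policy ANYCONNECT_GP internal
group-policy ANYCONNECT_GP attributes
 vpn-tunnel-protocol ssl-client
 address-pools value ANYCONNECT_POOL
!
tunnel-group ANYCONNECT_TG type remote-access
tunnel-group ANYCONNECT_TG general-attributes
 address-pool ANYCONNECT_POOL
 default-group-policy ANYCONNECT_GP
tunnel-group ANYCONNECT_TG webvpn-attributes
 group-alias AnyConnect enable
!
! DTLS is on by default once AnyConnect is enabled, which is why the perimeter
! firewall must forward UDP/443 as well as TCP/443; without it the client falls
! back to TLS only. IKEv2/IPsec clients would additionally need UDP/500 and
! UDP/4500 forwarded and "crypto ikev2 enable outside" on the ASA.
```

Two checks worth running after applying something like this: `show nat detail` should show the identity rule in section 1 with hit counts climbing when a VPN client talks to the LAN, and `show vpn-sessiondb anyconnect` should list the session's tunnel protocol as both "Clientless SSL-Tunnel" and "DTLS-Tunnel"; if only the TLS tunnel appears, UDP/443 is not getting through the upstream firewall.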

Peter Koltl
Frequent Contributor

TCP/443 and UDP/443 should be opened on external firewall.

Just call the interface outside and do not use any NAT rules.
