
VPN appliance behind another ASA Firewall

Bob Bagheri
Level 1

I have a customer that wants to put their VPN/ASA behind the main ASA connected to the Internet.  Both appliances have an inside leg to the internal network, but the VPN ASA connects directly to the Internet ASA.


Topology:

Outside FW:  Internet handoff >> ASA/FW >> DMZ leg to ASA/VPN

VPN ASA: Outside Interface L3 link to DMZ interface of ASA/FW


On the outside FW I NAT'd the outside address of the VPN/ASA to an available public IP, and I have a rule allowing all IP from the outside to the VPN outside private IP address.  Inside = 192.168.254.1   Outside = public IP address.


On the VPN/ASA, I setup standard ASA SSL Remote Access.


When I hit the NAT'd public IP address, nothing happens.  I have run packet-tracer on the outside FW and everything looks good.


Does anyone have a sample design / config for a similar topology?     Internet >>> ASA/FW >>>>dmz-leg>>>>ASA/VPN


Thanks in advance,
Bob


1 Accepted Solution

Andre Neethling
Level 4

Can you share your NAT and routing config? Of both ASAs


5 Replies


Andre, it did turn out to be a NAT issue after all, although I thought I checked that already.


Here is the correct NAT on the outside ASA, where the object vpn-fw-outside is the IP address of the outside interface of the VPN ASA:

object network vpn-fw-outside
        no nat (vpn-dmz,outside) static 209.x.x.x


Thanks,
Bob

Hi.

We have the same problem at our place. When AnyConnect hits the outer firewall it NATs fine to the inner firewall that runs the VPN, and the inner replies through NAT to the client. But then AnyConnect sees the new inner address and tries to send traffic directly to that address, which obviously doesn't work as it's an RFC1918 address.

Can you explain how you solved our problem? Thanks.

Ok, so I have VPN/ASA appliance that has an outside subnet 192.168.1.0/30.  The VPN appliance is .1 and the FW is .2.  On the FW, this is an interface called vpn-inside.

I take the 192.168.1.1 and NAT it on the FW to a public address, and a rule that allows VPN traffic from the FW outside to the vpn-inside interface.

The AnyConnect client uses the public address on the outside FW, and traffic is sent to the inside VPN via the firewall rule.

I just logged in and my Anyconnect shows the SERVER address as the public address, not the RFC1918 address.

Configs:

On the FW here is my interface facing the VPN appliance:

interface GigabitEthernet0/3
 description *** Conneciton to VPN Appliance G0/0 ***
 nameif vpn-dmz
 security-level 30
 ip address 192.168.254.3 255.255.255.248 standby 192.168.254.4 

object network vpn-fw-outside
 host 192.168.254.1
 description *** VPN appliance outisde interface ***

object network vpn-fw-outside
 nat (vpn-dmz,outside) static 209.x.x.x

access-list outside_access_in extended permit ip any object vpn-fw-outside 


On the VPN appliance, nothing special is needed once you setup the standard Anyconnect Ipsec or SSL server.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.254.1 255.255.255.248 standby 192.168.254.2 


These NAT statements are important:

nat (outside,outside) source static obj-AnyconnectPool obj-AnyconnectPool destination static obj-AnyconnectPool obj-AnyconnectPool
nat (inside,outside) source static any any destination static obj-AnyconnectPool obj-AnyconnectPool no-proxy-arp route-lookup

object network obj-AnyconnectPool
 subnet 192.168.253.0 255.255.255.0
 description VPN users pool


I have my firewalls connected to a switch, so I created a port in the VLAN they use and gave my PC a 192.168.254.x address (to bypass the outside firewall) and made sure VPN was working fine and routing correctly.  Then I moved to the outside of the firewall, changed my IP to a public IP address and tested from the Internet.  This way I knew whether the problem was with my VPN appliance or my FW.


Good luck,

Bob
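As an added illustration (not code from this thread or from Cisco) of why the static NAT on the outer ASA and the identity NAT rules on the VPN appliance behave as described above, here is a small Python model of the two NAT tables. It assumes 203.0.113.10 as a stand-in for the masked public IP 209.x.x.x, constructed client and server addresses, and a hypothetical `nat (inside,outside) dynamic interface` PAT rule (not in the post) to show what the identity NAT exempts the pool traffic from.

```python
"""Constructed model of the NAT rules in this thread (illustration, not Cisco code).
203.0.113.10 stands in for the masked public IP 209.x.x.x; the AnyConnect client
198.51.100.7 and inside server 10.1.1.5 are constructed addresses."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple
Packet = Tuple[str, str]  # (src, dst)
def _in(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)
def _map(addr: str, real: str, mapped: str) -> str:
    # Identity NAT keeps the address; otherwise map to the single mapped host (static or PAT).
    return addr if real == mapped else str(ipaddress.ip_network(mapped).network_address)

@dataclass(frozen=True)
class NatRule:
    """ASA 8.3+ rule, real -> mapped (identity NAT when equal); dst = twice-NAT destination."""
    real: str
    mapped: str
    dst: Optional[str] = None
    def outbound(self, pkt: Packet) -> Optional[Packet]:  # real-to-mapped: rewrite the source
        src, dst = pkt
        if not _in(src, self.real) or (self.dst and not _in(dst, self.dst)):
            return None
        return (_map(src, self.real, self.mapped), dst)
    def inbound(self, pkt: Packet) -> Optional[Packet]:  # mapped-to-real: static NAT is bidirectional
        src, dst = pkt                                    # (static rules only; PAT needs an xlate)
        return (src, _map(dst, self.mapped, self.real)) if _in(dst, self.mapped) else None

def apply(rules: List[NatRule], pkt: Packet, direction: str) -> Packet:
    for rule in rules:  # first match wins, as in the ASA's ordered NAT table
        out = getattr(rule, direction)(pkt)
        if out is not None:
            return out
    return pkt          # no match: forwarded untranslated

POOL = "192.168.253.0/24"                                     # obj-AnyconnectPool
OUTER_ASA = [NatRule("192.168.254.1/32", "203.0.113.10/32")]  # nat (vpn-dmz,outside) static 209.x.x.x
# VPN ASA: the two identity rules from the post, then a hypothetical
# 'nat (inside,outside) dynamic interface' PAT rule that the post does not show.
PAT_TO_OUTSIDE = NatRule("10.0.0.0/8", "192.168.254.1/32")
VPN_ASA = [NatRule(POOL, POOL), NatRule("0.0.0.0/0", "0.0.0.0/0", dst=POOL), PAT_TO_OUTSIDE]
def client_sees(client: str = "198.51.100.7") -> str:
    """Source address of the VPN ASA's reply as the Internet client sees it."""
    to_vpn = apply(OUTER_ASA, (client, "203.0.113.10"), "inbound")  # dst -> 192.168.254.1
    reply = apply(OUTER_ASA, (to_vpn[1], to_vpn[0]), "outbound")    # VPN ASA answers from .254.1
    return reply[0]                                                 # -> 203.0.113.10 again

def inside_to_pool_src(rules: List[NatRule], server: str = "10.1.1.5") -> str:
    """Source the VPN user sees for inside-server traffic; the identity NAT keeps it real."""
    return apply(rules, (server, "192.168.253.20"), "outbound")[0]
```

Without the identity rule, the hypothetical PAT would rewrite inside-to-pool traffic to the VPN ASA's outside address, which is why the post calls those two NAT statements important.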


Thanks for your reply. After playing with it yesterday and this morning I found out that the NATting worked just fine when you did it directly to an ASA. But when you do it to the NATted VPN LB address then it doesn't work, strangely enough.

So we have it running now well enough for us to continue testing.