VPN ASA 5505 + PAT on the same public IP Address

Diego Rigorini
Level 1

I'm a newbie in Cisco configuration and I am facing a problem.

I have 2 ASA 5505s in two different branches. A VPN is established between them.

On the second branch I have only 1 public static IP, which is used for the outside address of the ASA.

I need to make a PAT to publish the www port of a server, but if I try to configure the PAT I receive an error that says I can't do it because there is an address overlap with the outside address.

I cannot upgrade to a subnet of 8 IPs.

Is there a way to accomplish that while keeping my VPN up?

Accepted Solution

Hello @Diego Rigorini,

In order to make it work, you need to use the keyword "interface". If you don't, the ASA will think this is a new IP address, and when it checks it finds it is the same as the outside interface; that's why you get the error. Change it to this:

object network mytest
 nat (inside,outside) static interface service tcp www www

HTH

Gio
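The overlap the ASA rejects can be caught before the config is pushed. This is an added example, not code from the thread or from Cisco: a small Python checker that parses interface blocks and static NAT/PAT rules from a constructed ASA config (203.0.113.221 is a documentation address standing in for the redacted 83.xx.xx.221) and flags any rule whose mapped address is the egress interface's own IP, pointing at the `static interface` form Gio recommends.

```python
import re
from typing import Dict, List

# Constructed sample config modelled on the thread; 203.0.113.221 is a
# documentation address standing in for the poster's redacted outside IP.
ASA_CONFIG = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.221 255.255.255.255
!
object network mytest
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.221 service tcp www www
object network mytest2
 nat (inside,outside) static interface service tcp 8080 8080
"""

NAT_RE = re.compile(r"^\s*nat \((\w+),(\w+)\) static (\S+)")


def interface_addresses(config: str) -> Dict[str, str]:
    """Map each nameif to the IP configured in its interface block."""
    ifaces: Dict[str, str] = {}
    name = addr = None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = addr = None          # start of a new interface block
        elif line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" ip address "):
            addr = line.split()[2]
        if name and addr:
            ifaces[name] = addr
    return ifaces


def check_static_nat(config: str) -> List[str]:
    """Flag static NAT/PAT rules mapped to the egress interface's own IP."""
    ifaces = interface_addresses(config)
    findings: List[str] = []
    obj = "?"
    for line in config.splitlines():
        if line.startswith("object network "):
            obj = line.split()[2]       # remember the enclosing object
        m = NAT_RE.match(line)
        if m and m.group(3) == ifaces.get(m.group(2)):
            findings.append(
                f"{obj}: mapped address {m.group(3)} overlaps with "
                f"{m.group(2)} interface address; use 'static interface'")
    return findings
```

Running `check_static_nat(ASA_CONFIG)` reports only `mytest`; the rule written with the `interface` keyword passes.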

4 Replies

Marvin Rhoads
Hall of Fame

When you say VPN, do you mean a remote access SSL VPN? By default that uses port 443, but you can change it to some other port and thus free up 443 for your web server.

Instructions for doing that can be found here:

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-device-manager/118842-technote-asdm-00.html#anc10

No, it's a site-to-site IPsec VPN established between the two branches.
The ports I need are not actually used by any service.
This is the configuration of the outside interface:

interface Vlan2
 nameif outside
 security-level 0
 ip address 83.xx.xx.221 255.255.255.255
!

I tried the following:

object network mytest
 nat (inside,outside) static 83.xx.xx.221 service tcp www www

And I get the error:

ERROR: Address 83.xx.xx.221 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded

How can I do it without breaking my VPN?


It works!

Thank you very much.
