Cisco ASA VPN and port forwarding issue
Posted on 2007-11-24
If I am using a Cisco ASA 5505 (running ASA 7.2(3)) with a single, static public IP on the outside, can I terminate an IPSEC VPN as well as do port forwarding (static PAT) on that single static address?
For example, I have a config like:
ip address 192.168.0.1 255.255.255.0
ip address 126.96.36.199 255.255.255.0
I then port forward from that outside address to an inside host for Remote Desktop management from the outside:
static (inside,outside) tcp interface 3389 192.168.0.10 3389 netmask 255.255.255.255
My general NAT works fine for all of the hosts:
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
But then if I add a VPN tunnel that terminates on that same outside interface, (including the nat 0 command specifying interesting traffic), the VPN does not ever come up correctly, and it appears from the log entries that some or all of the IKE phase 1 negotiation packets are getting redirected to the 192.168.0.10 host, even though that IKE negotiation should have nothing to do with TCP port 3389.
If I remove the static PAT rule then the VPN functions correctly.
That brings up the general question: can I terminate a VPN on the outside interface and port forward via static PAT on the outside interface at the same time? I would think the answer should be yes, as a much less expensive Linksys NAT router can do so. But I cannot get it to work on the 5505.
Thanks for any help.
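For reference, here is how the three pieces the question describes (interface static PAT, NAT exemption for the tunnel, and a site-to-site crypto map bound to the same outside interface) are normally laid out together in ASA 7.2 syntax. This is an added example, not the poster's configuration; the peer address 203.0.113.1, the remote LAN 10.10.0.0/24, the object names and the pre-shared key are assumed placeholders.

```cisco
! --- assumed values: peer 203.0.113.1, remote LAN 10.10.0.0/24 ---

! traffic that must cross the tunnel untranslated (NAT exemption)
access-list NONAT extended permit ip 192.168.0.0 255.255.255.0 10.10.0.0 255.255.255.0
nat (inside) 0 access-list NONAT

! interface static PAT: only TCP/3389 on the outside address is forwarded
static (inside,outside) tcp interface 3389 192.168.0.10 3389 netmask 255.255.255.255

! general PAT for everything else from the inside LAN
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0

! IKE phase 1 (UDP/500, UDP/4500 when NAT-T is in use) on the outside interface
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

! IKE phase 2 proposal and the crypto map bound to the outside interface
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address NONAT
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! site-to-site tunnel group keyed by the peer address
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key REPLACE_WITH_REAL_KEY
```

In this release the NAT exemption (nat 0 access-list) is evaluated before static entries, so LAN-to-remote-LAN traffic matching NONAT is never translated; the static PAT is scoped to TCP/3389 only and should not claim UDP/500 or UDP/4500 IKE traffic.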