Solved

Cisco ASA VPN and port forwarding issue

Posted on 2007-11-24
1,828 Views
Last Modified: 2013-11-16
If I am using a Cisco ASA 5505 (running ASA 7.2(3)) with a single, static public IP on the outside, can I terminate an IPSEC VPN as well as do port forwarding (static PAT) on that single static address?

For example, I have a config like:

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 5.5.5.5 255.255.255.0

I then port forward from that outside address to an inside host for Remote Desktop management from the outside:

static (inside,outside) tcp interface 3389 192.168.0.10 3389 netmask 255.255.255.255

My general nat works fine for all of the hosts:

global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0

But then if I add a VPN tunnel that terminates on that same outside interface, (including the nat 0 command specifying interesting traffic), the VPN does not ever come up correctly, and it appears from the log entries that some or all of the IKE phase 1 negotiation packets are getting redirected to the 192.168.0.10 host, even though that IKE negotiation should have nothing to do with TCP port 3389.

If I remove the static PAT rule then the VPN functions correctly.

That brings up the general question, can I terminate a VPN on the outside interface and port forward via Static (PAT) on the outside interface at the same time?  I would think the answer should be yes as a much less expensive Linksys NAT router can do so.  But I cannot get it to work on the 5505.

Thanks for any help.
wondra.john@gmail.com
Question by: Jwondra

5 Comments
Expert Comment by: lrmoore
ID: 20344298
Yes, you can.
Are you trying to do a lan-2-lan IPSEC tunnel, or a vpn client IPSEC config? Did you use the VPN wizard on the ASA?
Author Comment by: Jwondra
ID: 20344372
It is a lan-2-lan IPSEC tunnel.

I did the base config manually via the command line, then used the VPN wizard and the GUI to do the VPN portion.  Of course, I have been tweaking it and making modifications and optimizations to it now.

I thought the sysopt command might be a factor, but I have tried it both with and without that command.

I'm glad you confirmed that this should work.  I sure think it should.

Expert Comment by: lrmoore
ID: 20345709
If you post your complete config I might be able to help you out
Author Comment by: Jwondra
ID: 20345862
Well, here's the weird part.  It's now working!  

I can create an IPSEC tunnel on the outside interface and correctly PAT the RDP (TCP 3389) packets on that outside interface, as well.  Exactly as you would think it should work.

I made no net change to the config compared to when it was not working.  What I did do was remove and then re-add the static PAT entry several times in the process of my debugging and testing, and I can only guess that it finally got into the running config correctly.  Maybe there was some internal issue in the box as far as how it processes the config and builds its own internal tables, etc.?

I definitely appreciate your verifying that what I was trying to do was within the range of possibilities and normal working range of the ASA.  I was pretty sure it was, but having an expert to confirm it was very valuable.

Thanks!
Accepted Solution by: lrmoore (earned 250 total points)
ID: 20346104
Probably had to do with nat timeouts where all the existing xlates finally timed out.
Whenever you add or change a static, issue the "clear xlate" command and the changes will be immediate.
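As an added example (not code from this thread, from Cisco, or from Experts Exchange), here is a small Python checker that parses ASA 7.x `static (inside,outside)` PAT lines like the one in the question and answers the asker's underlying worry directly: which inside host, if any, a given protocol/port arriving on the outside address would be translated to, and whether any static PAT actually claims the IKE ports (UDP 500, and UDP 4500 for NAT-T) that the ASA itself must own to terminate an IPsec tunnel on that interface. The sample config is constructed from the question's own lines plus one hypothetical UDP 500 static added to show what a genuine conflict looks like; the TCP 3389 rule cannot match IKE traffic, which is consistent with the accepted answer that stale xlates, not the rule itself, were the cause.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the question's outside interface, its TCP 3389 static PAT
# and general NAT, plus one HYPOTHETICAL udp/500 static that would hijack IKE.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 5.5.5.5 255.255.255.0
static (inside,outside) tcp interface 3389 192.168.0.10 3389 netmask 255.255.255.255
static (inside,outside) udp interface 500 192.168.0.20 500 netmask 255.255.255.255
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
"""

# UDP ports an IPsec peer terminating on the interface must receive itself:
# 500 for IKE (phase 1 negotiation), 4500 for NAT-T encapsulated IKE/ESP.
IKE_UDP_PORTS = {500, 4500}


@dataclass
class StaticPat:
    real_ifc: str
    mapped_ifc: str
    proto: str
    mapped_addr: str   # "interface" or a literal mapped IP
    mapped_port: int
    real_ip: str
    real_port: int
    raw: str


# Matches the port-forwarding (static PAT) form only:
#   static (real,mapped) {tcp|udp} {interface|ip} mport real_ip rport netmask ...
STATIC_RE = re.compile(
    r"^static \((?P<real>\w+),(?P<mapped>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<maddr>interface|\d+\.\d+\.\d+\.\d+) (?P<mport>\d+) "
    r"(?P<rip>\d+\.\d+\.\d+\.\d+) (?P<rport>\d+)"
)


def parse_static_pat(config: str) -> List[StaticPat]:
    """Extract every static PAT line from an ASA running-config text."""
    entries = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            entries.append(StaticPat(
                m["real"], m["mapped"], m["proto"], m["maddr"],
                int(m["mport"]), m["rip"], int(m["rport"]), line.strip(),
            ))
    return entries


def xlate_target(config: str, proto: str, port: int,
                 vpn_ifc: str = "outside") -> Optional[str]:
    """Inside host that inbound proto/port on the interface address is forwarded
    to, or None when no static PAT claims it (the ASA keeps the traffic)."""
    for s in parse_static_pat(config):
        if (s.mapped_ifc == vpn_ifc and s.mapped_addr == "interface"
                and s.proto == proto and s.mapped_port == port):
            return s.real_ip
    return None


def ike_conflicts(config: str, vpn_ifc: str = "outside") -> List[StaticPat]:
    """Static PATs on the VPN interface address that steal IKE/NAT-T ports."""
    return [s for s in parse_static_pat(config)
            if s.mapped_ifc == vpn_ifc and s.mapped_addr == "interface"
            and s.proto == "udp" and s.mapped_port in IKE_UDP_PORTS]


if __name__ == "__main__":
    print("tcp/3389 ->", xlate_target(SAMPLE_CONFIG, "tcp", 3389))
    print("udp/500  ->", xlate_target(SAMPLE_CONFIG, "udp", 500))
    print("udp/4500 ->", xlate_target(SAMPLE_CONFIG, "udp", 4500))
    for s in ike_conflicts(SAMPLE_CONFIG):
        print("IKE conflict:", s.raw)
```

The checker only understands the `interface`-keyword PAT form used in the question; one-to-one statics and the `nat 0` exemption ACL are out of scope. When it reports no conflict and the tunnel still misbehaves after a static was added or changed, the accepted answer's `clear xlate` is the operational step: the ASA keeps existing translation-table entries until they time out, so a changed static does not take effect on already-known flows until the old xlates are gone.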