Solved

Cisco ASA VPN and port forwarding issue

Posted on 2007-11-24
Last Modified: 2013-11-16
If I am using a Cisco ASA 5505 (running ASA 7.2(3)) with a single, static public IP on the outside, can I terminate an IPSEC VPN as well as do port forwarding (static PAT) on that single static address?

For example, I have a config like:

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 5.5.5.5 255.255.255.0

I then port forward from that outside address to an inside host for Remote Desktop management from the outside:

static (inside,outside) tcp interface 3389 192.168.0.10 3389 netmask 255.255.255.255

My general nat works fine for all of the hosts:

global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0

But then if I add a VPN tunnel that terminates on that same outside interface, (including the nat 0 command specifying interesting traffic), the VPN does not ever come up correctly, and it appears from the log entries that some or all of the IKE phase 1 negotiation packets are getting redirected to the 192.168.0.10 host, even though that IKE negotiation should have nothing to do with TCP port 3389.

If I remove the static PAT rule then the VPN functions correctly.

That brings up the general question, can I terminate a VPN on the outside interface and port forward via static (PAT) on the outside interface at the same time?  I would think the answer should be yes as a much less expensive Linksys NAT router can do so.  But I cannot get it to work on the 5505.

Thanks for any help.
wondra.john@gmail.com

Question by: Jwondra
5 Comments

Expert Comment by: lrmoore (ID: 20344298)
Yes, you can.
Are you trying to do a lan-2-lan IPSEC tunnel, or a vpn client IPSEC config? Did you use the VPN wizard on the ASA?

Author Comment by: Jwondra (ID: 20344372)
It is a lan-2-lan IPSEC tunnel.

I did the base config manually via the command line, then used the VPN wizard and the GUI to do the VPN portion.  Of course, I have been tweaking it and making modifications and optimizations to it now.

I thought the sysopt command might be a factor, but I have tried it both with and without that command.

I'm glad you confirmed that this should work.  I sure think it should.


Expert Comment by: lrmoore (ID: 20345709)
If you post your complete config I might be able to help you out.

Author Comment by: Jwondra (ID: 20345862)
Well, here's the weird part.  It's now working!  

I can create an IPSEC tunnel on the outside interface and correctly PAT the RDP (TCP 3389) packets on that outside interface, as well.  Exactly as you would think it should work.

I made no net change to the config compared to when it was not working.  What I did do was remove and then re-add the static PAT entry several times in the process of my debugging and testing, and I can only guess that it finally got into the running config correctly.  Maybe there was some internal issue in the box as far as how it processes the config and builds its own internal tables, etc.?

I definitely appreciate your verifying that what I was trying to do was within the range of possibilities and normal working range of the ASA.  I was pretty sure it was, but having an expert to confirm it was very valuable.

Thanks!

Accepted Solution by: lrmoore (ID: 20346104)
Probably had to do with nat timeouts where all the existing xlates finally timed out.
Whenever you add or change a static, issue the "clear xlate" command and the changes will be immediate.

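For reference, here is the combination the thread settles on (static PAT on the outside interface address, a nat 0 exemption for the tunnel traffic, and an IPsec L2L tunnel terminating on that same address), written out as one ASA 7.2-style fragment, followed by lrmoore's `clear xlate` step and the show commands used to verify it. This is an added example, not the asker's posted configuration or anything taken from lrmoore's answer. The interface addresses and the RDP static are copied from the question; the remote peer 6.6.6.6, the remote LAN 192.168.1.0/24, the management source host 7.7.7.7, the ACL, transform-set and crypto-map names, and the IKE/IPsec proposal values are assumptions chosen for illustration, and the pre-shared key is a placeholder.

```cisco
! --- Interfaces (as posted in the question) ---
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 5.5.5.5 255.255.255.0
!
! --- Ordinary outbound PAT for the inside LAN (as posted) ---
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
!
! --- NAT exemption: traffic for the remote LAN (assumed 192.168.1.0/24) must
!     bypass PAT, otherwise it never matches the crypto ACL below ---
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! --- Static PAT: TCP/3389 on the outside interface address -> 192.168.0.10 (as posted) ---
static (inside,outside) tcp interface 3389 192.168.0.10 3389 netmask 255.255.255.255
! Assumed management host 7.7.7.7 is the only permitted RDP source; avoid "any" here,
! RDP exposed to every Internet address is a standing brute-force target.
access-list outside_access_in extended permit tcp host 7.7.7.7 interface outside eq 3389
access-group outside_access_in in interface outside
!
! --- IKE phase 1 (UDP/500, UDP/4500 with NAT-T) terminating on the same outside address ---
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! --- IPsec phase 2: interesting traffic is the same pair of subnets as the nonat ACL ---
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 6.6.6.6
crypto map outside_map 1 set transform-set ESP-AES256-SHA
crypto map outside_map interface outside
!
tunnel-group 6.6.6.6 type ipsec-l2l
tunnel-group 6.6.6.6 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-KEY
!
! Decrypted tunnel traffic bypasses the outside interface ACL
sysopt connection permit-vpn
!
! --- Exec commands, run after adding or changing any static (lrmoore's point):
!     flush existing translations so the new static takes effect immediately ---
clear xlate
!
! --- Exec commands to verify: the RDP static, then IKE and IPsec SAs for peer 6.6.6.6 ---
show xlate
show crypto isakmp sa
show crypto ipsec sa
```

`clear xlate` tears down every active translation on the box, so existing PATed sessions through the ASA will be interrupted briefly; do it in a maintenance window if the unit carries production traffic. In `show xlate` the RDP static should appear as a single PAT entry for the interface address on 3389; in `show crypto isakmp sa` the peer should reach state MM_ACTIVE once phase 1 completes, and `show crypto ipsec sa` should show encaps/decaps counters climbing for the 192.168.0.0/24 to 192.168.1.0/24 pair once traffic flows.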