Solved

Cisco ASA VPN and port forwading issue

Posted on 2007-11-24
5
1,824 Views
Last Modified: 2013-11-16
If I am using a Cisco ASA 5505 (running ASA 7.2(3)) with a single, static public IP on the outside, can I terminate an IPSEC VPN as well as do port forwarding (static PAT) on that single static address?

For example, I have a config like:

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 5.5.5.5 255.255.255.0

I then port forward from that outside address to an inside host for Remote Desktop management from the outside:

static (inside,outside) tcp interface 3389 192.168.0.10 3389 netmask 255.255.255.255

My general nat works fine for all of the hosts:

global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0

But then if I add a VPN tunnel that terminates on that same outside interface, (including the nat 0 command specifying interesting traffic), the VPN does not ever come up correctly, and it appears from the log entries that some or all of the IKE phase 1 negotiation packets are getting redirected to the 192.168.0.10 host, even though that IKE negotiation should have nothing to do with TCP port 3389.

If I remove the static PAT rule then the VPN functions correctly.

That brings up the general question, can I terminate a VPN on the outside interface and port forward via Static (PAT) on the outside interafce at the same time?  I would think the answer should be yes as a much less expensive Linksys NAT router can do so.  But I cannot get it to work on the 5505.

Thanks for any help.
wondra.john@gmail.com








0
Comment
Question by:Jwondra
  • 3
  • 2
5 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 20344298
Yes, you can.
Are you trying to do a lan-2-lan IPSEC tunnel, or a vpn client IPSEC config? Did you use the VPN wizard on the ASA?
0
 

Author Comment

by:Jwondra
ID: 20344372
It is a lan-2-lan IP SEC tunnel.

I did the base config manually via the command line, then used the VPN wizard and the GUI to do the VPN portion.  Of ocurse, I have been tweaking it now and making modifications and optimizations to it now.

I thought the sysopt command might be a factor, but I have tried it both with and without that command.

I'm glad you confirmed that his should work.  I sure think it should.

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 20345709
If you post your complete config I might be able to help you out
0
 

Author Comment

by:Jwondra
ID: 20345862
Well, here's the weird part.  It's now working!  

I can create an IPSEC tunnel on the outside interface and correctly PAT the RDP (TCP 3389) packets on that outside interface, as well.  Excatly as you would think it should work.

I made no net change to the config compared to when it was not working.  What I did do was remove and then re-add the static PAT entry several times in the process of my debugging and testing, and I can only gues that it finally got into the running config correctly.  Maybe there was some internal issue in the box as far as how it processes the config and builds its own internal tables, etc.?

I definitely appreciate your verifying that what I was trying to do was within the range of possibilities and normal working range of the ASA.  I was pretty sure it was, but having an expert to confirm it was very valuable.

Thanks!
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 20346104
Probably had to do with nat timeouts where all the existing xlates finally timed out.
Whenever you add or change a static, issue the "clear xlate" command and the changes will be immediate.
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Stack Switches in IOU  web V22 6 60
Radius Debug Error 16 43
Cisco CUCM 10.5: password recovery 2 45
RDP ISR4321 Cisco Router 7 23
This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now