Solved

Cisco ASA VPN and port forwarding issue

Posted on 2007-11-24
5
1,823 Views
Last Modified: 2013-11-16
If I am using a Cisco ASA 5505 (running ASA 7.2(3)) with a single, static public IP on the outside, can I terminate an IPSEC VPN as well as do port forwarding (static PAT) on that single static address?

For example, I have a config like:

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 5.5.5.5 255.255.255.0

I then port forward from that outside address to an inside host for Remote Desktop management from the outside:

static (inside,outside) tcp interface 3389 192.168.0.10 3389 netmask 255.255.255.255

My general nat works fine for all of the hosts:

global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0

But then if I add a VPN tunnel that terminates on that same outside interface, (including the nat 0 command specifying interesting traffic), the VPN does not ever come up correctly, and it appears from the log entries that some or all of the IKE phase 1 negotiation packets are getting redirected to the 192.168.0.10 host, even though that IKE negotiation should have nothing to do with TCP port 3389.

If I remove the static PAT rule then the VPN functions correctly.

That brings up the general question: can I terminate a VPN on the outside interface and port forward via static (PAT) on the outside interface at the same time?  I would think the answer should be yes, as a much less expensive Linksys NAT router can do so.  But I cannot get it to work on the 5505.

Thanks for any help.
wondra.john@gmail.com
Question by:Jwondra
5 Comments
 
LVL 79

Expert Comment

by:lrmoore
Yes, you can.
Are you trying to do a lan-2-lan IPSEC tunnel, or a vpn client IPSEC config? Did you use the VPN wizard on the ASA?
 

Author Comment

by:Jwondra
It is a lan-2-lan IPSEC tunnel.

I did the base config manually via the command line, then used the VPN wizard and the GUI to do the VPN portion.  Of course, I have been tweaking it now and making modifications and optimizations to it.

I thought the sysopt command might be a factor, but I have tried it both with and without that command.

I'm glad you confirmed that this should work.  I sure think it should.

 
LVL 79

Expert Comment

by:lrmoore
If you post your complete config I might be able to help you out.
 

Author Comment

by:Jwondra
Well, here's the weird part.  It's now working!  

I can create an IPSEC tunnel on the outside interface and correctly PAT the RDP (TCP 3389) packets on that outside interface, as well.  Exactly as you would think it should work.

I made no net change to the config compared to when it was not working.  What I did do was remove and then re-add the static PAT entry several times in the process of my debugging and testing, and I can only guess that it finally got into the running config correctly.  Maybe there was some internal issue in the box as far as how it processes the config and builds its own internal tables, etc.?

I definitely appreciate your verifying that what I was trying to do was within the range of possibilities and normal working range of the ASA.  I was pretty sure it was, but having an expert to confirm it was very valuable.

Thanks!
 
LVL 79

Accepted Solution

by:lrmoore (earned 250 total points)
Probably had to do with nat timeouts where all the existing xlates finally timed out.
Whenever you add or change a static, issue the "clear xlate" command and the changes will be immediate.
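As an added example (not code from the question or the accepted answer), the script below parses the static lines from an ASA 7.x-style config like the one posted above and reports which statics on the outside interface address would actually swallow IPsec peer traffic: a static PAT on udp/500 or udp/4500 (IKE and NAT-T), or a full static NAT of the interface address, which forwards every inbound packet, ESP and IKE included, to the inside host. The tcp/3389 RDP static from the question is reported as harmless, matching lrmoore's "yes, you can". The sample config is constructed; the function names, the small port-name map and the choice to only inspect statics that use the interface keyword are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Ports an IPsec peer must reach on the outside address (assumption: standard
# IKE on udp/500 and NAT-T on udp/4500; ESP is IP protocol 50 and has no port).
IKE_PORTS = {("udp", 500), ("udp", 4500)}

# Minimal ASA service-name map (assumption: only the names this check needs).
PORT_NAMES = {"isakmp": 500, "www": 80, "https": 443}

# Constructed sample config modelled on the snippets in the question, plus two
# statics that would break a tunnel terminating on the outside interface.
SAMPLE_CONFIG = """
interface Vlan2
 nameif outside
 security-level 0
 ip address 5.5.5.5 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
static (inside,outside) tcp interface 3389 192.168.0.10 3389 netmask 255.255.255.255
static (inside,outside) udp interface isakmp 192.168.0.20 500 netmask 255.255.255.255
static (inside,outside) interface 192.168.0.30 netmask 255.255.255.255
"""


@dataclass
class Static:
    proto: Optional[str]        # "tcp"/"udp" for static PAT, None for full static NAT
    mapped_port: Optional[int]  # port on the outside address, None for full static NAT
    real_ip: str                # inside host the traffic is sent to
    line: str                   # original config line, for reporting


# static (real_if,mapped_if) tcp|udp interface <mapped_port> <real_ip> <real_port> ...
STATIC_PAT = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) interface "
    r"(?P<mport>\S+) (?P<rip>\d+\.\d+\.\d+\.\d+) (?P<rport>\S+)"
)
# static (real_if,mapped_if) interface <real_ip> ...   (one-to-one, all protocols)
STATIC_NAT = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) interface (?P<rip>\d+\.\d+\.\d+\.\d+)"
)


def port_number(token: str) -> Optional[int]:
    """Turn a numeric port or a known ASA service name into an int."""
    if token.isdigit():
        return int(token)
    return PORT_NAMES.get(token.lower())


def parse_statics(config: str) -> List[Static]:
    """Collect every static that maps to the interface address itself."""
    statics: List[Static] = []
    for raw in config.splitlines():
        line = raw.strip()
        m = STATIC_PAT.match(line)
        if m:
            statics.append(Static(m["proto"], port_number(m["mport"]), m["rip"], line))
            continue
        m = STATIC_NAT.match(line)
        if m:
            statics.append(Static(None, None, m["rip"], line))
    return statics


def ike_conflicts(statics: List[Static]) -> List[str]:
    """Return one finding per static that would redirect IPsec peer traffic."""
    findings = []
    for s in statics:
        if s.proto is None:
            findings.append(
                f"full static NAT of the interface address to {s.real_ip} forwards "
                f"ALL inbound traffic, including IKE and ESP: {s.line}"
            )
        elif s.mapped_port is None:
            findings.append(f"unrecognised mapped port, check by hand: {s.line}")
        elif (s.proto, s.mapped_port) in IKE_PORTS:
            findings.append(
                f"static PAT of {s.proto}/{s.mapped_port} to {s.real_ip} shadows "
                f"IKE/NAT-T on the interface: {s.line}"
            )
    return findings


def harmless_statics(statics: List[Static]) -> List[str]:
    """Statics that coexist with a tunnel on the same address (e.g. tcp/3389)."""
    flagged = {f.rsplit(": ", 1)[-1] for f in ike_conflicts(statics)}
    return [s.line for s in statics if s.line not in flagged]


if __name__ == "__main__":
    found = parse_statics(SAMPLE_CONFIG)
    for finding in ike_conflicts(found):
        print("CONFLICT:", finding)
    for line in harmless_statics(found):
        print("OK      :", line)
```

Run it against the running config exported from the box; anything printed as OK is a port-level static that leaves udp/500, udp/4500 and ESP free for the tunnel, exactly the situation in the question. Note that the check only reasons about the configuration: as the accepted answer points out, a static that is correct on paper can still misbehave until stale translations are gone, so after adding or changing a static issue "clear xlate" before deciding the config is wrong.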