• Status: Solved

Cisco ASA VPN and port forwarding issue

If I am using a Cisco ASA 5505 (running ASA 7.2(3)) with a single, static public IP on the outside, can I terminate an IPSEC VPN as well as do port forwarding (static PAT) on that single static address?

For example, I have a config like:

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 5.5.5.5 255.255.255.0

I then port forward from that outside address to an inside host for Remote Desktop management from the outside:

static (inside,outside) tcp interface 3389 192.168.0.10 3389 netmask 255.255.255.255

My general nat works fine for all of the hosts:

global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0

But then if I add a VPN tunnel that terminates on that same outside interface, (including the nat 0 command specifying interesting traffic), the VPN does not ever come up correctly, and it appears from the log entries that some or all of the IKE phase 1 negotiation packets are getting redirected to the 192.168.0.10 host, even though that IKE negotiation should have nothing to do with TCP port 3389.

If I remove the static PAT rule then the VPN functions correctly.

That brings up the general question, can I terminate a VPN on the outside interface and port forward via Static (PAT) on the outside interface at the same time? I would think the answer should be yes as a much less expensive Linksys NAT router can do so. But I cannot get it to work on the 5505.

Thanks for any help.
wondra.john@gmail.com

Asked by: Jwondra
1 Solution
 
lrmoore commented:
Yes, you can.
Are you trying to do a lan-2-lan IPSEC tunnel, or a vpn client IPSEC config? Did you use the VPN wizard on the ASA?
 
Jwondra (Author) commented:
It is a lan-2-lan IPSEC tunnel.

I did the base config manually via the command line, then used the VPN wizard and the GUI to do the VPN portion. Of course, I have been tweaking it and making modifications and optimizations to it now.

I thought the sysopt command might be a factor, but I have tried it both with and without that command.

I'm glad you confirmed that this should work. I sure think it should.

 
lrmoore commented:
If you post your complete config I might be able to help you out
 
Jwondra (Author) commented:
Well, here's the weird part. It's now working!

I can create an IPSEC tunnel on the outside interface and correctly PAT the RDP (TCP 3389) packets on that outside interface, as well. Exactly as you would think it should work.

I made no net change to the config compared to when it was not working. What I did do was remove and then re-add the static PAT entry several times in the process of my debugging and testing, and I can only guess that it finally got into the running config correctly. Maybe there was some internal issue in the box as far as how it processes the config and builds its own internal tables, etc.?

I definitely appreciate your verifying that what I was trying to do was within the range of possibilities and normal working range of the ASA.  I was pretty sure it was, but having an expert to confirm it was very valuable.

Thanks!
 
lrmoore commented:
Probably had to do with nat timeouts where all the existing xlates finally timed out.
Whenever you add or change a static, issue the "clear xlate" command and the changes will be immediate.
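The combination the thread is about, written out as an added example in ASA 7.2 (pre-8.3 NAT) syntax. This is not the asker's actual config and not lrmoore's: it keeps the asker's interface addresses, dynamic PAT and static PAT, and adds the pieces the question only mentions (the nat 0 exemption for interesting traffic, the lan-2-lan crypto config, and the sysopt command). The peer address 6.6.6.6, the remote LAN 10.10.10.0/24, the management host 203.0.113.50, every access-list and crypto map name, the cipher choices and the pre-shared-key placeholder are assumptions made for the example.

```cisco
! Added example, not the config from this thread. ASA 7.2 / pre-8.3 NAT syntax.
! Assumed values: L2L peer 6.6.6.6, remote LAN 10.10.10.0/24,
! management host 203.0.113.50, and all object names below.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 5.5.5.5 255.255.255.0
!
! Traffic between the two LANs: exempted from NAT and selected for the tunnel.
access-list NONAT extended permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list L2L-TRAFFIC extended permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
!
! Pre-8.3 NAT order: nat 0 exemption is matched first, then statics, then dynamic PAT,
! so tunnel traffic is never rewritten by the interface PAT below. The static PAT only
! claims TCP 3389 on the outside address; IKE (UDP 500) and ESP are untouched by it.
nat (inside) 0 access-list NONAT
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
static (inside,outside) tcp interface 3389 192.168.0.10 3389 netmask 255.255.255.255
!
! Forwarded RDP is reachable only from the assumed management host, not from any source.
access-list OUTSIDE-IN extended permit tcp host 203.0.113.50 host 5.5.5.5 eq 3389
access-group OUTSIDE-IN in interface outside
!
! IKE phase 1 and IPsec phase 2, terminated on the same outside interface.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 6.6.6.6
crypto map OUTSIDE-MAP 10 set pfs group2
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
!
! Lets decrypted tunnel traffic bypass the OUTSIDE-IN interface ACL.
sysopt connection permit-vpn
!
tunnel-group 6.6.6.6 type ipsec-l2l
tunnel-group 6.6.6.6 ipsec-attributes
 pre-shared-key REPLACE-WITH-SHARED-SECRET
```

After adding or changing any static, issue `clear xlate` as lrmoore advises so that translations built under the old rules are torn down rather than left to age out; note that it drops every active translation, so existing sessions through the box will reset. To confirm the two functions coexist, check `show xlate` for the 3389 PAT entry, `show crypto isakmp sa` and `show crypto ipsec sa` for the tunnel, and on 7.2 `packet-tracer input outside tcp 203.0.113.50 40000 5.5.5.5 3389` to see the RDP flow hit the static and the OUTSIDE-IN ACL and nothing else.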
