Cisco ASA Bridge for VPN Only
Is it possible to bridge an ASA and have it maintain the VPN. Here is my config
I wold like to bride the cisco so that the DHCP and port forwarding are all handled by the existing router making the ASA transparent but I need the ASA to maintain a VPN with a remote ASA.
-------(+)------(+)-----Internet
Cisco ^ RTR
ASA ^
192.168.0.X/2
I wold like to bride the cisco so that the DHCP and port forwarding are all handled by the existing router making the ASA transparent but I need the ASA to maintain a VPN with a remote ASA.
ASKER
Kinda what I figured. So what about that 1 to 1 NAT. How would one go about doing that?
Depends on what your ISP's "router" is. I assume it's a cable modem or dsl router. Look for something that says DMZ. It usually allows you to put a single IP in there to expose it to the internet. Enter the ASA's outside IP in this field. This creates a 1 to 1 NAT.
This would make the ISP's router forward all traffic it receives on it's public IP to the ASA bypassing the ISP's firewall and letting the ASA handle firewall tasks.
If you don't see that option you may have to do a port forwarding rule on the ISP's router which is usually called Port Forwarding and is sometimes mixed in a section called Gaming or something like that. You might need a rule for each service you want to allow in.
Your best bet is still to put the ISP's router in bridge mode if it is possible. Sometimes you have to call them to get instructions how.
This would make the ISP's router forward all traffic it receives on it's public IP to the ASA bypassing the ISP's firewall and letting the ASA handle firewall tasks.
If you don't see that option you may have to do a port forwarding rule on the ISP's router which is usually called Port Forwarding and is sometimes mixed in a section called Gaming or something like that. You might need a rule for each service you want to allow in.
Your best bet is still to put the ISP's router in bridge mode if it is possible. Sometimes you have to call them to get instructions how.
ASKER
That one I understand. I was hoping to use the cable modem for the configuration tasks. It is much simpler for my limited needs than having to wrestle the cisco when I do not speak fluent cisco-ese. I do agree that bridging the ISP router would make the most sense but I'm just not that comfortable at rapidly configuring the cisco ASA and I'm constantly dinking with port forwarding etc. Oh well, maybe it is time to tackle the education.
Education is always good :) And to fill the gaps in you're knowledge we're here as well ;)
Like stated by mcsween, I'd go for making the rtr bridged. That way you only have to manage one device instead of to (because the bridged router will be transparent). This will also prevent issues with 'routing' the VPN through the modem/rtr to the ASA.
And if you have any issues/questions, just ask us.
Like stated by mcsween, I'd go for making the rtr bridged. That way you only have to manage one device instead of to (because the bridged router will be transparent). This will also prevent issues with 'routing' the VPN through the modem/rtr to the ASA.
And if you have any issues/questions, just ask us.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks for the guidance. I will apply the knowledge as soon as set up the home office.
It is not good practice to have a device on the outside of your firewall maintaining services for the inside network. I would suggest creating an internal LAN subnet and setup DHCP services on the ASA to assign addresses to your internal nodes.
You will either have to put the ISP's router in bridged mode or create a 1 to 1 NAT (might be called port forwarding rule) on the ISP's router to forward all traffic from the WAN address of the ISP router to the WAN (192.168.0.x) address of your ASA. You may also have to turn off the firewall or create an exception on the ISP's router.