Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Cisco ASA Bridge for VPN Only

Posted on 2013-11-04
7
Medium Priority
?
993 Views
Last Modified: 2013-11-11
Is it possible to bridge an ASA and have it maintain the VPN.  Here is my config

-------(+)------(+)-----Internet
      Cisco  ^  RTR
       ASA   ^
                 192.168.0.X/2

I wold like to bride the cisco so that the DHCP and port forwarding are all handled by the existing router making the ASA transparent but I need the ASA to maintain a VPN with a remote ASA.
0
Comment
Question by:sifugreg
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 22

Expert Comment

by:mcsween
ID: 39622600
The ASA cannot be transparent if it is to be an endpoint for VPN.  The other ASA has to be able to communicate with it.

It is not good practice to have a device on the outside of your firewall maintaining services for the inside network.  I would suggest creating an internal LAN subnet and setup DHCP services on the ASA to assign addresses to your internal nodes.

You will either have to put the ISP's router in bridged mode or create a 1 to 1 NAT (might be called port forwarding rule) on the ISP's router to forward all traffic from the WAN address of the ISP router to the WAN (192.168.0.x) address of your ASA.  You may also have to turn off the firewall or create an exception on the ISP's router.
0
 
LVL 1

Author Comment

by:sifugreg
ID: 39622623
Kinda what I figured.  So what about that 1 to 1 NAT.  How would one go about doing that?
0
 
LVL 22

Expert Comment

by:mcsween
ID: 39622663
Depends on what your ISP's "router" is.  I assume it's a cable modem or dsl router.  Look for something that says DMZ.  It usually allows you to put a single IP in there to expose it to the internet.  Enter the ASA's outside IP in this field.  This creates a 1 to 1 NAT.

This would make the ISP's router forward all traffic it receives on it's public IP to the ASA bypassing the ISP's firewall and letting the ASA handle firewall tasks.

If you don't see that option you may have to do a port forwarding rule on the ISP's router which is usually called Port Forwarding and is sometimes mixed in a section called Gaming or something like that.  You might need a rule for each service you want to allow in.

Your best bet is still to put the ISP's router in bridge mode if it is possible.  Sometimes you have to call them to get instructions how.
0
Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

 
LVL 1

Author Comment

by:sifugreg
ID: 39622692
That one I understand.  I was hoping to use the cable modem for the configuration tasks.  It is much simpler for my limited needs than having to wrestle the cisco when I do not speak fluent cisco-ese.  I do agree that bridging the ISP router would make the most sense but I'm just not that comfortable at rapidly configuring the cisco ASA and I'm constantly dinking with port forwarding etc.  Oh well, maybe it is time to tackle the education.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 39623682
Education is always good :) And to fill the gaps in you're knowledge we're here as well ;)

Like stated by mcsween, I'd go for making the rtr bridged. That way you only have to manage one device instead of to (because the bridged router will be transparent). This will also prevent issues with 'routing' the VPN through the modem/rtr to the ASA.

And if you have any issues/questions, just ask us.
0
 
LVL 22

Accepted Solution

by:
mcsween earned 2000 total points
ID: 39624468
Two commands that will get just about everything done on an ASA as far as ports, firewall, or NAT.

Firewall -
access-list 'ACL NAME' extended Permit/deny type port source destination

Open in new window

so to allow access to a web server on ip 24.24.24.24 from anywhere you would use
access-list ouside_access_in extended permit tcp 80 any 24.24.24.24 255.255.255.255

Open in new window


NAT -
Static (inside, outside) type publicIP public_Port privateIP private_port netmask 'subnet'

Open in new window

so to forward the port to an internal server at 192.168.0.10 for the firewall rule above you would use
static (inside,outside) tcp 24.24.24.24 80 192.168.0.10 80 netmask 255.255.255.255

Open in new window

0
 
LVL 1

Author Closing Comment

by:sifugreg
ID: 39639535
Thanks for the guidance.  I will apply the knowledge as soon as set up the home office.
0

Featured Post

Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you’re involved with your company’s wide area network (WAN), you’ve probably heard about SD-WANs. They’re the “boy wonder” of networking, ostensibly allowing companies to replace expensive MPLS lines with low-cost Internet access. But, are they …
Powerful tools can do wonders, but only in the right hands.  Nowhere is this more obvious than with the cloud.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question