Re-direct DMZ IP Back to Outside Interface

terrygwazdosky · ‎08-16-2010

My current setup has an ASA and a VPN3k with a public IP in the DMZ. I've successfully tested using the ASA to terminate VPN connections and am planning on how best to retire the VPN3k.

Here is an example using private range IPs to represent the public IPs:

VPN3k IP - 192.168.100.1

ASA outside interface IP - 192.168.0.1

As a temporary measure could I re-direct traffic bound for the VPN3k's public IP to to the ASA's outside interface IP so that the ASA will then terminate the VPN connections? I realize I'll have to re-create the groups on the VPN3k to tunnel groups on the ASA. I'm thinking something like this:

static (DMZ,outside) interface 192.168.100.1 netmask 255.255.255.255

Will this work?

Loren Kolnes · ‎08-19-2010

Hi,

This would require that IPSec and ISAKMP be disabled on the ASA completely and that the 3K setup for nat traversal.

If the tunnel requires the use of ESP, protocol 50, then this will not work.

You would need to create a prot map for each protocol, so in this case UDP/500 and UDP/4500.

static (inside,outside) udp interface isakmp 192.168.100.1 isakmp netmask 255.2552.255.255

static (inside,outside) udp interface 4500 192.168.100.1 4500 netmask 255.255.255.255

Hope this helps.

terrygwazdosky · ‎08-20-2010

Thanks for the reply. Unfortunately ESP is a necessity so this won't work for me. The TAC came up with a fairly complicated scheme to accomplish this, but I fell back to using the VPN3k to push new config files to the clients.

Nagaraja Thanthry · ‎08-20-2010

Hello,

I don't think you can make the connections terminate on the outside of the ASA for a different IP other than the interface IP. You have one of the two options:

1. Keep the 3K

2. Change the IP of the ASA outside interface to that of 3K

Hope this helps.

Regards,

NT