Problems adding NAT rule

Answered Question
Sep 3rd, 2010

Good morning,

I am trying to set up a NAT rule to enable connections to the VPN server from the outside on my ASA 5505. I have already configured a LAN-to-LAN VPN, which is working fine; however, after adding the following static NAT rule I lost connectivity with the LAN-to-LAN VPN.

static (inside,outside)  interface 192.168.1.211 netmask 255.255.255.255 tcp 0 0 udp 0

After applying, I get this error:

WARNING: static redirecting all traffics at outside interface;
WARNING: all services terminating at outside interface are disabled.

The scenario is:

2 interfaces (inside, outside)

VPN machine that will accept connections: 192.168.1.211

I am trying to forward all the VPN traffic from outside to the VPN machine

My configuration at this moment is as follows:

access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.0.0

access-list outside_access_in extended permit gre any 83.244.x.x 255.255.255.224

access-list outside_access_in extended permit gre any host 192.168.1.211

access-list outside_access_in extended permit tcp any 83.244.x.x 255.255.255.224 eq pptp

nat (inside) 0 access-list 101
nat (inside) 1 192.168.1.0 255.255.255.0
static (outside,inside) tcp 192.168.1.203 3389 83.244.x.x 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside

How can I configure it to make both of my VPN connections work?
I am using the ASDM since I am not an expert on this.
Thank you for your help! Much appreciated.

Regards,

Robert
Correct Answer
Jennifer Halim Fri, 09/03/2010 - 04:39

VPN runs on specific ports/protocols, so you would only need to redirect specific ports, as you can't configure static one-to-one NAT if you are using the ASA outside interface IP address for NATing.

Based on the configuration, I assume that you would like to redirect your PPTP traffic? If this is correct, here is what you would need to configure:

static (inside,outside) tcp interface 1723 192.168.1.211 1723 netmask 255.255.255.255

and you would also need to enable PPTP inspection.

Alternatively, if you have a spare public IP address that you would like to use, then you can configure static 1-to-1 NAT:

static (inside,outside) 83.244.x.x 192.168.1.211

Hope that helps.

robertovd Fri, 09/03/2010 - 05:16

Thanks a lot for your fast response halijenn.

I've just added the Static NAT rule.

For the PPTP inspection, for which interface do I have to enable it? Inside or outside?


Thanks!


Robert

Jennifer Halim Fri, 09/03/2010 - 05:31

Please enable it globally.

From ASDM: Configuration --> Firewall --> Service Policy Rules --> highlight "Inspection_Default" --> edit button --> go to "Rule Actions" tab --> tick "PPTP" --> OK --> Apply

Hope that helps.

robertovd Fri, 09/03/2010 - 05:36

Great! Done!


Thank you!! Will inform you on the results


Robert
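
Added example, not part of the original thread: a small Python check that scans a pre-8.3 ASA configuration for the two conditions discussed above, a `static` that hands the whole outside interface address to one host, and a TCP/1723 port redirect without `inspect pptp`. The function name, finding codes and sample configs are constructed for illustration; the sample lines reuse the commands quoted in the thread plus the default `global_policy` / `inspection_default` names.

```python
import re

# Pre-8.3 syntax as used in the thread:
#   static (real_if,mapped_if) [tcp|udp] mapped [port] real [port] ...
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\)\s+(?:(tcp|udp)\s+)?(\S+)\s+(.*)$")


def audit_statics(config):
    """Return (code, line) findings for a pre-8.3 ASA config given as text."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    pptp_inspected = "inspect pptp" in lines
    findings = []
    for line in lines:
        m = STATIC_RE.match(line)
        if not m:
            continue
        _real_if, _mapped_if, proto, mapped, rest = m.groups()
        if mapped != "interface":
            continue  # dedicated mapped address, e.g. the 1-to-1 alternative
        if proto is None:
            # Whole interface address mapped to one host: the rule that produced
            # "all services terminating at outside interface are disabled".
            findings.append(("ALL-TRAFFIC", line))
        elif proto == "tcp" and rest.split()[0] in ("1723", "pptp"):
            # Port redirect for the PPTP control channel; the answer in the
            # thread says PPTP inspection must be enabled alongside it.
            if not pptp_inspected:
                findings.append(("NO-PPTP-INSPECT", line))
    return findings


# Constructed sample configs built from the commands quoted in the thread.
BEFORE = """
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside)  interface 192.168.1.211 netmask 255.255.255.255 tcp 0 0 udp 0
"""
AFTER = """
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) tcp interface 1723 192.168.1.211 1723 netmask 255.255.255.255
policy-map global_policy
 class inspection_default
  inspect pptp
"""

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_statics(cfg))
```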
