09-03-2010 03:51 AM - edited 03-11-2019 11:34 AM
Good morning,
I am trying to set up a NAT rule to enable connections to the VPN server from the outside on my ASA 5505. I have already configured a LAN-to-LAN VPN, which is working fine; however, after adding the following static NAT rule I lost connectivity with the LAN-to-LAN VPN.
static (inside,outside) interface 192.168.1.211 netmask 255.255.255.255 tcp 0 0 udp 0
After applying, I get this error:
WARNING: static redirecting all traffics at outside interface;
WARNING: all services terminating at outside interface are disabled.
The scenario is:
2 interfaces (inside, outside)
VPN machine that will accept connections: 192.168.1.211
I am trying to forward all the VPN traffic from outside to the VPN machine
My configuration at this moment is as follows:
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list outside_access_in extended permit gre any 83.244.x.x 255.255.255.224
access-list outside_access_in extended permit gre any host 192.168.1.211
access-list outside_access_in extended permit tcp any 83.244.x.x 255.255.255.224 eq pptp
09-03-2010 04:39 AM
VPN runs on specific ports/protocols, so you would only need to redirect specific ports, as you can't configure static one-to-one if you are using the ASA outside interface IP address for NATing.
Based on the configuration, I assume that you would like to redirect your PPTP traffic? If this is correct, here is what you would need to configure:
static (inside,outside) tcp interface 1723 192.168.1.211 1723 netmask 255.255.255.255
and you would also need to enable PPTP inspection.
Alternatively, if you have a spare public IP address that you would like to use, then you can configure static 1-to-1 NAT:
static (inside,outside) 83.244.x.x 192.168.1.211
Hope that helps.
09-03-2010 05:16 AM
Thanks a lot for your fast response halijenn.
I've just added the Static NAT rule.
For the PPTP inspection, for which interface do I have to enable it? Inside or outside?
Thanks!
Robert
09-03-2010 05:31 AM
Please enable it globally.
From ASDM: Configuration --> Firewall --> Service Policy Rules --> highlight "Inspection_Default" --> edit button --> go to "Rule Actions" tab --> tick "PPTP" --> OK --> Apply
Hope that helps.
09-03-2010 05:36 AM
Great! Done!
Thank you!! Will inform you of the results.
Robert
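The change discussed in this thread, collected as one CLI sequence. This is an added example, not text from either poster; it assumes the pre-8.3 `static` syntax used above and the default `global_policy` / `inspection_default` names that ASDM shows as "Inspection_Default".

```cisco
! BEFORE (from the original post): redirects every TCP/UDP port arriving on
! the outside interface to 192.168.1.211. The ASA warns that all services
! terminating at the outside interface are disabled, which is why the
! LAN-to-LAN VPN terminating on that interface stopped working.
no static (inside,outside) interface 192.168.1.211 netmask 255.255.255.255 tcp 0 0 udp 0

! AFTER: forward only the PPTP control channel (TCP 1723) to the VPN host.
! Everything else addressed to the outside interface still reaches the ASA.
static (inside,outside) tcp interface 1723 192.168.1.211 1723 netmask 255.255.255.255

! Enable PPTP inspection globally (CLI equivalent of the ASDM steps above).
! Inspection follows the TCP 1723 control channel and handles the related
! GRE data session through the port translation.
policy-map global_policy
 class inspection_default
  inspect pptp

! The outside_access_in entries already listed in the question
! (permit tcp ... eq pptp, permit gre ...) stay as they are. Assumption:
! that ACL is bound to the outside interface with an access-group statement,
! which the posted configuration does not show.

! Checks after applying:
! only the tcp/1723 static should remain
show running-config static
! PPTP inspection is active and counting packets
show service-policy inspect pptp
! the LAN-to-LAN tunnel negotiates again
show crypto isakmp sa
```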