Problems adding NAT rule

robertovd
Level 1

Good morning,

I am trying to set up a NAT rule to enable connections to the VPN server from the outside on my ASA 5505. I already have a LAN-to-LAN VPN configured, which is working fine; however, after adding the following static NAT rule I lost connectivity on the LAN-to-LAN VPN.

static (inside,outside)  interface 192.168.1.211 netmask 255.255.255.255 tcp 0 0 udp 0

After applying, I get this error:

WARNING: static redirecting all traffics at outside interface;
WARNING: all services terminating at outside interface are disabled.

The scenario is:

2 interfaces (inside, outside)

VPN machine that will accept connections: 192.168.1.211

I am trying to forward all the VPN traffic from outside to the VPN machine

My configuration at this moment is as follows:

access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.0.0

access-list outside_access_in extended permit gre any 83.244.x.x 255.255.255.224

access-list outside_access_in extended permit gre any host 192.168.1.211

access-list outside_access_in extended permit tcp any 83.244.x.x 255.255.255.224 eq pptp

nat (inside) 0 access-list 101
nat (inside) 1 192.168.1.0 255.255.255.0
static (outside,inside) tcp 192.168.1.203 3389 83.244.x.x 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
How can I configure it so that both of my VPN connections work?
I am using the ASDM since I am not an expert on this.
Thank you for your help! Much appreciated

Regards,

Robert

Accepted Solution
Jennifer Halim
Cisco Employee

VPN runs on specific ports/protocols, so you would only need to redirect specific ports, as you can't configure a static one-to-one translation if you are using the ASA outside interface IP address for NATing.

Based on the configuration, I assume that you would like to redirect your PPTP traffic? If this is correct, here is what you would need to configure:

static (inside,outside) tcp interface 1723 192.168.1.211 1723 netmask 255.255.255.255

and you would also need to enable PPTP inspection.

Alternatively, if you have spare public ip address that you would like to use, then you can configure static 1 to 1 NAT:

static (inside,outside) 83.244.x.x 192.168.1.211

Hope that helps.


Thanks a lot for your fast response halijenn.

I've just added the Static NAT rule.

For the PPTP inspection, on which interface do I have to enable it, inside or outside?


Thanks!


Robert

Please enable it globally.

From ASDM: Configuration --> Firewall --> Service Policy Rules --> highlight "Inspection_Default" --> edit button --> go to "Rule Actions" tab --> tick "PPTP" --> OK --> Apply

Hope that helps.
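The following is an added example, not configuration from the original thread or from Cisco: it pulls the accepted answer and the ASDM step above together as the equivalent pre-8.3 CLI, so the fix can be checked against what the ASA actually ends up running. It assumes the interface names inside/outside and the ACL name outside_access_in from the question; OUTSIDE_IP and 83.244.x.y are placeholders for the ASA's public address and a spare public address, since the thread masks them.

```cisco
! Added example (not from the original thread). Pre-8.3 static/nat syntax,
! matching the configuration in the question; ASA 8.3+ uses object NAT instead.

! The line from the question that broke the LAN-to-LAN VPN. It names no port,
! so it redirects every TCP/UDP flow arriving at the outside address to the
! VPN host and, as the warning says, disables every service terminating on the
! outside interface, which includes the ASA's own IPsec listener (UDP 500/4500).
!   static (inside,outside) interface 192.168.1.211 netmask 255.255.255.255 tcp 0 0 udp 0
! Remove it:
no static (inside,outside) interface 192.168.1.211 netmask 255.255.255.255 tcp 0 0 udp 0

! Forward only the PPTP control channel (TCP 1723) to the VPN host. The
! LAN-to-LAN tunnel keeps terminating on the ASA because nothing else is redirected.
static (inside,outside) tcp interface 1723 192.168.1.211 1723 netmask 255.255.255.255

! Permit the control channel inbound. On pre-8.3 code an ACL applied inbound on
! the outside interface matches the mapped (public) address, so the destination
! is the interface address, not the inside host. Replace 'any' with the
! addresses of the remote PPTP clients if they are known.
access-list outside_access_in extended permit tcp any interface outside eq pptp
access-group outside_access_in in interface outside

! GRE carries the PPTP data channel and has no ports to translate. PPTP
! inspection watches the TCP 1723 control channel and dynamically creates the
! GRE connection and translation for each call, so no GRE static is needed.
! This is the CLI behind ASDM's Inspection_Default -> "PPTP" checkbox and is
! global, which is why the answer says not to pick an interface:
policy-map global_policy
 class inspection_default
  inspect pptp
service-policy global_policy global

! Alternative from the answer if a spare public address (83.244.x.y, placeholder)
! is available: a one-to-one static, which needs no per-port entries.
!   static (inside,outside) 83.244.x.y 192.168.1.211 netmask 255.255.255.255

! Verification:
show service-policy inspect pptp
show xlate | include 1723
! Simulate an inbound PPTP SYN from a test client (203.0.113.10 is an RFC 5737
! documentation address; OUTSIDE_IP is a placeholder for the ASA's public address):
packet-tracer input outside tcp 203.0.113.10 40000 OUTSIDE_IP 1723
```

The packet-tracer run should show the NAT phase translating OUTSIDE_IP:1723 to 192.168.1.211:1723 and the ACCESS-LIST phase matching the new ACE; if it is dropped in the NAT phase, the broken port-less static is still present. PPTP with MS-CHAPv2 is itself a weak protocol, and this only shows how to pass it through the ASA without losing the IPsec LAN-to-LAN tunnel.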

Great! Done!


Thank you!! Will inform you on the results


Robert
