New Member

ASA 5505 behind other firewall

I have a feeling I'm trying to bypass the primary functionality of an ASA..but might as well pose the questions.

I've got an existing home-office lab network that relies on a Netscreen device as the firewall, using it to map a variety of lab servers/services to the public netblock I have from my ISP.  I am installing the ASA for two reasons - testing IPSec VPN & testing SSL VPN.

I was hoping to configure up only an 'inside' network interface on the ASA for the home-office/lab network, map the private IP to an available public IP via the Netscreen, and then configure firewall policy on the Netscreen to allow the necessary ports/protocols for IPSec VPN/SSL VPN.

Every piece of documentation I'm finding seems to indicate that the ASA's 'outside' interface has to be configured on a different network for, really, any of it's features to work.

Can someone help me shed some light - is it possible for the ASA to support incoming VPN connections if only an 'inside' interface is configured?

I'm just not interested in setting up another firewall (the ASA) or replacing the existing Netscreen.

Thanks for your insight.

3 REPLIES
Cisco Employee

Re: ASA 5505 behind other firewall

Hello,

Yes, you can configure only one interface (you can call it inside or outside, doesn't matter) and terminate the VPN connection on that. You need to make sure that

- Proper NAT is configured for the VPN traffic to exit out of the firewall and access your internal resources (you need to configure "global (outside) 1 interface" followed by "nat (outside) 1 0.0.0.0 0.0.0.0" or if you are not intending to use NAT, then "nat (outside) 0 0.0.0.0 0.0.0.0")
- You have enabled "same-security-traffic permit intra-interface" command on the firewall
- You have configured your outer firewall such that all IPSec traffic is entering without any modifications. You have one-to-one NAT configured for the ASA IP on the outer firewall.
- ASA has proper routing information so it can talk to internal hosts as well as external devices

Hope this helps.

Regards,

NT

New Member

Re: ASA 5505 behind other firewall

Thanks for the reply and confirmation Nagaraja, appreciate it.  Let me make sure I understand what you're saying...I'm a bit of a rookie working with Cisco hardware.

Yes, you can configure only one interface (you can call it inside or outside, doesn't matter) and terminate the VPN connection on that.

The ASA is wired up on Ethernet 0/1.  I'm going to refer to the interface as 'inside' & it has an IP of 10.0.20.47 on my LAN.  The Netscreen device maps UDP 4500/500/10000 from the private IP to the public IP 72.214.13.XX.

You need to make sure that -

1. Proper NAT is configured for the VPN traffic to exit out of the firewall and access your internal resources.

2. You need to configure "global (outside) 1 interface" followed by "nat (outside) 1 0.0.0.0 0.0.0.0".

3. Or if you are not intending to use NAT, then "nat (outside) 0 0.0.0.0 0.0.0.0".

Honestly, I don't know that NAT will be necessary.  So in my case, use 'inside' instead and execute similar commands from CLI?

4. You have enabled "same-security-traffic permit intra-interface" command on the firewall

Interesting, I'll look up the equivalent action in ASDM as well.

5. You have configured your outer firewall such that all IPSec traffic is entering without any modifications.

6. You have one-to-one NAT configured for the ASA IP on the outer firewall.

I believe 5 & 6 are accomplished already, see above statement about mapping UDP ports.

7. ASA has proper routing information so it can talk to internal hosts as well as external devices.

How might I verify whether this is done or not?

Thanks again.

Cisco Employee

Re: ASA 5505 behind other firewall

Hello,

On the ASA, you need to have a route entry that points the default gateway to the netscreen device. Other than that, if you have any other subnets (internal to your network), proper route entries should be given on the firewall. You can check the connectivity by Ping or other tests.

Hope this helps.

Regards,

NT
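Putting NT's checklist and the routing answer together, here is an added example (not configuration from the thread or from Cisco) of a pre-8.3 ASA 5505 configuration that terminates the VPN on a single 'inside' interface behind the Netscreen. Assumed: a 10.0.20.0/24 LAN with the Netscreen's LAN-side address at 10.0.20.1 (both constructed; the thread gives only 10.0.20.47), and the interface name 'inside' from the poster's second message; the tunnel-group, address pool and crypto map are not discussed in the thread and are left out.

```cisco
! Added example, not from the thread. Pre-8.3 syntax, matching the
! "global"/"nat" commands NT quoted. LAN 10.0.20.0/24 and Netscreen
! address 10.0.20.1 are constructed assumptions.
!
! One interface only: switch port Ethernet0/1 belongs to VLAN 1, which
! carries the 'inside' name and the address the Netscreen forwards to.
interface Ethernet0/1
 switchport access vlan 1
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.20.47 255.255.255.0
!
! NT's item 4: VPN traffic arrives on 'inside' and must leave on 'inside'
! again, so the ASA has to be allowed to hairpin on the same interface.
same-security-traffic permit intra-interface
!
! NT's items 1-3, with 'inside' in place of 'outside' because that is the
! name the poster chose. Either PAT the VPN clients behind the ASA's own
! address ...
global (inside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
! ... or, if no translation is wanted, exempt everything instead:
! nat (inside) 0 0.0.0.0 0.0.0.0
!
! NT's item 7: default route points at the Netscreen. Any other internal
! subnets behind it would need their own "route inside ..." entries.
route inside 0.0.0.0 0.0.0.0 10.0.20.1 1
!
! The Netscreen forwards UDP 500 and 4500 to 10.0.20.47, so IKE and NAT
! traversal must be enabled on the single interface.
crypto isakmp enable inside
crypto isakmp nat-traversal 20
```

The "global"/"nat" form above is the pre-8.3 syntax used in the thread; ASA 8.3 and later replace it with object NAT, so the same intent needs different commands there. For the poster's question on item 7, "show route" should list the Netscreen address on the 0.0.0.0 0.0.0.0 entry, and "ping" to an internal host and to an external address checks both directions as NT suggests.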
