I have a feeling I'm trying to bypass the primary functionality of an ASA, but I might as well pose the questions.
I've got an existing home-office lab network that relies on a Netscreen device as the firewall, using it to map a variety of lab servers/services to the public netblock I have from my ISP. I am installing the ASA for two reasons - testing IPSec VPN & testing SSL VPN.
I was hoping to configure up only an 'inside' network interface on the ASA for the home-office/lab network, map the private IP to an available public IP via the Netscreen, and then configure firewall policy on the Netscreen to allow the necessary ports/protocols for IPSec VPN/SSL VPN.
Every piece of documentation I'm finding seems to indicate that the ASA's 'outside' interface has to be configured on a different network for, really, any of its features to work.
Can someone help me shed some light - is it possible for the ASA to support incoming VPN connections if only an 'inside' interface is configured?
I'm just not interested in setting up another firewall (the ASA) or replacing the existing Netscreen.
Thanks for the reply and confirmation Nagaraja, appreciate it. Let me make sure I understand what you're saying...I'm a bit of a rookie working with Cisco hardware.
Yes, you can configure only one interface (you can call it inside or outside, doesn't matter) and terminate the VPN connection on that.
The ASA is wired up on Ethernet 0/1. I'm going to refer to the interface as 'inside' & it has an IP of 10.0.20.47 on my LAN. The Netscreen device maps UDP 4500/500/10000 from the private IP to the public IP 72.214.13.XX.
You need to make sure that -
1. Proper NAT is configured for the VPN traffic to exit out of the firewall and access your internal resources.
2. You need to configure "global (outside) 1 interface" followed by "nat (outside) 1 0.0.0.0 0.0.0.0".
3. Or if you are not intending to use NAT, then "nat (outside) 0 0.0.0.0 0.0.0.0".
Honestly, I don't know that NAT will be necessary. So in my case, use 'inside' instead and execute similar commands from CLI?
4. You have enabled the "same-security-traffic permit intra-interface" command on the firewall.
Interesting, I'll look up the equivalent action in ASDM as well.
5. You have configured your outer firewall such that all IPSec traffic is entering without any modifications.
6. You have one-to-one NAT configured for the ASA IP on the outer firewall.
I believe 5 & 6 are accomplished already; see the statement above about mapping the UDP ports.
7. ASA has proper routing information so it can talk to internal hosts as well as external devices.
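As an added example that is not part of the original thread or Nagaraja's reply, here is what steps 1 through 7 look like as a single-interface ASA configuration in the pre-8.3 syntax the reply uses (8.0/8.2). Only the values quoted in the thread are taken from it (Ethernet0/1, the name 'inside', 10.0.20.47, and the UDP 500/4500/10000 forwards on the Netscreen); the /24 mask, the Netscreen's LAN address 10.0.20.1, the client pool 10.0.30.0/24, and the names VPNPOOL, RA-GROUP, RA-POLICY, DYNMAP and VPNMAP are assumptions chosen for illustration. The pre-shared key is a placeholder.

```cisco
! Only one interface is configured; everything (VPN clients, LAN hosts,
! and the default route) lives behind it. Mask and gateway are assumed.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.20.47 255.255.255.0
 no shutdown
!
! Step 7: one default route via the Netscreen's LAN address (assumed 10.0.20.1)
! lets the ASA reach both internal hosts and remote VPN peers.
route inside 0.0.0.0 0.0.0.0 10.0.20.1 1
!
! Step 4: decrypted client traffic arrives on 'inside' and must leave on 'inside'
! (hairpinning); without this the ASA drops it.
same-security-traffic permit intra-interface
!
! Step 3: no translation in either direction (identity NAT, pre-8.3 syntax).
nat (inside) 0 0.0.0.0 0.0.0.0
!
! Address pool handed to remote-access clients; must not overlap 10.0.20.0/24.
ip local pool VPNPOOL 10.0.30.1-10.0.30.50 mask 255.255.255.0
!
! IPsec remote access terminated on the single interface. NAT-T is required
! because the Netscreen is translating 10.0.20.47 to the public address,
! so ESP has to be carried in UDP 4500 (which step 6 forwards).
crypto isakmp enable inside
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYNMAP 10 set transform-set ESP-AES256-SHA
crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map VPNMAP interface inside
!
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 vpn-tunnel-protocol IPSec webvpn
tunnel-group RA-GROUP type remote-access
tunnel-group RA-GROUP general-attributes
 address-pool VPNPOOL
 default-group-policy RA-POLICY
tunnel-group RA-GROUP ipsec-attributes
 pre-shared-key <group-psk-placeholder>
!
! SSL VPN on the same interface; the Netscreen must also forward TCP 443
! to 10.0.20.47 for this to be reachable from outside.
webvpn
 enable inside
```

Two things to check beyond the ASA itself. First, return traffic: LAN hosts whose default gateway is the Netscreen will send replies for 10.0.30.0/24 to the Netscreen, so the Netscreen (or each host) needs a route for the pool pointing at 10.0.20.47, or the pool traffic never gets back into the tunnel. Second, because the Netscreen's forward is a port mapping rather than a full one-to-one NAT, anything not in the forwarded set (plain ESP, protocol 50, for example) is silently dropped, which is why NAT-T over UDP 4500 must be left enabled on both the ASA and the clients. `show crypto isakmp sa` and `show crypto ipsec sa` on the ASA confirm that phase 1 and phase 2 are coming up over UDP 4500 after the first client connects.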