
VPN and DMZ at same time with one public IP / ASA5505

tswinfo01
Level 1

Hi,

my network layout is like this:

To reach my webserver I made a static NAT rule for DMZ webserver/outside. Since then it is no longer possible to build an IPsec connection from my iPhone to the inside network.

What can I do?

regards

Jürgen



5 Replies

Marvin Rhoads
Hall of Fame

For SSL VPN to work, the ASA uses tcp/443 on the outside interface.

You'll need to either use a second public IP for your web server NAT or else map it to a port other than 443. 

Thanks for your answer! My web server NAT is mapped to port 80 - I think, because it works. Look at tsw22.i234.me.

When I look at the exempt rule for VPN there is no possibility for port mapping. See here: ...Attachment


What settings do I have to make for VPN port mapping?

regards

Jürgen

I should be more precise. What I mean is that when configuring your rule and access-list for the web server, we tell it to use only one port and redirect it to something other than 443 (PAT) instead of the entire address (static NAT), which includes all ports.

So for instance, if your web server was listening on port 443, we would instead have incoming requests be on 4443 via the following object NAT and access-list:

    object network tswebserver
      host 1.1.1.1
      description test
      nat (dmz,outside) static interface service tcp 443 4443

    access-list outside_access_in line 1 extended permit tcp any object tswebserver eq 4443

If you are only serving up http (tcp/80) then you don't need the service bit in the nat rule and replace all the 4443 in the access-list with 80.
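As an added example (my own, not from this thread or from Cisco), a small Python check that parses object NAT lines of the form shown above and flags any rule that would take over a port the ASA's own remote-access VPN listens on. The thread only mentions tcp/443; treating udp/500 and udp/4500 (IKE and NAT-T) as VPN ports is an assumption added here.

```python
import re
# Ports the ASA itself terminates on the outside interface. tcp/443 (SSL VPN)
# is what the thread states; udp/500 (IKE) and udp/4500 (NAT-T) are the
# standard IPsec ports and are an assumption added here, not from the thread.
ASA_VPN_PORTS = {("tcp", 443), ("udp", 500), ("udp", 4500)}

OBJ_RE = re.compile(r"^\s*object network (\S+)\s*$")
NAT_RE = re.compile(
    r"^\s*nat \((?P<real>\w+),(?P<mapped>\w+)\) static interface"
    r"(?: service (?P<proto>tcp|udp) (?P<rport>\d+) (?P<mport>\d+))?\s*$"
)

def parse_object_nat(config):
    """One dict per 'nat ... static interface' line under an 'object network'
    block; a whole-address rule (no 'service' part) has proto None."""
    rules, obj = [], None
    for line in config.splitlines():
        m = OBJ_RE.match(line)
        if m:
            obj = m.group(1)
            continue
        m = NAT_RE.match(line)
        if m and obj:
            rules.append({"object": obj, "mapped_if": m["mapped"], "proto": m["proto"],
                          "mapped_port": int(m["mport"]) if m["mport"] else None})
    return rules

def vpn_conflicts(rules):
    """(object, reason) for each rule that takes a port the VPN endpoint needs."""
    findings = []
    for r in rules:
        if r["mapped_if"] != "outside":
            continue
        if r["proto"] is None:
            findings.append((r["object"], "whole-address static NAT on the interface "
                                          "IP claims every port, tcp/443 included"))
        elif (r["proto"], r["mapped_port"]) in ASA_VPN_PORTS:
            findings.append((r["object"], "mapped port %s/%d is used by the ASA for "
                                          "remote-access VPN" % (r["proto"], r["mapped_port"])))
    return findings

# Constructed sample: the whole-address rule that broke the VPN, then the
# port-mapped (PAT) rule from the accepted answer.
BROKEN = "object network tswebserver\n host 1.1.1.1\n nat (dmz,outside) static interface\n"
FIXED = ("object network tswebserver\n host 1.1.1.1\n"
         " nat (dmz,outside) static interface service tcp 443 4443\n")

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, vpn_conflicts(parse_object_nat(cfg)) or "no VPN port conflict")
```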

Thank you very much!

I will test.

Regards

Jürgen

It works - thank you again!

Regards

Jürgen
