Cisco Support Community

New Member

VPN and DMZ at same time with one public IP / ASA5505

Hi,

my network layout is like this:

To reach my webserver I made a static NAT rule for DMZ webserver/outside. At this moment it is no longer possible to build an IPsec connection from my iPhone to the inside network.

What can I do?

regards

Jürgen

5 REPLIES
Hall of Fame Super Silver


For SSL VPN to work, the ASA uses tcp/443 on the outside interface.

You'll need to either use a second public IP for your web server NAT or else map it to a port other than 443. 

New Member


Thanks for your answer! My web server NAT is mapped to port 80, I think, because it works. Look at tsw22.i234.me.

When I look at the exempt rule for VPN there is no possibility for port mapping. See here: ...Attachment
What settings do I have to make for VPN port mapping?

regards

Jürgen

Hall of Fame Super Silver (accepted solution)


I should be more precise. What I mean is that when configuring your rule and access-list for the web server, we tell it to use only one port and redirect it to something other than 443 (PAT) instead of the entire address (static NAT), which includes all ports.

So for instance, if your web server was listening on port 443, we would instead have incoming requests be on 4443 via the following object NAT and access-list:

    object network tswebserver
     host 1.1.1.1
     description test
     nat (dmz,outside) static interface service tcp 443 4443

    access-list outside_access_in line 1 extended permit tcp any object tswebserver eq 4443

If you are only serving up HTTP (tcp/80) then you don't need the service part in the NAT rule, and you replace all the 4443 in the access-list with 80.
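
As an added example (not from the thread), a small Python checker that models what the answers explain: static NAT of the whole interface address captures every inbound port, including the ones the ASA's own VPN listeners need, while static PAT on a single port leaves them free. It assumes tcp/443 for SSL VPN as named above and adds udp/500 and udp/4500 (IKE and NAT-T) because the original poster connects with IPsec; 1.1.1.1 is the thread's own placeholder address.

```python
import re

# Ports the ASA itself listens on at the outside interface once VPN is enabled.
# tcp/443 is the SSL VPN port the accepted answer names; udp/500 (IKE) and
# udp/4500 (NAT-T) are assumed here because the original poster uses IPsec.
ASA_VPN_SERVICES = {
    ("tcp", 443): "SSL VPN",
    ("udp", 500): "IKE",
    ("udp", 4500): "IPsec NAT-T",
}

# Object NAT lines in the two shapes seen in the thread:
#   nat (dmz,outside) static interface                      -> whole address
#   nat (dmz,outside) static interface service tcp 443 4443 -> one port (static PAT)
NAT_RE = re.compile(r"^nat \((\w+),(\w+)\) static interface(?: service (tcp|udp) (\d+) (\d+))?$")


def vpn_conflicts(config_text, outside_if="outside"):
    """Return one message per NAT rule that would capture a port the VPN needs."""
    conflicts = []
    obj = "<no object>"
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            obj = line.split()[2]          # remember which object the NAT belongs to
            continue
        m = NAT_RE.match(line)
        if not m or m.group(2) != outside_if:
            continue
        proto, mapped_port = m.group(3), m.group(5)
        if proto is None:
            # Static NAT of the whole interface address forwards every inbound
            # port, so all of the ASA's own VPN listeners are shadowed at once.
            for (p, port), svc in ASA_VPN_SERVICES.items():
                conflicts.append(f"{obj}: whole-address static NAT captures {p}/{port} ({svc})")
        elif (proto, int(mapped_port)) in ASA_VPN_SERVICES:
            svc = ASA_VPN_SERVICES[(proto, int(mapped_port))]
            conflicts.append(f"{obj}: static PAT on {proto}/{mapped_port} collides with {svc}")
    return conflicts


# Constructed sample configs; 1.1.1.1 is the thread's own placeholder for the DMZ host.
BROKEN = "object network tswebserver\n host 1.1.1.1\n nat (dmz,outside) static interface\n"
FIXED = "object network tswebserver\n host 1.1.1.1\n nat (dmz,outside) static interface service tcp 443 4443\n"
HTTP80 = "object network tswebserver\n host 1.1.1.1\n nat (dmz,outside) static interface service tcp 80 80\n"
CLASH = "object network tswebserver\n host 1.1.1.1\n nat (dmz,outside) static interface service tcp 443 443\n"
```

Running `vpn_conflicts` over BROKEN reports all three VPN ports as captured, while FIXED and HTTP80 report nothing, and CLASH shows why a PAT onto tcp/443 itself would still break SSL VPN.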

New Member


Thank you very much!

I will test.

Regards

Jürgen

New Member


It works - thank you again!

Regards

Jürgen
