VPN pass thru ASA to a third party box

mightyteegar
Level 1

Our customer has an ASA 5505 Sec Plus connected to their WAN with two networks behind it: the customer's internal network and a vendor-provided and -managed network.  The vendor wants to set up their own Fortigate box to provide VPN access into their network.  They need a WAN IP address for the Fortigate and we plan to assign them an address of 20.20.20.4 (not the real address, of course).  We have free ports on the ASA so I plan to tell the vendor to use port #5. 

How do I configure the ASA to pass all traffic destined for 20.20.20.4 to this box with no restrictions? 

TIA

6 Replies

Prashant Joshi
Cisco Employee

Hi,

What subnet do you have on your vendor-provided network, I mean private or public? If it is private then you need to configure one-to-one NAT from one of the free ASA routable IPs to the Fortigate private IP and allow the specific ports needed (4500, 500).

If it is routable IP subnet, then you just need to allow specific ports on ASA.

Thanks,

Prashant Joshi

The vendor LAN is a private 10.x.x.x space.  It will end up behind the Fortigate with the FG as the default gateway for the vendor LAN.  The FG WAN port will take IP address 20.20.20.4 so I want to tell the ASA "anything destined for that WAN address just send it to the Fortigate and let it handle filtering". 

Hi,

If it's the same ISP, you need to configure port #5 of your ASA 5505 to be in the same outside VLAN (internet connection); the Fortigate will have IP 20.20.20.4 and the same gateway as the ASA (ISP router).

Vlan30                      10.10.10.10     YES CONFIG up                    up
Vlan20                       20.20.20.2       YES CONFIG up                    up

Vlan30                       inside                   100
Vlan20                       outside                    0

interface Ethernet0/5
 switchport access vlan 20

Thanks,

Prashant Joshi

Prashant, I apologize, I should have mentioned this additional information before. We're working with two ISP IP spaces: one is the aforementioned 20.20.20.x network, which is a /27 and is our "usable address space", but there is also a 100.100.100.x/30 network that only contains the ASA outside VLAN interface (.2) and the ISP gateway's interface (.1).

All traffic destined for the 20.20.20.x/27 network arrives on the outside port -- I confirm this in the ASDM logs. However, the actual outside VLAN interface address is 100.100.100.2. I wouldn't be able to put the Fortigate in the outside VLAN, would I?

In that case we need to configure one more VLAN Y on the ASA with one of the free IPs in the 20.x subnet, then connect your FG firewall to an ASA port (configured as access VLAN Y), and then create an ACL to allow traffic to the FG firewall.

We need to create an identity static NAT  for FG FW IP as well.

static (dmz,outside) 20.20.20.x 20.20.20.x netmask 255.255.255.255

where 20.20.20.x  is the FG FW IP

Thanks,

Prashant Joshi
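The configuration below is an added worked example of the plan described in this thread (new VLAN on the ASA inside the 20.20.20.0/27 block, port 5 as an access port in that VLAN, identity static NAT for the Fortigate, ACL permitting only IPsec VPN traffic to it); it is not the poster's config and was not taken from the thread. It assumes ASA 8.2-style syntax (matching the `static (dmz,outside)` form used above), VLAN id 40 and interface name `dmz`, 20.20.20.3 as the ASA's own address in that VLAN, 20.20.20.4 for the Fortigate, the /27 mask 255.255.255.224, and an ACL name `outside_access_in`; all of those values are placeholders chosen here.

```cisco
! Added example, not from the thread. Assumed: VLAN 40, nameif "dmz",
! ASA address 20.20.20.3/27 on that VLAN, Fortigate WAN at 20.20.20.4.
! The mask must be the real /27 (255.255.255.224), not a /24.
interface Vlan40
 nameif dmz
 security-level 50
 ip address 20.20.20.3 255.255.255.224
!
! Port 5 becomes the Fortigate uplink, access port in the new VLAN.
interface Ethernet0/5
 switchport access vlan 40
 no shutdown
!
! Identity static so 20.20.20.4 is reachable from outside untranslated
! (host mask, netmask keyword required in 8.2 syntax).
static (dmz,outside) 20.20.20.4 20.20.20.4 netmask 255.255.255.255
!
! Inbound from the Internet: only what an IPsec VPN endpoint needs
! (IKE udp/500, NAT-T udp/4500, ESP). Replace these three lines with
! "permit ip any host 20.20.20.4" only if the vendor truly needs every
! port forwarded; the narrow rule keeps the ASA doing useful filtering.
access-list outside_access_in extended permit udp any host 20.20.20.4 eq isakmp
access-list outside_access_in extended permit udp any host 20.20.20.4 eq 4500
access-list outside_access_in extended permit esp any host 20.20.20.4
access-group outside_access_in in interface outside
```

Two points to check after applying it: the ISP must already be routing 20.20.20.0/27 to the ASA's 100.100.100.2 outside address (the ASDM logs above confirm that), and the dmz security-level of 50 means the vendor LAN behind the Fortigate cannot initiate connections to the customer's inside network unless a separate ACL on the dmz interface permits it, which is usually the desired isolation between the two networks.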

Prashant, this makes sense.  The vendor will be shipping the VPN box out next week so if all goes well I will update your answer as Correct.
