10-15-2014 08:12 AM - edited 03-11-2019 09:56 PM
Our customer has an ASA 5505 Sec Plus connected to their WAN with two networks behind it: the customer's internal network and a vendor-provided and -managed network. The vendor wants to set up their own Fortigate box to provide VPN access into their network. They need a WAN IP address for the Fortigate and we plan to assign them an address of 20.20.20.4 (not the real address, of course). We have free ports on the ASA so I plan to tell the vendor to use port #5.
How do I configure the ASA to pass all traffic destined for 20.20.20.4 to this box with no restrictions?
TIA
10-15-2014 10:54 PM
Hi,
What subnet do you have on your vendor-provided network, I mean private or public? If it is private, then you need to configure one-to-one NAT from one of the free ASA routable IPs to the Fortigate private IP and allow the specific ports needed (4500, 500).
If it is routable IP subnet, then you just need to allow specific ports on ASA.
Thanks,
Prashant Joshi
10-16-2014 07:24 AM
The vendor LAN is a private 10.x.x.x space. It will end up behind the Fortigate with the FG as the default gateway for the vendor LAN. The FG WAN port will take IP address 20.20.20.4 so I want to tell the ASA "anything destined for that WAN address just send it to the Fortigate and let it handle filtering".
10-16-2014 05:39 PM
Hi,
If it's the same ISP, you need to configure port #5 of your ASA 5505 to be in the same outside VLAN (internet connection), and the Fortigate will have IP 20.20.20.4 and the same gateway as the ASA (ISP router).
Vlan30 10.10.10.10 YES CONFIG up up
Vlan20 20.20.20.2 YES CONFIG up up
Vlan30 inside 100
Vlan20 outside 0
interface Ethernet0/5
switchport access vlan 20
Thanks,
Prashant Joshi
10-20-2014 07:29 AM
Prashant, I apologize, I should have mentioned this additional information before. We're working with two ISP IP spaces: one is the aforementioned 20.20.20.x network which is a /27 and is our "usable address space", but there is also a 100.100.100.x/30 network that only contains the ASA outside VLAN interface (.2) and the ISP gateway's interface (.1).
All traffic destined for the 20.20.20.x/27 network arrives on the outside port -- I confirm this in the ASDM logs. However, the actual outside VLAN interface address is 100.100.100.2. I wouldn't be able to put the Fortigate in the outside VLAN, would I?
10-20-2014 11:24 PM
In that case we need to configure one more VLAN Y on the ASA with one of the free IPs in the 20.x subnet, then connect your FG firewall to the ASA port (configured as access vlan Y), and then create an ACL to allow traffic to the FG firewall.
We need to create an identity static NAT for the FG FW IP as well.
static (dmz,outside) 20.20.20.x 20.20.20.x netmask 255.255.255.255
where 20.20.20.x is the FG FW IP
Thanks,
Prashant Joshi
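As an added example (not Prashant's or the original poster's configuration), the following shows how the three pieces in the answer above (a new DMZ VLAN on the free port, an identity static NAT for the Fortigate's public address, and an ACL on the outside interface) fit together on an ASA 5505. Everything specific is an assumption: VLAN 40 and the name "dmz" for the new VLAN, a /29 carved out of the routed 20.20.20.0/27 for that VLAN with the ASA taking 20.20.20.1 and the Fortigate 20.20.20.4, Ethernet0/5 as the free port, the ACL name OUTSIDE_IN, and ASA software 8.3 or later (object NAT syntax); the pre-8.3 equivalent is shown at the end. The ISP-facing side (Vlan20 outside, 100.100.100.2/30, default route to 100.100.100.1) is assumed to already exist as described in the thread and is not repeated.

```cisco
! --- Added example, not from the thread. All addresses/names are assumptions. ---
! Existing (assumed, already configured): outside = Vlan20 100.100.100.2/30,
! default route "route outside 0.0.0.0 0.0.0.0 100.100.100.1", and the ISP
! statically routing 20.20.20.0/27 to 100.100.100.2.

! 1. New DMZ VLAN on the free switch port. The Fortigate's WAN side now uses
!    20.20.20.1 (this interface) as its default gateway, not the ISP router.
!    Security level 50 means dmz can initiate to outside (0) but not to
!    inside (100) unless an ACL explicitly allows it.
interface Vlan40
 nameif dmz
 security-level 50
 ip address 20.20.20.1 255.255.255.248
!
interface Ethernet0/5
 switchport access vlan 40
 no shutdown
!
! 2. Identity static NAT (8.3+ object NAT). Real and mapped address are the
!    same; the rule exists so a catch-all dynamic PAT for "any" does not
!    translate the Fortigate's traffic on its way out.
object network FG_WAN
 host 20.20.20.4
 nat (dmz,outside) static 20.20.20.4
!
! 3. Inbound ACL on outside. Only what an IPsec VPN endpoint needs:
!    IKE (udp/500), NAT-T (udp/4500) and ESP. Add the vendor's actual VPN
!    protocol if it differs (e.g. tcp/443 for an SSL VPN portal).
!    If an access-group is already bound inbound on outside, add these
!    entries to that ACL instead of binding a second one.
access-list OUTSIDE_IN extended permit udp any host 20.20.20.4 eq isakmp
access-list OUTSIDE_IN extended permit udp any host 20.20.20.4 eq 4500
access-list OUTSIDE_IN extended permit esp any host 20.20.20.4
access-group OUTSIDE_IN in interface outside
!
! --- Pre-8.3 equivalent of step 2 (same meaning as the static in the answer above) ---
! static (dmz,outside) 20.20.20.4 20.20.20.4 netmask 255.255.255.255
```

Two points worth checking after applying this. First, `show nat` (or `show xlate` after a test connection) should list the 20.20.20.4 identity translation, and `show access-list OUTSIDE_IN` hit counts should increase when the vendor connects; if they stay at zero while ASDM logs show drops, the inbound traffic is being caught by a different ACL bound to outside. Second, the original request was "no restrictions", which would be a single `permit ip any host 20.20.20.4` line instead of the three above; that works, but it makes the Fortigate the only filter in front of the vendor network, so the port-specific version in the answer is the safer default and can be widened later if a particular VPN type needs it.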
10-24-2014 09:12 AM
Prashant, this makes sense. The vendor will be shipping the VPN box out next week so if all goes well I will update your answer as Correct.