Our customer has an ASA 5505 Sec Plus connected to their WAN with two networks behind it: the customer's internal network and a vendor-provided and -managed network. The vendor wants to set up their own Fortigate box to provide VPN access into their network. They need a WAN IP address for the Fortigate and we plan to assign them an address of 18.104.22.168 (not the real address, of course). We have free ports on the ASA so I plan to tell the vendor to use port #5.
How do I configure the ASA to pass all traffic destined for 22.214.171.124 to this box with no restrictions?
What subnet do you have on your vendor-provided network, I mean private or public? If it is private then you need to configure one-to-one NAT from one of the free ASA routable IPs to the Fortigate private IP and allow the specific ports needed (4500, 500).
If it is routable IP subnet, then you just need to allow specific ports on ASA.
The vendor LAN is a private 10.x.x.x space. It will end up behind the Fortigate with the FG as the default gateway for the vendor LAN. The FG WAN port will take IP address 126.96.36.199 so I want to tell the ASA "anything destined for that WAN address just send it to the Fortigate and let it handle filtering".
Prashant, I apologize, I should have mentioned this additional information before. We're working with two ISP IP spaces: one is the aforementioned 20.20.20.x network which is a /27 and is our "usable address space", but there is also a 100.100.100.x/30 network that only contains the ASA outside VLAN interface (.2) and the ISP gateway's interface (.1).
All traffic destined for the 20.20.20.x/27 network arrives on the outside port -- I confirm this in the ASDM logs. However, the actual outside VLAN interface address is 100.100.100.2. I wouldn't be able to put the Fortigate in the outside VLAN, would I?
In that case we need to configure one more VLAN Y on the ASA with one of the free IPs in the 20.x subnet, then connect your FG firewall to an ASA port (configured as access VLAN Y), and then create an ACL to allow traffic to the FG firewall.
We need to create an identity static NAT for the FG firewall's IP as well.
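The steps in the reply above (new VLAN carrying the routed /27, the free switchport placed in that VLAN, an identity static NAT for the Fortigate's public address, and an inbound ACL) as one worked ASA configuration. This is an added example, not configuration posted in the thread. It assumes ASA 8.3 or later NAT syntax, that the routed block is 20.20.20.0/27, that 20.20.20.3 is free for the ASA's side of the new VLAN and 20.20.20.4 is the address handed to the Fortigate WAN port (the Fortigate then uses 20.20.20.3 as its default gateway), and that Ethernet0/5 is the free switchport; the VLAN number, interface name and addresses are all assumptions, not values from the thread.

```cisco
! Added example, not from the original thread. Assumes ASA 8.3+ NAT syntax,
! 20.20.20.0/27 as the ISP-routed block, 20.20.20.3 (ASA) and 20.20.20.4 (FG)
! as free addresses in it, and Ethernet0/5 as the spare switchport.

! 1. New VLAN interface that carries the routed /27 towards the Fortigate.
interface Vlan10
 nameif vendor-fg
 security-level 50
 ip address 20.20.20.3 255.255.255.224

! 2. Put the spare switchport in that VLAN and hand it to the vendor.
interface Ethernet0/5
 switchport access vlan 10
 no shutdown

! 3. Identity static NAT: the Fortigate's public address leaves and
!    arrives untranslated, so the ASA only routes it.
object network FG-WAN
 host 20.20.20.4
 nat (vendor-fg,outside) static 20.20.20.4

! 4. Inbound ACL on the outside interface. In 8.3+ the ACL uses the real
!    (untranslated) address. "permit ip any" matches the question:
!    let the Fortigate do its own filtering.
access-list OUTSIDE-IN extended permit ip any object FG-WAN
access-group OUTSIDE-IN in interface outside

! Restrictive alternative, if only the VPN should be reachable:
!   access-list OUTSIDE-IN extended permit udp any object FG-WAN eq 500
!   access-list OUTSIDE-IN extended permit udp any object FG-WAN eq 4500
!   access-list OUTSIDE-IN extended permit esp any object FG-WAN
```

Two checks before handing the port over: `show nat` should list the identity rule with no translation, and `packet-tracer input outside udp 203.0.113.10 500 20.20.20.4 500` (203.0.113.10 being an arbitrary test source) should end with `Action: allow` and egress interface `vendor-fg`. If the `access-group ... in interface outside` line already exists for another ACL, add the `permit` entries to that ACL instead of binding a second one, since an interface holds only one inbound ACL. Pick addresses in the /27 that are not already used as NAT mappings for other internal hosts, so the new connected route does not overlap existing translations.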