Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

VPN pass thru ASA to a third party box

Our customer has an ASA 5505 Sec Plus connected to their WAN with two networks behind it: the customer's internal network and a vendor-provided and -managed network.  The vendor wants to set up their own Fortigate box to provide VPN access into their network.  They need a WAN IP address for the Fortigate and we plan to assign them an address of 20.20.20.4 (not the real address, of course).  We have free ports on the ASA so I plan to tell the vendor to use port #5. 

 

How do I configure the ASA to pass all traffic destined for 20.20.20.4 to this box with no restrictions? 

 

TIA

6 REPLIES
Cisco Employee

Hi, what subnet do you have

Hi,

 what subnet do you have on your vendor-provided network , I mean private or public.If it is private  then you need to configure  one to one NAT from one of the free ASA routable IP to Fortigate private IP  and allow specific ports needed (4500,500).

If it is routable IP subnet, then you just need to allow specific ports on ASA.

 

Thanks,

Prashant Joshi

 

New Member

The vendor LAN is a private

The vendor LAN is a private 10.x.x.x space.  It will end up behind the Fortigate with the FG as the default gateway for the vendor LAN.  The FG WAN port will take IP address 20.20.20.4 so I want to tell the ASA "anything destined for that WAN address just send it to the Fortigate and let it handle filtering". 

Cisco Employee

Hi,If its the same ISP, you

Hi,

If its the same ISP, you need to configure port #5  of  your ASA 5505 to be in the same outside VLAN (internet connection) and Fortigate will have IP 20.20.20.4  and gateway same as ASA (ISP router)

Vlan30                      10.10.10.10     YES CONFIG up                    up
Vlan20                       20.20.20.2       YES CONFIG up                    up

Vlan30                       inside                   100
Vlan20                       outside                    0

interface Ethernet0/5
 switchport access vlan 20

 

Thanks,

Prashant Joshi

New Member

Prashant,  I apologize, I

Prashant,  I apologize, I should have mentioned this additional information before.  We're working with two ISP IP spaces: one is the aforementioned 20.20.20.x network which is a /27 and is our "usable address space", but there is also a 100.100.100.x/30 network that only contains the ASA outside VLAN interface (.2) and the ISP gateway's interface (.1).  

 

All traffic destined for the 20.20.20.x/27 network arrives on the outside port  -- I confirm this in the ASDM logs.  However, the actual outside VLAN interface address is 100.100.100.2.  I wouldn't be able to put the Fortigate in the outside VLAN, would I? 

Cisco Employee

In that case we need to

In that case we need to configure one more VLAN  Y on the ASA with one of the free IP in 20.x subnet  and thereafter connect you FG firewall ASA port ( configured as access vlan Y) and thereafter create ACL to allow traffic to the FW firewall.

We need to create an identity static NAT  for FG FW IP as well.

static (dmz,outside) 20.20.20.x 20.20.20.x 255.255.255.0

where 20.20.20.x  is the FG FW IP

 

Thanks,

Prashant Joshi

New Member

Prashant, this makes sense. 

Prashant, this makes sense.  The vendor will be shipping the VPN box out next week so if all goes well I will update your answer as Correct.

68
Views
0
Helpful
6
Replies
CreatePlease to create content