Sorry for the noob question, I haven't done this in years...

I have a Cisco ASA with a working VPN, which I set up like five years ago, and I would like to forward http through to an internal IP address. The concern is: the only way I have to get to the ASA is via the VPN, and I'm not near the device, so losing connectivity isn't an option. I've been reading up on it, since I've forgotten, and it seems that I basically need to:

  1. set up nat source for int and ext IPs
  2. enable nat inside
  3. enable nat outside

Sound about right so far? I will need to do this twice, for two sets of IPs (int and ext). Is it doable to enable NAT without breaking my connection? Will the typical way of doing it work fine?

Josh

1 Answer

Yes, this is possible without killing your IPSec or SSL VPN tunnel. I just did something similar a few minutes ago.

Will you be doing this via the ASDM GUI interface or just the CLI? Are there no NAT entries in the system at the moment?

I prefer the ASDM in situations where there isn't a framework in place... But yes, you'll need the nat (inside,outside) static entries... and an access-list for the internal IP address in question.

Are we assuming you'll give a dedicated IP to the host? The setup for portmapping (using the ASA's IP) will be different.

Also, the ASA software version is a consideration. Version 8.2 treats NAT slightly differently from 8.3 and above.

ewwhite
  • It's an IPsec VPN, via CLI, and ASA version 7.2 (yeah). The internal hosts (VMs) have static IPs, running Unix, and I'll bind an additional IP for each one if I need more, so it could be a 1:1 IP-to-IP sort of mapping. This is what makes me think static NAT would make sense. It looks like this is close to what I need to do: static (outside,inside) 10.x.x.x 1.2.3.4 netmask 255.255.255.255 – Josh Jul 25 '12 at 22:33
  • Either way, make sure you can keep a connection to another host in the network available... but using the existing entries as a template, you shouldn't lose your connection. – ewwhite Jul 25 '12 at 22:39
  • Well I added the NAT lines, but it doesn't work. I think because the additional IPs are on a second subnet, and the ASA doesn't have an IP on that subnet (though I added a route to the gw and can ping the gw). I haven't figured out how to add another IP to the vlan interface yet... – Josh Jul 25 '12 at 23:18
  • Apparently my ASA can't do multiple IPs on one interface, so this is all moot. It would have been nice if I could use the extra subnet with this router, but I ended up stringing another cable and making a switchport on the ASA...ugh. Thanks for the reply! – Josh Jul 28 '12 at 00:53
  • You would need to post the config for anyone to be able to help in a reasonable manner. – ewwhite Jul 28 '12 at 13:04
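A concrete version of the static-NAT-plus-access-list setup the answer outlines, in the pre-8.3 syntax the asker is on; this is an added example, not configuration from the thread, and the interface names, ACL name and all addresses are assumptions.

```cisco
! Assumed: ASA running pre-8.3 software (7.x / 8.2 NAT syntax), interfaces
! named "inside" and "outside". All addresses are constructed placeholders:
! internal web host 10.10.10.5, spare public address 203.0.113.10.
! The mapped address must be reachable from the outside side, i.e. in the
! outside interface's subnet or routed to the ASA by the upstream gateway.

! 1. One-to-one static translation of the inside host to the public address.
!    Pre-8.3 form: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
static (inside,outside) 203.0.113.10 10.10.10.5 netmask 255.255.255.255

! 2. Permit only HTTP to that host. Pre-8.3 ACLs on the outside interface
!    match the mapped (translated) address, not the real inside address.
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq www

! 3. Bind the ACL inbound on outside. If an ACL is already bound there, add
!    the permit line to that existing ACL instead: a new access-group on the
!    same interface and direction replaces the old binding.
access-group outside_access_in in interface outside

! 4. Read-only checks: simulate an inbound web request from a constructed
!    external client and confirm the translation is installed.
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 80
show xlate | include 10.10.10.5
```

The packet-tracer and show xlate lines change nothing, so they can be run over the VPN before relying on the new translation.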