Cisco ASA 5505 - SOHO Setup
RS_MCP (Member Posts: 352)
Hi All,
I have an ADSL Router with 1x static WAN IP.
I want to place the ASA behind my Router, assign the Outside interface a WAN IP and be able to remotely access and manage the ASA from any public network.
I believe there is a way for me to do this without assigning another WAN IP to my Outside Interface; I heard someone saying something about accessing the ASA on another port?
Can anyone help me achieve this without buying another Public IP?
Comments
kalebksp (Member Posts: 1,033)
I'm not sure I understand the question. Just allow SSH to the outside interface (ssh 0.0.0.0 0.0.0.0 outside). Why would you need a second IP?
burbankmarc (Member Posts: 460)
Port forward the ports you want to use for the ASA. I believe the ASDM uses port 444.
Something along these lines:
(config)#ip nat inside source static tcp 1.1.1.1 444 int f0/0 444
tiersten (Member Posts: 4,505)
Why do you want the ability to access and manage your ASA from any public network though? :P
RS_MCP (Member Posts: 352)
I need to have the ASA available on the outside because I want to establish an IPsec Site-to-Site tunnel with another ASA.
So when peering the devices, can I just point the tunnel to the static IP on my router that sits in front of the ASA?
How can I bring the Outside Interface up without assigning it a WAN (Public) IP?
kalebksp (Member Posts: 1,033)
I completely missed that you had a router in front of the ASA, so disregard what I said. Though if you can set your DSL router into some sort of bridge/pass-through mode it could work.
RS_MCP (Member Posts: 352)
Without changing any settings on the Router, can I not just configure some NAT settings or Port Forwarding settings on the ASA?
burbankmarc (Member Posts: 460)
RS_MCP wrote: »Without changing any settings on the Router, can I not just configure some NAT settings or Port Forwarding settings on the ASA?
If what you want is to set up a site-to-site VPN, then yes. You can do this without touching your router's config.
Check this link:
PIX/ASA 7.x PIX-to-PIX Dynamic-to-Static IPsec with NAT and VPN Client Configuration Example - Cisco Systems
RS_MCP (Member Posts: 352)
Thank you for sending the link. This makes sense to me.
However, I want to assign a Public IP Address to the Outside Interface of my ASA.
The problem is, I only have 1x static IP already assigned to my Router, and my ASA will sit behind my Router, so in order to establish an IPsec Site-to-Site Tunnel using the ASA, I need a WAN IP for a peer-to-peer connection. I can't use the WAN IP of my Router!
How can I avoid this and still make my ASA available on the outside?
burbankmarc (Member Posts: 460)
Is this the problem at both sites? Or does one of your sites' ASAs have a public address?
That link is for if only 1 side of the tunnel has a public IP and the other works through NAT.
rwwest7 (Member Posts: 300)
When running the firewall wizard from the ASDM one of the choices is "allow access to ASDM from outside". I'd say just run the wizard, preview the commands but don't apply. Dig through the previewed commands for the part you're looking for.
Edit: I misread and am way off topic, apologies.
kalebksp (Member Posts: 1,033)
RS_MCP wrote: »However, I want to assign a Public IP Address to the Outside Interface of my ASA.
The problem is, I only have 1x static IP already assigned to my Router, and my ASA will sit behind my Router, so in order to establish an IPsec Site-to-Site Tunnel using the ASA, I need a WAN IP for a peer-to-peer connection. I can't use the WAN IP of my Router!
Without making any changes on your router you won't be able to access the ASA from the outside.
If your ASA will be initiating the VPN connection it should be able to do so from behind the router through NAT. If the remote side needs to be able to initiate the connection then this won't work; however, you could forward the necessary ports on the router to the ASA so that the router and ASA share the same public IP.
The only other option I can see would be to purchase another static IP and use static NAT on the router to allow the ASA to be accessed through it. This may not work depending on how your ISP assigns static IPs; it doesn't work with mine because they assign statics through DHCP and can't have the same MAC address for two static IPs.
RS_MCP (Member Posts: 352)
kalebksp wrote: »Without making any changes on your router you won't be able to access the ASA from the outside.
If your ASA will be initiating the VPN connection it should be able to do so from behind the router through NAT. If the remote side needs to be able to initiate the connection then this won't work; however, you could forward the necessary ports on the router to the ASA so that the router and ASA share the same public IP.
The only other option I can see would be to purchase another static IP and use static NAT on the router to allow the ASA to be accessed through it. This may not work depending on how your ISP assigns static IPs; it doesn't work with mine because they assign statics through DHCP and can't have the same MAC address for two static IPs.
"however, you could forward the necessary ports on the router to the ASA so that the router and ASA share the same public IP"
I believe this method is IP Unnumbered?
How can I do this?
burbankmarc (Member Posts: 460)
What you are looking for is not IP unnumbered. You can only borrow the IP on the same device. You, however, want to borrow the address to your ASA.
What you need to look into is basic Port Forwarding. Forward the IPSEC/ISAKMP ports to your ASA and you should be able to establish a tunnel.
Is your network config like this: ASA----router-----INTERNET-----ASA
If the above is how your network is configured then the dynamic VPN through NAT will work fine.
RS_MCP (Member Posts: 352)
burbankmarc wrote: »What you are looking for is not IP unnumbered. You can only borrow the IP on the same device. You, however, want to borrow the address to your ASA.
What you need to look into is basic Port Forwarding. Forward the IPSEC/ISAKMP ports to your ASA and you should be able to establish a tunnel.
Is your network config like this: ASA----router-----INTERNET-----ASA
If the above is how your network is configured then the dynamic VPN through NAT will work fine.
Yes!
ASA > Router > Internet > ASA
Ok, so if I forward the IPSEC/ISAKMP Ports to my ASA, which will be uplinked via Ethernet, will my ASA be available on the Outside?
RS_MCP (Member Posts: 352)
RS_MCP wrote: »Yes!
ASA > Router > Internet > ASA
Ok, so if I forward the IPSEC/ISAKMP Ports to my ASA, which will be uplinked via Ethernet, will my ASA be available on the Outside?
I have a Netgear DG834GT, I don't think this even supports IPSec?
kalebksp (Member Posts: 1,033)
Forward UDP 500 and 4500 to the ASA. Since you said that you want to be able to manage it from the outside you may want to forward TCP 22 as well, although once you have a VPN established you should be able to manage it through the VPN without a port forward.
burbankmarc (Member Posts: 460)
I agree with kaleb, just forward ISAKMP, then manage it through the VPN. There's no reason to leave it open to the whole world.
RS_MCP (Member Posts: 352)
Ok Guys, let me give it a shot and I will keep you guys updated!
All your help is much appreciated...
TesseracT (Member Posts: 167)
Just for curiosity's sake, what's the point of having your router face the internet instead of the ASA? Is it doing some funky routing or something that the ASA can't do?
johnwest43 (Member Posts: 294)
I have a similar setup at home, I just put the ISP device into bridge mode. Then your ASA has a public IP on the outside interface.
ConstantlyLearning (Member Posts: 445)
RS_MCP wrote: »Ok Guys, let me give it a shot and I will keep you guys updated!
All your help is much appreciated...
Did you get this working?
I currently have it set the same as johnwest43, SOHO gateway in bridge mode, ASA outside interface gets assigned the public address. Happy days.
However, I'd like to set it up the way you're attempting.
I created a subnet between the SOHO gateway and ASA.
Added a route on the SOHO gateway to reach the inside network of the ASA by going towards the IP address of the ASA's outside interface.
Added a default route on the ASA pointing towards the IP address of the SOHO gateway's inside interface.
Port forwarded 500 and 4500 on the SOHO gateway to the IP address of the ASA's outside interface.
Negotiations break down during phase 1.
I'll hopefully put some debug output up tomorrow.
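As an added example (not a configuration posted by anyone in this thread, and not Cisco's own example), here is what the ASA side of the layout ConstantlyLearning describes, and the port-forward-only approach kalebksp and burbankmarc recommend, looks like in ASA 8.2-style CLI: a transit subnet between the SOHO gateway and the ASA, a default route to the gateway, NAT-T enabled so IKE and ESP survive the gateway's NAT with only UDP 500 and 4500 forwarded, and management reachable only from the local LAN and from the far site across the tunnel instead of `ssh 0.0.0.0 0.0.0.0 outside`. Every address is an assumption: 192.168.100.0/24 is the transit subnet (gateway .1, ASA .2), 192.168.1.0/24 the local LAN, 192.168.2.0/24 the remote LAN, 203.0.113.10 the remote peer's public IP, and the pre-shared key is a placeholder. The gateway is assumed to forward UDP 500 and 4500 to 192.168.100.2 and to have a route for 192.168.1.0/24 via 192.168.100.2; the remote ASA is assumed to peer with the gateway's public IP (the source address it will actually see) and to have NAT-T enabled too.

```cisco
! Added example, not from the thread: ASA 8.2-style config for an ASA sitting
! behind a SOHO gateway that owns the single public IP. All addresses assumed.
!
! Outside: transit subnet shared with the gateway's LAN side (gateway = .1)
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.100.2 255.255.255.0
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Default route toward the gateway. The gateway needs the reverse route
! (192.168.1.0/24 via 192.168.100.2) and forwards UDP 500 + 4500 to 192.168.100.2.
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
!
! Interesting traffic: local LAN <-> remote LAN, exempted from NAT
access-list L2L_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NO_NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
!
! IKEv1 phase 1. nat-traversal is what makes this work behind the gateway's NAT:
! once NAT is detected, IKE and ESP are carried in UDP 4500, so only UDP 500 and
! 4500 ever need to be forwarded (no ESP / IP protocol 50 handling on the gateway).
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! Phase 2 and the crypto map bound to outside; the peer is the far site's public IP
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-PSK
!
! Management: no "ssh 0.0.0.0 0.0.0.0 outside" and no TCP 22/443 forward on the
! gateway. SSH is permitted only from the local LAN and from the remote LAN, which
! reaches the ASA's inside address through the tunnel because of management-access.
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 inside
management-access inside
```

With this in place the only thing the public side can reach is IKE on UDP 500/4500, and the remote peer must name the gateway's public IP as its peer, since that is the source address the forwarded packets carry. When phase 1 fails, as in ConstantlyLearning's post, `show crypto isakmp sa` on both ASAs and `debug crypto isakmp 127` on the initiator show which side rejects the exchange and whether NAT was detected at all; if the remote ASA shows nothing arriving, the gateway's forwarding rule (both ports, UDP, to the transit address) is the first thing to re-check.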