  #1 RS_MCP (Senior Member, London, UK, joined Mar 2008; CCNA, CCNA Security, CCSP, CCIE Security Written)

    Cisco ASA 5505 - SOHO Setup

    Hi All,

    I have an ADSL Router with 1* Static WAN IP.

    I want to place the ASA behind my Router, assign the Outside interface a WAN IP and be able to remotely access and manage the ASA from any public network.

    I believe there is a way for me to do this without assigning another WAN IP to my Outside Interface, I heard someone saying something about accessing the ASA on another port?

    Can anyone help me achieve this without buying another Public IP?


  #2 kalebksp (Senior Member, joined Oct 2005; CCNP (R&S/Voice), CCDP, CCIP, VCP, NCDA, MCSE, CCNA Security)
    I'm not sure I understand the question. Just allow SSH to the outside interface (ssh 0.0.0.0 0.0.0.0 outside). Why would you need a second IP?

  #3 burbankmarc (Virginia, joined Oct 2009; LPIC, NCLA, CCNA, CCNP, CCIP)
    Port forward the ports you want to use for the ASA. I believe the ASDM uses port 444

    Something along these lines:

    (config)#ip nat inside source static tcp 1.1.1.1 444 int f0/0 444

  #4 unnamed member (user title "was here.", joined Apr 2008)
    Why do you want the ability to access and manage your ASA from any public network though? :P

  #5 RS_MCP
    I need to have the ASA available on the outside because I want to establish an IP Sec Site-to-Site tunnel with another ASA.

    So when peering the devices can I just point the tunnel to the static IP on my router that sits in front of the ASA?

    How can I bring the Outside Interface up without assigning it a WAN (Public) IP?

  #6 kalebksp
    I completely missed that you had a router in front of the ASA, so disregard what I said. Though if you can set your DSL router into some sort of bridge/pass-through mode it could work.

  #7 RS_MCP
    Without changing any settings on the Router, can I not just configure some NAT settings or Port Forwarding settings on the ASA?

  #8 burbankmarc
    Originally Posted by RS_MCP:
    Without changing any settings on the Router, can I not just configure some NAT settings or Port Forwarding settings on the ASA?
    If what you want is to set up a site-to-site VPN, then yes. You can do this without touching your router's config.

    Check this link:

    PIX/ASA 7.x PIX-to-PIX Dynamic-to-Static IPsec with NAT and VPN Client Configuration Example - Cisco Systems

  #9 RS_MCP
    Thank you for sending the link. This makes sense to me.

    However, I want to assign a Public IP Address to the Outside Interface of my ASA.

    The problem is, I only have 1* Static IP already assigned to my Router, my ASA will sit behind my Router, so in order to establish an IP Sec Site-to-Site Tunnel using the ASA, I need a WAN IP for a peer to peer connection. I can't use the WAN IP of my Router!

    How can I avoid this and still make my ASA available on the outside?

  #10 burbankmarc
    Is this the problem at both sites? Or does one of your sites' ASAs have a public address?

    That link is for if only 1 side of the tunnel has a public IP and the other works through NAT.

  #11 rwwest7 (Senior Member, joined Jan 2009; A+, Network+, MCSE 2003, CCNA:S, VCP 4)
    When running the firewall wizard from the ASDM one of the choices is "allow access to ASDM from outside". I'd say just run the wizard, preview the commands but don't apply. Dig through the previewed commands for the part you're looking for.

    Edit: I misread and am way off topic, apologies.
    Last edited by rwwest7; 06-18-2010 at 05:00 PM.

  #12 kalebksp
    Originally Posted by RS_MCP:
    However, I want to assign a Public IP Address to the Outside Interface of my ASA.

    The problem is, I only have 1* Static IP already assigned to my Router, my ASA will sit behind my Router, so in order to establish an IP Sec Site-to-Site Tunnel using the ASA, I need a WAN IP for a peer to peer connection. I can't use the WAN IP of my Router!
    Without making any changes on your router you won't be able to access the ASA from the outside.

    If your ASA will be initiating the VPN connection it should be able to do so from behind the router through NAT. If the remote side needs to be able to initiate the connection then this won't work, however you could forward the necessary ports on the router to the ASA so that the router and ASA share the same public IP.

    The only other option I can see would be to purchase another static IP and use static NAT on the router to allow the ASA to be accessed through it. This may not work depending on how your ISP assigns static IPs, it doesn't work with mine because they assign statics through DHCP and can't have the same MAC address for two static IPs.

  #13 RS_MCP
    Originally Posted by kalebksp:
    Without making any changes on your router you won't be able to access the ASA from the outside.

    If your ASA will be initiating the VPN connection it should be able to do so from behind the router through NAT. If the remote side needs to be able to initiate the connection then this won't work, however you could forward the necessary ports on the router to the ASA so that the router and ASA share the same public IP.

    The only other option I can see would be to purchase another static IP and use static NAT on the router to allow the ASA to be accessed through it. This may not work depending on how your ISP assigns static IPs, it doesn't work with mine because they assign statics through DHCP and can't have the same MAC address for two static IPs.
    "however you could forward the necessary ports on the router to the ASA so that the router and ASA share the same public IP"

    I believe this method is IP Unnumbered?

    How can I do this?

  #14 RS_MCP
    Any update guys?

  #15 burbankmarc
    What you are looking for is not IP unnumbered. You can only borrow the IP on the same device. You, however, want to borrow the address to your ASA.

    What you need to look into is basic Port Forwarding. Forward the IPSEC/ISAKMP ports to your ASA and you should be able to establish a tunnel.

    Is your network config like this:

    Code:
    ASA----router-----INTERNET-----ASA
    If the above is how your network is configured then the dynamic VPN through NAT will work fine.

  #16 RS_MCP
    Originally Posted by burbankmarc:
    What you are looking for is not IP unnumbered. You can only borrow the IP on the same device. You, however, want to borrow the address to your ASA.

    What you need to look into is basic Port Forwarding. Forward the IPSEC/ISAKMP ports to your ASA and you should be able to establish a tunnel.

    Is your network config like this:

    Code:
    ASA----router-----INTERNET-----ASA
    If the above is how your network is configured then the dynamic VPN through NAT will work fine.
    Yes!

    ASA > Router > Internet > ASA

    Ok, so if I forward the IPSEC/ISAKMP Ports to my ASA, which will be uplinked via Ethernet, will my ASA be available on the Outside?

  #17 RS_MCP
    Originally Posted by RS_MCP:
    Yes!

    ASA > Router > Internet > ASA

    Ok, so if I forward the IPSEC/ISAKMP Ports to my ASA, which will be uplinked via Ethernet, will my ASA be available on the Outside?
    I have a Netgear DG834GT; I don't think this even supports IPSec?

  #18 kalebksp
    Forward UDP 500 and 4500 to the ASA. Since you said that you want to be able to manage it from the outside you may want to forward TCP 22 as well, although once you have a VPN established you should be able to manage it through the VPN without a port forward.

  #19 burbankmarc
    I agree with kaleb, just forward ISAKMP, then manage it through the VPN. There's no reason to leave it open to the whole world.

  #20 RS_MCP
    Ok Guys, let me give it a shot and I will keep you guys updated!

    All your help is much appreciated...

  #21 TesseracT (user title "Surprised Badger", joined Jul 2010; BSc, CCNP, MCSA, MCTS Exchange, CCIE Written)
    Just for curiosity's sake, what's the point of having your router face the internet instead of the ASA? Is it doing some funky routing or something that the ASA can't do?

  #22 johnwest43 (user title "I'd rather be fly fishing", Grand Blanc, MI, joined Dec 2009; CCNP, CCNA: Voice, Network+, A+)
    I have a similar setup at home, I just put the ISP device into bridge mode. Then your ASA has a public IP on the outside interface.

  #23 ConstantlyLearning (Senior Member, Dublin, Ireland, joined Dec 2006; JNCIA-JunOS, CCNP, CCNA-Security, CCNA, CCENT, CWNA, JNCIA-FWV, Security+, Network+, A+, MCP, MCSA, ITIL Foundation V3)
    Originally Posted by RS_MCP:
    Ok Guys, let me give it a shot and I will keep you guys updated!

    All your help is much appreciated...
    Did you get this working?

    I currently have it set the same as johnwest43, SOHO gateway in bridge mode, ASA outside interface gets assigned the public address. Happy days.

    However, I'd like to set it up the way you're attempting.

    I created a subnet between the SOHO gateway and ASA.
    Added a route on the SOHO gateway to reach the inside network of ASA by going towards the IP address of ASA's outside interface.
    Added a default route on the ASA pointing towards the IP address of the SOHO gateway's inside interface.
    Port forwarded 500 and 4500 on the SOHO gateway to the IP address of the ASA's outside interface.

    Negotiations break down during phase 1.

    I'll hopefully put some debug output up tomorrow.
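The configuration the thread converges on (kalebksp's advice in #18 to forward UDP 500/4500 and manage the ASA through the tunnel, burbankmarc's point in #19 about not leaving SSH open to the world, and the step list in #23) can be written out on the ASA side as follows. This is an added example and not configuration posted by anyone in the thread or taken from the Cisco document linked above. It assumes an ASA 5505 running 8.2-era software (pre-8.3 NAT syntax, IKEv1), and every address, object name (VPN-TRAFFIC, OUTSIDE_MAP, ESP-AES256-SHA) and the IOS "Dialer0" lines are constructed placeholders; the Netgear in the thread is configured through its web GUI, so its port forwards are described only in comments.

```cisco
! ASA 5505 sitting behind a SOHO NAT gateway (ASA 8.2-era syntax, added example).
! Constructed addresses: 192.168.100.0/24 is the link between gateway and ASA,
! 10.10.0.0/24 the local LAN, 10.20.0.0/24 the remote LAN, 203.0.113.10 the
! remote peer's public IP (documentation range, not a real site).
!
! --- interfaces: the outside interface gets a PRIVATE address on the link ---
interface Ethernet0/0
 switchport access vlan 2
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.100.2 255.255.255.0
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
! default route toward the gateway's LAN-side address (step 3 in post #23)
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
!
! --- interesting traffic and NAT exemption for the tunnel (pre-8.3 style) ---
access-list VPN-TRAFFIC extended permit ip 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0
nat (inside) 0 access-list VPN-TRAFFIC
!
! --- IKEv1 phase 1: ISAKMP on outside plus NAT traversal (UDP/4500), which is
! what lets ESP cross the gateway's NAT ---
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! --- phase 2 ---
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <REPLACE-WITH-A-STRONG-SHARED-SECRET>
!
! --- management: reach the ASA through the tunnel instead of from the Internet,
! so there is no "ssh 0.0.0.0 0.0.0.0 outside" and no TCP/22 forward needed ---
management-access inside
ssh 10.10.0.0 255.255.255.0 inside
ssh 10.20.0.0 255.255.255.0 inside
ssh timeout 10
!
! --- what the gateway must do (not part of this ASA config): forward UDP/500
! and UDP/4500 to 192.168.100.2 (step 4 in post #23). If the gateway were an
! IOS router rather than the Netgear, that would be:
!   ip nat inside source static udp 192.168.100.2 500 interface Dialer0 500
!   ip nat inside source static udp 192.168.100.2 4500 interface Dialer0 4500
! The remote ASA's "set peer" and tunnel-group name use the GATEWAY's public
! IP, since that is the source address it sees for this ASA's IKE packets.
!
! --- checks while phase 1 is being negotiated ---
! show crypto isakmp sa      (state should reach MM_ACTIVE)
! show crypto ipsec sa       (encaps/decaps counters on the SA)
! debug crypto isakmp 127    (proposal or pre-shared-key mismatches show here)
```

The two "ssh ... inside" lines together with "management-access inside" allow an administrator on either LAN to SSH to the ASA's inside address over the tunnel, which is the arrangement kalebksp and burbankmarc recommend in #18 and #19; nothing on the outside interface is exposed beyond ISAKMP itself.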