Sorry for the noob question, I haven't done this in years...
I have a Cisco ASA with a working VPN, which I set up like five years ago, and I would like to forward http through to an internal IP address. The concern is: the only way I have to get to the ASA is via the VPN, and I'm not near the device, so losing connectivity isn't an option. I've been reading up on it, since I've forgotten, and it seems that I basically need to:
- set up nat source for int and ext IPs
- enable nat inside
- enable nat outside
Sound about right so far? I will need to do this twice, for two sets of IPs (int and ext). Is it doable to enable NAT without breaking my connection? Will the typical way of doing it work fine?
Yes, this is possible without killing your IPSec or SSL VPN tunnel. I just did something similar a few minutes ago.
Will you be doing this via the ASDM GUI interface or just the CLI? Are there no NAT entries in the system at the moment?
I prefer the ASDM in situations where there isn't a framework in place... But yes, you'll need the `nat (inside,outside) static` entries... and an `access-list` for the internal IP address in question. Are we assuming you'll give a dedicated IP to the host? The setup for portmapping (using the ASA's IP) will be different.
Also, the ASA software version is a consideration. Version 8.2 treats NAT slightly differently than 8.3 and above.
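
An added illustration of the static NAT and access-list entries mentioned in the answer, showing how the syntax differs between 8.2 and 8.3 and above. It is not part of the original post; the object name, ACL name, interface names and all addresses are assumed placeholders.

```cisco
! Constructed example: names and addresses are placeholders.
!   internal web server : 192.168.1.10
!   dedicated public IP : 203.0.113.10
!
! Remote-change safety net: schedule a reload before editing and do not
! save until the VPN is confirmed working. A reload discards unsaved
! changes; "reload cancel" aborts it.
!   reload in 15
!
! ---- ASA 8.3 and above ---------------------------------------------
! Dedicated public IP (one-to-one static NAT)
object network WEB-SERVER
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.10
! 8.3+ ACLs match the real (internal) address
access-list OUTSIDE-IN extended permit tcp any host 192.168.1.10 eq www
!
! Port mapping on the ASA's own outside IP (use instead of the nat line above)
!  nat (inside,outside) static interface service tcp www www
!
! ---- ASA 8.2 and below ---------------------------------------------
! Dedicated public IP
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
! Pre-8.3 ACLs match the translated (public) address
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.10 eq www
!
! Port mapping on the ASA's own outside IP (use instead of the static above)
!  static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255
!  access-list OUTSIDE-IN extended permit tcp any interface outside eq www
!
! ---- Either version ------------------------------------------------
! Bind the ACL only if the outside interface has none yet. An interface
! takes one ACL per direction, so if "show run access-group" lists one,
! add the permit line to that ACL instead.
access-group OUTSIDE-IN in interface outside
```

Use only the section that matches the running software version, as reported by `show version`.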