Peplink 305 - Inbound IP Traffic

I have a Peplink 305 with 3 WAN connections. Behind the Peplink I have an existing Cisco ASA firewall. The firewall is doing NAT and all the firewall rules. The Peplink is only for WAN failover.

I’m having a problem setting up port forwarding of inbound IPs to pass to the LAN segment. I have set up NAT and also inbound rules.

Can someone point me in the right direction to allow different IPs on different WAN interfaces to pass to the ASA?

Thank you.

Here is a simple layout. I’m not using drop-in mode; should I be? Each of the WAN interfaces has public IPs that I need to be forwarded to the ASA. Thoughts???

@KCol, you should definitely be using Drop-In mode for this and it will allow you to put a public IP from say WAN1 on the ASA. Then you can just forward traffic from the other two WAN connections to the ASA. Thanks

Ok, so after the drop-in mode is selected I need to create an Inbound server pointing to the outside interface of the ASA and then create Inbound Services for each public IP that I want forwarded. Correct?

You got it, let us know how you make out!

Tim,
I have a Peplink 380 now (100mb interfaces) that I’m replacing. I have created the inbound server and services but it doesn’t work. I’ll try on the 305 after work hours and let you know. Thank you!

Ok. I have the new Peplink 305 in place. WAN 2 is configured for drop-in mode. I am able to browse the Internet from the inside. I created an “Inbound Access Servers” pointing to the outside interface of the ASA. I created an “Inbound Access Services” for Any services listening on all ports (WAN1 and WAN3) and directing it to the server IP created in “Inbound Access Servers”. I am not able to get inbound traffic to be delivered to the ASA.

I found this: How to Configure Inbound Port Forwarding
Do I need to create a secondary IP on the firewall outside interface?

Anyone???

A secondary IP on the firewall should not be necessary for this. You have public IPs on both WAN1 and WAN3 and are not able to get to the ASA with any ports? Please confirm inbound firewall rules are not blocking this and open a support ticket with us here so we can investigate the issue.

Ron,
I have public IPs on WAN1 and WAN2 (WAN3 is not yet used). WAN2 is configured for drop-in mode and works. The inbound IPs on WAN1 do not reach the ASA. I have a DMZ on the ASA that I’m trying to NAT outbound on WAN1. When I do that it will not reach the Internet. When I NAT it using the IP of the ASA outside interface then I can get to the Internet. Inbound firewall rules on the Peplink are default Allow Any Any. My ASA is a Cisco 5512.

Please note for this drop-in mode deployment the ASA will have the public IPs for WAN2 and keep its existing default gateway of the WAN2 ISP router. The Peplink Balance will do the rest.

The ASA has an IP from WAN2 and is using the gateway for WAN2. By it doing the rest do you mean no further configurations are necessary or do I still need the NAT mapping?

The ASA only needs to NAT from the WAN2 public IPs to its internal networks and it is not aware of the WAN1 connection.

Ron,
On the Peplink, I have the NAT pointing to my ASA outside interface. I have a WAN1 public IP selected for Inbound and Outbound NAT’ing.

On the ASA:
I have a PC on a DMZ interface.
Access rule and NAT rule with the following:

Not able to browse the web from the DMZ PC. I see a buildup and teardown on the ASA.


Makes me think the ASA is sending traffic outbound but the Peplink isn’t forwarding it.

I’m sure I’m missing something. Any help is greatly appreciated.

Some more info.
The ASA has proxy arp turned on and listening for non-connected:

  • arp permit-nonconnected
  • no sysopt noproxyarp outside

This is now solved. I had to create a dual NAT and add a static route to the new NAT on the ASA. It works correctly now. Thank you everyone for the comments.

Bro, I am also facing the same issue as you. Congratulations on solving the issue. Could you teach me how to do that step by step? Thanks a lot.

Junpro,
Create a set of IP numbers that you want to use between the Peplink Inside interface and your ASA outside interface; maybe something like 192.168.30.x. On the Peplink create a NAT from your WAN IP to a 192.168.30.x IP. Add a static route on the LAN interface for 192.168.30.x pointing to the IP of the ASA (outside interface). The inbound IP then gets translated from the public IP to the 192.168.30.x IP then gets forwarded to the ASA. Once at the ASA you may have another NAT to translate it into an inside IP and then to its destination. Make sure your ASA is configured to allow non-connected IPs on the outside interface.

Thanks bro, I will review it and attempt to do it.
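
The ASA side of the dual NAT described in the reply to Junpro, as an added example that is not from the original thread or from Peplink or Cisco. 192.168.30.10 follows the 192.168.30.x suggestion above; the DMZ host 10.10.10.10, the interface name `dmz`, the object and ACL names, TCP/443 and the test source 198.51.100.7 are constructed placeholders, and the syntax assumes ASA 8.3 or later.

```cisco
! Constructed example. Assumed Peplink side (set in its web UI):
!   NAT mapping:  WAN1 public IP <-> 192.168.30.10
!   Static route: 192.168.30.x via the ASA outside interface IP
!
! Accept addresses that are not on the outside interface's
! connected subnet (the setting quoted earlier in the thread).
arp permit-nonconnected
!
! Second NAT: transit address on outside <-> real DMZ host.
object network DMZ-PC
 host 10.10.10.10
 nat (dmz,outside) static 192.168.30.10
!
! From 8.3 on, interface ACLs match the real (untranslated) address.
! Permit only the published service instead of any/any. If an ACL is
! already bound to outside, add the permit line to that ACL and skip
! the access-group command, which would replace the existing binding.
access-list OUTSIDE-IN extended permit tcp any object DMZ-PC eq 443
access-group OUTSIDE-IN in interface outside
!
! Verification (privileged EXEC, not configuration mode):
! simulate a packet as the Peplink would deliver it after its own NAT,
! then confirm the static translation exists and is being hit.
packet-tracer input outside tcp 198.51.100.7 12345 192.168.30.10 443
show nat detail
show xlate
```

In the `packet-tracer` output, the UN-NAT phase should show 192.168.30.10 being translated to the DMZ host and the final result should be ALLOW; a drop in the ACCESS-LIST phase points at the interface ACL rather than the NAT.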