Connect with us

VPN

How to set up Cisco ASA NAT 5516-X as DMZ VPN

Dominik

Published

on

Setting up a Cisco ASA NAT 5516-X as a virtual private network in a demilitarized zone shouldn’t be much more difficult than configuring any other provisionally allowed connection in a similar environment. So long as your firmware is any newer than ancient, you should be able set up this behavior irrespective of network complexity (i.e., whether your target hosts are even inside a DMZ).

Why allow a VPN in a DMZ at all?

Short for Adaptive Security Appliance, the Cisco ASA series consists of hardware meant to separate a private network from the Internet. Meaning it delivers a firewall first and foremost. Don’t let this part confuse you; while a product like the Cisco ASA NAT 5516-X isn’t exactly advertised as a solution for private network virtualization, it’s fully compatible with VPN use cases.

That’s especially true with a DMZ in the mix, though you might simply want the extra security benefits of a VPN. Either way, there are things that need to happen before you can start thinking about rerouted connections.

Hold your VPNs: updating the ASA NAT 5516-X

As with most network buildouts, there are many ways to accomplish basic VPN functionality while working with physical firewalls. Note that these instructions should apply to all products from the ASA 5500-X series. With that said, the example configuration will use the ASA NAT 5516-X because it’s a popular choice among VPN power users who also happen to be Cisco customers.

Keep in mind that this is not a comprehensive tutorial on how to get started with advanced network system administration. We’ll revise the basics just in case it’s highly recommended have them figured out beforehand. Not least because ensuring that your ASA NAT 5516-X unit is running the latest firmware is part of that challenge – you’re risking major connectivity issues otherwise.

And if for any bizarre reason your system happens to be using a truly ancient OS, DMZ VPN features won’t work at all. Though that hopefully won’t be an issue as we’re talking about pre-8.3 ASA firmware, which is nearly half a decade old, at this point.

Either way, proceed by confirming the basic firewall functionality of your ASA NAT 5516-X is working as intended. Meaning that your DMZ has Internet connectivity and your private network is actually private. If you were already running a robust live network, go over the infrastructure and make a note of any atypical device configurations. Primarily because if your system is already barely held together by unidentified cables, duct tape, and prayers, adding VPN-related instructions might just be what pushes it over the edge. Also, accounting for every use case is impossible, so our example scenario will include a pretty vanilla setup with near-factory settings.

RA VPN licensing requirements

You don’t have to authorize the necessary license purchases before moving on to the technical stuff. If you have a registered Cisco Smart Software Manager account, licensing red tape should hence not cause any DMZ VPN deployment delays.

As of this writing, Cisco’s Remote Access (RA) VPN service is bundled with AnyConnect Apex, AnyConnect Plus, and AnyConnect VPN Only licenses. In order to maximize the interoperability potential between the ASA NAT 5516-X and a DMZ VPN, you’ll also need to be eligible for the Strong Encryption (3DES/AES) license. Due to the way virtual private networks work, a bulletproof encryption standard is of paramount importance in any scenario.

If you’re eligible, the Strong Encryption (3DES/AES) license should be activated automatically on the ASA NAT 5516-X. Eligibility pretty much solely depends on whether the U.S. government allows Cisco to sell military-grade tech to (companies headquartered in) your country. And yes, very large numbers qualify as both “military-grade tech” and “fitting ways to describe what AES is”.

How to set up the ASA NAT 5516-X as a VPN in a DMZ

The kind of VPN functionality we’re working to achieve here is twofold. It consists of allowing rerouted inbound connections to a specific DMZ server and greenlighting outbound connections to the World Wide Web from rerouted DMZ hosts.

Best practices say to start with the letter. After all, your DMZ users will need to have their private IP addresses translated into something discernible by the wider TCP/IP net since even fully functional inbound connections would be one-way otherwise. This would be the external IP address associated with your ASA NAT 5516-X system, in case you want to do things manually. But if your setup includes a DHCP or your public IP is dynamic for any other reason, the easiest course of action is calling upon AutoNAT, aka Object NAT.

In any case, the Adaptive Security Device Manager (ASDM) app should do the trick. In an elementary ASA NAT setup consisting of three interfaces interlinked with three network segments, the first part of your configuration should resemble the following:

object network inside-subnet
 subnet 192.168.0.0 XXX.XXX.XXX.X
 nat (inside,outside) dynamic interface
!
object network dmz-subnet
 subnet 192.168.1.0 XXX.XXX.XXX.X
 nat (dmz,outside) dynamic interface

This NAT rule will automatically translate local IP addresses to your system-wide public identifier. If you take a closer look at the parameters, you’ll see that we have greenlit outgoing requests from both DMZ and internal hosts.

Now repeat that procedure to allow Internet hosts to access one or more of your internal servers. Keep in mind that there’s a difference between allowing two-way communications and accepting two-way communications requests. The latter will only be possible if your DMZ is unrestricted. Otherwise, the ASA NAT 5516-X can only support truly bi-directional communications for one object (either inside-dmz or outside-dmz).

Ultimately, you’ll always have to manually exempt DMZ-to-VPN traffic or all of your work up to this point will have been for nothing. Without explicitly allowing such connections in a compatible setup, the ASA NAT 5516-X will always default to a PAT override based on a superseding identity ruleset that’s guaranteed to exist if your pre-VPN network was ever operational.