<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How to configure a Cisco ASA behind PA2050 with public IP in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-a-cisco-asa-behind-pa2050-with-public-ip/m-p/748#M586</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;libr, if the external interface of the ASA must have a public IP address then configuring two interfaces on your 2050 for VWire seems to be your best option.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Wed, 02 Nov 2011 12:33:01 GMT</pubDate>
    <dc:creator>bvandivier</dc:creator>
    <dc:date>2011-11-02T12:33:01Z</dc:date>
    <item>
      <title>How to configure a Cisco ASA behind PA2050 with public IP</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-a-cisco-asa-behind-pa2050-with-public-ip/m-p/743#M581</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Greetings,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I'm trying to figure out how to configure our PA2050 to point one of our public IPs in a /25 block to a Cisco ASA 5510 behind it. We're using both the PA's SSL VPN and the ASA's SSL VPN so I'd like to plug the ASA into port 2 on the PA2050 and allow it to be accessed directly via one of those public IPs.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Our upstream provider's equipment is x.x.x.1/25, interface 1 on the PA2050 is x.x.x.2/25, and I want to set up the ASA as x.x.x.125/25. Our upstream link comes directly into interface 1 of the PA2050 and I'd prefer NOT to put a switch in between them or something similar. How would I accomplish this? We've got plenty of NAT mappings working properly for various public IPs to internal RFC1918 addresses, but I'm a bit lost here.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Any pointers are appreciated, thanks in advance!&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 30 Sep 2011 21:50:21 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-a-cisco-asa-behind-pa2050-with-public-ip/m-p/743#M581</guid>
      <dc:creator>mhoush</dc:creator>
      <dc:date>2011-09-30T21:50:21Z</dc:date>
    </item>
    <item>
      <title>Re: How to configure a Cisco ASA behind PA2050 with public IP</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-a-cisco-asa-behind-pa2050-with-public-ip/m-p/744#M582</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Have you considered running the ASA and the Palo Alto in parallel? If you really want the ASA traffic inspected by the PA as well, you could put a vwire in front of the Cisco and then run the Cisco in parallel with the PA.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;To avoid the need for a switch you could do a "one to one" NAT on the WAN side of the PA to an IP on another interface that leads to the ASA. To do this, build the NAT rule from the trusted side towards the internet and select the "bi-directional" option.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Steve Krall&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 30 Sep 2011 23:04:40 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-a-cisco-asa-behind-pa2050-with-public-ip/m-p/744#M582</guid>
      <dc:creator>skrall</dc:creator>
      <dc:date>2011-09-30T23:04:40Z</dc:date>
    </item>
    <item>
      <title>Re: How to configure a Cisco ASA behind PA2050 with public IP</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-a-cisco-asa-behind-pa2050-with-public-ip/m-p/745#M583</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I do want the PA to do all the traffic inspection in this case; the ASA is *only* there as a Cisco VPN endpoint.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If I were to do the 1-to-1 NAT method, I'm not understanding how to handle the interface addresses. What address would I be setting on interface 2 of the PA2050 if I plug the ASA into that one, given that the ASA should answer to x.x.x.125/25?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sat, 01 Oct 2011 00:02:19 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-a-cisco-asa-behind-pa2050-with-public-ip/m-p/745#M583</guid>
      <dc:creator>mhoush</dc:creator>
      <dc:date>2011-10-01T00:02:19Z</dc:date>
    </item>
    <item>
      <title>Re: How to configure a Cisco ASA behind PA2050 with public IP</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-a-cisco-asa-behind-pa2050-with-public-ip/m-p/746#M584</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;@libr:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Is the Cisco VPN encrypting ALL of the traffic with SSL? Or is it using IPSEC as well? You have to remember that the Palo Alto Device can decrypt the SSL traffic, but not IPSEC.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;-Benjamin&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sat, 01 Oct 2011 01:27:52 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-a-cisco-asa-behind-pa2050-with-public-ip/m-p/746#M584</guid>
      <dc:creator>bpappas</dc:creator>
      <dc:date>2011-10-01T01:27:52Z</dc:date>
    </item>
    <item>
      <title>Re: How to configure a Cisco ASA behind PA2050 with public IP</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-a-cisco-asa-behind-pa2050-with-public-ip/m-p/747#M585</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Actually, I've misread/misunderstood what the responses were asking, sorry! I don't want to do traffic inspection, I just want the PA to do all the filtering for VPN users connecting to the ASA. Sorry for the confusion. For what it's worth, though, I'm only doing SSL VPN, no IPSEC.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sat, 01 Oct 2011 04:44:25 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-a-cisco-asa-behind-pa2050-with-public-ip/m-p/747#M585</guid>
      <dc:creator>mhoush</dc:creator>
      <dc:date>2011-10-01T04:44:25Z</dc:date>
    </item>
    <item>
      <title>Re: How to configure a Cisco ASA behind PA2050 with public IP</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-a-cisco-asa-behind-pa2050-with-public-ip/m-p/748#M586</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;libr, if the external interface of the ASA must have a public IP address then configuring two interfaces on your 2050 for VWire seems to be your best option.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 02 Nov 2011 12:33:01 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-a-cisco-asa-behind-pa2050-with-public-ip/m-p/748#M586</guid>
      <dc:creator>bvandivier</dc:creator>
      <dc:date>2011-11-02T12:33:01Z</dc:date>
    </item>
  </channel>
</rss>

