How to configure a Cisco ASA behind PA2050 with public IP

Showing results for 
Search instead for 
Did you mean: 

How to configure a Cisco ASA behind PA2050 with public IP

Not applicable


I'm trying to figure out how to configure our PA2050 to point one of our public IPs in a /25 block to a Cisco ASA 5510 behind it. We're using both the PA's SSL VPN and the ASA's SSL VPN so I'd like to plug the ASA into port 2 on the PA2050 and allow it to be accessed directly via one of those public IPs.

Our upstream provider's equipment is x.x.x.1/25, interface 1 on the PA2050 is x.x.x.2/25, and I want to set up the ASA as x.x.x.125/25. Our upstream link comes directly into interface 1 of the PA2050 and I'd prefer NOT to put a switch in between them or something similar. How would I accomplish this? We've got plenty of NAT mappings working properly for various public IPs to internal RFC1918 addresses, but I'm a bit lost here.

Any pointers are appreciated, thanks in advance!


L4 Transporter

Have you considered running the ASA and the Paloalto in parallel? If you really want the ASA traffic inspected by the PA as well, you could put a vwire in front of the Cisco and then run the Cisco in parallel with the PA.

To avoid the need for a switch you could do a "one to one" nat on the WAN side of the PA to an IP on another interface that leads to the ASA. To do this build the NAT rule from the trusted side towards the internet and select the "bi-directional" option.

Steve Krall

I do want the PA to do all the traffic inspection in this case, the ASA is *only* there as a Cisco VPN endpoint.

If I were to do the 1-to-1 NAT method, I'm not understanding how to handle the interface addresses. What address would I be setting on interface 2 of the PA2050 if I plug the ASA into that one, given that the ASA should answer to x.x.x.125/25?


is the Cisco VPN encrypting ALL of the traffic with SSL? Or is it using IPSEC as well? You have to remember that the Palo Alto Device can decrypt the SSL traffc, but not IPSEC.


Actually, I've misread/misunderstood what the responses were asking, sorry! I don't want to do traffic inspection, I just want the PA to do all the filtering for VPN users connecting to the ASA. Sorry for the confusion. For what it's worth, though, I'm only doing SSL VPN, no IPSEC.

libr, if the external interface of the ASA must have a public IP address then configuring two interfaces on your 2050 for VWire seems to be your best option.  

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!