topic Vpn clarification in Network Security

Vpn clarification

Shibu1978 — Tue, 12 Mar 2019 03:21:54 GMT

Dears,

I have a query regarding Site to Site VPN setup between a Juniper SRX 3600 and Cisco asa.

We have a Cisco ASA and the client has a Juniper SRX 3600.

Scenario here is our end Cisco ASA outside interface is private ip (10.10.10.10) & Public ip(static one to one) mapping is being done at the perimeter router.

Client side they have direct public configured on the Juniper SRX 3600 with NAT-Trasversal disabled on the corresponding tunnel towards our side.

They have a strict policy to disable NAT-T which they wont enable it.So we have too disable NAT-T here on the tunnel.

The issue here is Phase-1 is coming up but phase 2 i dont see any IPSEC SA.

In this scenario where our ASA behind a NAT device (router) with NAT-T disabled will the site to site vpn works ? Will the tunnel comes up disabling NAT-T?

Any assistance will be helpfull.

Vpn clarification

Shibu1978 — Thu, 26 Dec 2013 19:00:48 GMT

Any response would be highly appreciated thanks

Vpn clarification

Jeet Kumar — Thu, 26 Dec 2013 19:25:05 GMT

HI shibu,

If your edge is doing a one to one NAT for the ASA outside interface than there should be no issue.

But it the edge router is doing a PAT than you have no option but to enable the NAT-t on the remote end.

Because NAT-T doesn't work with PAT.

Thanks

Jeet Kumar

Vpn clarification

Shibu1978 — Thu, 26 Dec 2013 19:33:00 GMT

Hi Jeet,

Thanks for your response.

Pl see my response inline.

If your edge is doing a one to one NAT for the ASA outside interface than there should be no issue.

Shibu : YES we do one to one NAT.

So you mean site to site vpn works fine with NAT-T disbled at both end.

& One to one NAT configured on the perimeter device for the ASA private IP. pl clarify

Vpn clarification

Shibu1978 — Sat, 28 Dec 2013 11:55:00 GMT

Hi all,

Any update on this? really appreciated

Vpn clarification

zalkurdi — Sat, 28 Dec 2013 13:57:42 GMT

Hello,

A little clarification:

Q. Why is NAT-T needed?

A. In phase 2 and the last messages of phase1, the packets being sent between peers are encrypted ESP packets (IP-proto-50). So when an encrypted packet goes through a device running PAT, it will be dropped since it doesnt use port numbers. In these cases, NAT-T is used to send UDP 4500 packets instead of ESP packets. So, if you are behind a NAT device, you need to enable NAT-T.

As for the NATing on the router, you need to add 2 static NAT statements to allow UDP 500 and UDP 4500 packets.

ip nat inside source static udp X.X.X.X 500 interface FastEthernet0/0 500

ip nat inside source static udp X.X.X.X 4500 interface FastEthernet0/0 4500

This is called Port Forwading and will pass any VPN traffic to the ASA.

If you implement static NATing without ports, all traffic going to the public ip of the router will go to the ASA.

If you want to disable NAT-T, you can have the router become the termination point of the VPN instead of the ASA.

HTH

Zaid Al-Kurdi

Vpn clarification

Shibu1978 — Sat, 28 Dec 2013 15:35:55 GMT

Hello Zaid,

Thanks for your reply .

Here in the Perimeter router we have static nat configured as below . not PAT with port numbers.

ip nat inside source static *.*.*.* *.*.*.*

Q. Why is NAT-T needed?

Shibu : Our ASA is behind a NAT device(Router) & configured static NAT as above. I am bit confused about your statement which tells about PAT.

As Mr.Jeet kumar mentioned above with out NAT-T ESP should work fine with static NAT. Could you pl clarify here?

If you want to disable NAT-T, you can have the router become the termination point of the VPN instead of the ASA.

Shibu: We cannot make Router as the temination point as this is owned by providers datacentre.

Is there any way we can make the tunnel up with disabling NAT-T on both ends. I am very badly needed a solution for this?

Thanks in advance

Vpn clarification

Shibu1978 — Sat, 28 Dec 2013 17:28:44 GMT

Hi all,

Could someone give me clear clarity on this reqeust? any response would be appreciated.

Thanks

Vpn clarification

Shibu1978 — Sun, 29 Dec 2013 05:41:03 GMT

any response on this would be appreciated. thanks

Vpn clarification

zalkurdi — Mon, 30 Dec 2013 07:33:51 GMT

Hello,

Now if you want to statically map the public IP of the router to the IP of the ASA, that would work.

However, this will make all traffic to that IP, not just VPN, go to the ASA. My suggestion was to allow only VPN traffic through.

This is totally up to you.