ASA WITH PRIVATE ADDRESSING ENDING IPSEC VPN

Hi all!

I have a doubt:

I have an Internet router with a public IP address.

Behind the router I have an ASA. The connection between the router and the ASA is a private network. This looks like:

(1.1.1.1)
ROUTER
|          (192.168.1.1)
|
|
|          (192.168.1.2)
ASA
|
|
client network

My question is, can the ASA act as an IPSEC VPN CONCENTRATOR from internet clients?

Are there any examples?

Thank you!!

barry
Level 7

Hi David

Yes you can do this. I've done it many times.

You will obviously need NAT / Port Forwarding on your router so that the ASA becomes reachable on the Internet - and you'll need a minimum of one static public IP Address.

If you've only got one static, then you'll need to configure port forwarding on the router to forward all of the ports / protocols that IPSEC uses - including ESP/AH/UDP 4500/UDP 500, and possibly some others. If it's Cisco IPSEC VPN clients you're supporting, I would recommend running this over TCP 10000 as this makes your port forwarding easier.

If you've got more than one static, just dedicate a public IP address to the ASA.

The instructions for doing NAT / Port Forwarding will vary depending on what type of router it is - you'll need to check its documentation.

On the ASA, nothing particularly needs to be configured - just ensure that "NAT Traversal" is enabled for IPSEC. Your remote VPN end point(s) will also need to support NAT Traversal as well (most modern IPSEC VPN devices do this with no problems, the standard for NAT traversal has been around for years).

HTH. Barry
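
The single-public-IP setup described in the reply above, as an added configuration sketch that is not part of the original thread. It assumes the Internet router runs Cisco IOS (the thread does not say what the router is), and the interface names are hypothetical; the addresses are the ones from the question.

```cisco
! ---------- Internet router (assumed Cisco IOS) ----------
! Interface names below are assumptions, not from the thread.
interface GigabitEthernet0/0
 description Internet side (1.1.1.1)
 ip nat outside
!
interface GigabitEthernet0/1
 description Private link to ASA (192.168.1.1)
 ip nat inside
!
! Forward only what the VPN needs to the ASA outside address,
! rather than exposing the ASA as a catch-all DMZ host.
! UDP 500  = IKE
! UDP 4500 = NAT Traversal (ESP carried inside UDP)
ip nat inside source static udp 192.168.1.2 500 interface GigabitEthernet0/0 500
ip nat inside source static udp 192.168.1.2 4500 interface GigabitEthernet0/0 4500
!
! Only when the Cisco VPN clients are set to IPsec over TCP:
ip nat inside source static tcp 192.168.1.2 10000 interface GigabitEthernet0/0 10000

! ---------- ASA (outside interface 192.168.1.2) ----------
! Enable NAT Traversal with a 20-second keepalive.
crypto isakmp nat-traversal 20
!
! Only when the clients use IPsec over TCP on port 10000.
! The keyword for this command differs between ASA software
! releases, so check the command reference for the release in use.
crypto isakmp ipsec-over-tcp port 10000
!
! After a client connects, confirm the encapsulation in use:
!   show crypto isakmp sa
!   show crypto ipsec sa
```

Remote peers and clients must be configured with the router's public address (1.1.1.1), since the ASA's own outside address is private.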
