ASA behind Router VPN

Hi, here is the problem.

Router1  SITE1--------- INTERNET ---------SITE2   ASA------Router2.

I wanted to set up a site-to-site VPN between ROUTER1 and ROUTER2. However, as there is an ASA in between, is it possible? I do not want to configure a VPN on the ASA but want to configure a VPN on Router2.

router1

crypto isakmp policy 1
 encr aes 256
 hash sha512
 authentication pre-share
 group 5
crypto isakmp key cisco12345 address 209.165.201.254
crypto ipsec transform-set VPN esp-aes esp-sha512-hmac
 mode tunnel
crypto map VPN 1 ipsec-isakmp
 set peer 209.165.201.254
 set transform-set VPN
 match address 100
!
! the crypto map is applied under the Internet-facing interface
interface <WAN interface>
 crypto map VPN

show access-list
Extended IP access list 100
    20 permit udp any any eq non500-isakmp
    30 permit udp any any eq isakmp
    40 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

Router2

crypto isakmp policy 1
 encr aes 256
 hash sha512
 authentication pre-share
 group 5
crypto isakmp key cisco12345 address 209.165.200.1
crypto ipsec transform-set VPN esp-aes esp-sha512-hmac
 mode tunnel
crypto map VPN 1 ipsec-isakmp
 set peer 209.165.200.1
 set transform-set VPN
 match address 100
!
! the crypto map is applied under the interface facing the ASA
interface <WAN interface>
 crypto map VPN

#show access-lists
Extended IP access list 100
    10 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
    20 permit udp any any eq non500-isakmp
    30 permit udp any any eq isakmp

I gave a spare public IP to ROUTER2. What config do I have to make on the firewall? What NAT, policy NAT? Please help.

Please do not forget to rate.
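As an added check (not part of the original post), the following Python script parses the two `show access-list` outputs above and reports whether the two crypto ACLs mirror each other and whether they carry entries that do not describe traffic to be protected. The ACL text is copied from the question; the function and variable names are my own, and the wildcard conversion assumes contiguous masks.

```python
import ipaddress
import re
from typing import List, Tuple

Network = ipaddress.IPv4Network

# 'show access-list' output for ACL 100 on each router, as posted in the question.
ROUTER1_ACL = """\
Extended IP access list 100
    20 permit udp any any eq non500-isakmp
    30 permit udp any any eq isakmp
    40 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
"""

ROUTER2_ACL = """\
Extended IP access list 100
    10 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
    20 permit udp any any eq non500-isakmp
    30 permit udp any any eq isakmp
"""

# ACE with explicit 'address wildcard' source and destination, e.g.
#   40 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
IP_ACE = re.compile(r"^\s*\d+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
# Any other numbered permit/deny entry (udp, tcp, ...).
OTHER_ACE = re.compile(r"^\s*\d+\s+(permit|deny)\s+(\S+)")


def wildcard_to_network(addr: str, wildcard: str) -> Network:
    """Convert an IOS 'address wildcard' pair into an IPv4Network.
    Assumes a contiguous wildcard mask (0.0.0.255 -> /24)."""
    host_bits = int(ipaddress.IPv4Address(wildcard))
    prefix = 32 - bin(host_bits).count("1")
    return Network(f"{addr}/{prefix}", strict=False)


def parse_crypto_acl(text: str) -> Tuple[List[Tuple[Network, Network]], List[str]]:
    """Split a crypto ACL into the (src, dst) network pairs it protects and the
    entries that do not describe interesting traffic (e.g. 'permit udp ... eq isakmp')."""
    pairs, stray = [], []
    for line in text.splitlines():
        m = IP_ACE.match(line)
        if m:
            src, src_wc, dst, dst_wc = m.groups()
            pairs.append((wildcard_to_network(src, src_wc),
                          wildcard_to_network(dst, dst_wc)))
            continue
        m = OTHER_ACE.match(line)
        if m and m.group(2) != "ip":
            stray.append(line.strip())
    return pairs, stray


def check_crypto_acls(name_a: str, acl_a: str, name_b: str, acl_b: str) -> List[str]:
    """Return findings for a pair of crypto ACLs. An empty list means each side's
    protected networks are the exact mirror of the other side's and neither ACL
    carries entries that belong in an interface ACL instead."""
    findings = []
    pairs_a, stray_a = parse_crypto_acl(acl_a)
    pairs_b, stray_b = parse_crypto_acl(acl_b)
    for name, stray in ((name_a, stray_a), (name_b, stray_b)):
        for entry in stray:
            findings.append(f"{name}: '{entry}' is not interesting traffic; permit "
                            "IKE (UDP 500) and NAT-T (UDP 4500) in the interface ACL, "
                            "not in the crypto map's match address ACL")
    for name, own, peer_name, peer in ((name_a, pairs_a, name_b, pairs_b),
                                       (name_b, pairs_b, name_a, pairs_a)):
        # the peer's (src, dst) pairs, swapped, are what this side must contain
        mirrored = {(dst, src) for src, dst in peer}
        for src, dst in own:
            if (src, dst) not in mirrored:
                findings.append(f"{name}: {src} -> {dst} has no mirror entry on {peer_name}")
    return findings


if __name__ == "__main__":
    for finding in check_crypto_acls("Router1", ROUTER1_ACL, "Router2", ROUTER2_ACL):
        print(finding)
```

Run against the two outputs above it reports no mirror mismatch (10.1.1.0/24 <-> 10.2.2.0/24 is consistent on both ends) but flags the four UDP entries, since the ISAKMP and NAT-T permits belong on the interface ACL rather than in the ACL a crypto map matches on.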
6 Replies

Aditya Ganjoo
Cisco Employee

Hi,

Yes it is possible.

You need to make the ASA a VPN passthrough device.

You need to allow UDP 500, UDP 4500 and ESP traffic on the ASA between the two VPN peers.

More info on this link:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/63881-ipsec-pix70-nat.html

Regards,

Aditya

Please rate helpful and mark correct answers

Hi, the link is too old. I mean they are running version 7, whereas at the moment it is 9.x. Even the NAT statement is different.

Please do not forget to rate.

Hi Sherazrose,

See my comment above for a sample configuration.

Spooster IT Services Team

Hi sherazrose,

You need to configure one-to-one NAT for the router's public IP and allow traffic from WAN to LAN for these ports and protocols. Let me know the router's private IP so I can help you with the configuration.

Spooster IT Services Team

Hi, what will be the NAT statement?

nat (inside,outside) source static INTERNAL EXTERNAL

or

nat (inside,outside) static PUBLIC-IPADDRESS

Please do not forget to rate.

The configuration will be like the following:

object network ROUTER2
 host <Private IP of router>
 nat (inside,outside) static 209.165.201.254
!
object network ROUTER1
 host 209.165.200.1
!
object-group service VPN-SERVICES udp
 port-object eq isakmp
 port-object eq 4500
!
access-list outside_access_in extended permit udp object ROUTER1 object ROUTER2 object-group VPN-SERVICES
access-list outside_access_in extended permit esp object ROUTER1 object ROUTER2
!
! apply the ACL inbound on the outside interface if it is not already applied
access-group outside_access_in in interface outside

Spooster IT Services Team
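An added example, not from the reply above or from Cisco: a Python audit that parses the ASA snippet and confirms the three things IPsec passthrough to a router behind the ASA needs, the static NAT for the router's private address, permits for UDP 500, UDP 4500 and ESP from the remote peer, and the ACL actually applied to an interface. The private IP 10.2.2.1 and the `access-group` line are assumptions filled in for the placeholder; the function names are my own, and the parser only understands the command forms used in the snippet.

```python
import re
from typing import Dict, List, Set, Tuple

# The ASA snippet from the reply, with the '<Private IP of router>' placeholder
# filled in with a constructed value (10.2.2.1) and the access-group line that
# applies the ACL added; both are assumptions, not part of the thread.
ASA_CONFIG = """\
object network ROUTER2
 host 10.2.2.1
 nat (inside,outside) static 209.165.201.254
!
object network ROUTER1
 host 209.165.200.1
!
object-group service VPN-SERVICES udp
 port-object eq isakmp
 port-object eq 4500
!
access-list outside_access_in extended permit udp object ROUTER1 object ROUTER2 object-group VPN-SERVICES
access-list outside_access_in extended permit esp object ROUTER1 object ROUTER2
access-group outside_access_in in interface outside
"""

PORT_NAMES = {"isakmp": 500}  # ASA port literal used in the snippet
# What the ASA must let through: IKE, NAT-T and the ESP payload itself.
REQUIRED: Set[Tuple[str, object]] = {("udp", 500), ("udp", 4500), ("esp", None)}


def parse_asa(text: str):
    """Collect network objects, service groups, object-based ACEs and applied ACLs.
    Only the command forms used in the snippet are understood."""
    objects: Dict[str, Dict[str, str]] = {}
    groups: Dict[str, Set[int]] = {}
    aces: List[Tuple] = []
    applied: Set[str] = set()
    current = None  # (kind, name) of the object or group being filled in
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"object network (\S+)$", line):
            current = ("object", m.group(1))
            objects[m.group(1)] = {}
        elif m := re.match(r"object-group service (\S+) (tcp|udp|tcp-udp)$", line):
            current = ("group", m.group(1))
            groups[m.group(1)] = set()
        elif m := re.match(r"access-list (\S+) extended permit (\S+) object (\S+) "
                           r"object (\S+)(?: object-group (\S+))?$", line):
            aces.append(m.groups())  # (acl, proto, src_obj, dst_obj, svc_group)
        elif m := re.match(r"access-group (\S+) in interface \S+$", line):
            applied.add(m.group(1))
        elif current and current[0] == "object" and (m := re.match(r"host (\S+)$", line)):
            objects[current[1]]["host"] = m.group(1)
        elif current and current[0] == "object" and (
                m := re.match(r"nat \(\S+,\S+\) static (\S+)$", line)):
            objects[current[1]]["static_nat"] = m.group(1)
        elif current and current[0] == "group" and (m := re.match(r"port-object eq (\S+)$", line)):
            port = m.group(1)
            groups[current[1]].add(PORT_NAMES.get(port, int(port) if port.isdigit() else -1))
    return objects, groups, aces, applied


def audit_passthrough(text: str, inside_peer: str, outside_peer: str, public_ip: str) -> List[str]:
    """Return what is still missing for IPsec passthrough to the object named
    inside_peer (the router behind the ASA) from outside_peer; [] means complete."""
    objects, groups, aces, applied = parse_asa(text)
    missing: List[str] = []
    nat = objects.get(inside_peer, {}).get("static_nat")
    if nat != public_ip:
        missing.append(f"static NAT {inside_peer} -> {public_ip} not found (got {nat})")
    permitted: Set[Tuple[str, object]] = set()
    unapplied: Set[str] = set()
    for acl, proto, src, dst, group in aces:
        if src != outside_peer or dst != inside_peer:
            continue
        if acl not in applied:
            unapplied.add(acl)  # an ACE in an unapplied ACL permits nothing
            continue
        if proto == "esp":
            permitted.add(("esp", None))
        elif group:
            permitted.update((proto, port) for port in groups.get(group, set()))
    for acl in sorted(unapplied):
        missing.append(f"access-list {acl} is never applied with access-group")
    for proto, port in sorted(REQUIRED, key=str):
        if (proto, port) not in permitted:
            label = proto if port is None else f"{proto}/{port}"
            missing.append(f"no permit for {label} from {outside_peer} to {inside_peer}")
    return missing


if __name__ == "__main__":
    gaps = audit_passthrough(ASA_CONFIG, "ROUTER2", "ROUTER1", "209.165.201.254")
    print("passthrough complete" if not gaps else "\n".join(gaps))
```

The check treats an ACE in an ACL that no `access-group` applies as permitting nothing, which is the usual reason a pasted snippet like this one looks right but IKE still never reaches the inside router.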