08-15-2007 06:36 AM - edited 03-11-2019 03:58 AM
Hi,
I have a VPN 3015 used for WEBVPN connections, and an ASA 5540 used for IPSEC connections.
I use the same public IP address for both.
The VPN 3015 and the ASA 5540 are behind a PIX 525, on a DMZ.
I have done this on the PIX 525:
static (DMZ,outside) tcp public_address https local_address_for_VPN3015 https netmask 255.255.255.255 0 0
static (DMZ,outside) tcp public_address 10000 local_address_for_ASA5540 10000 netmask 255.255.255.255 0 0
static (DMZ,outside) udp public_address isakmp local_address_for_ASA5540 isakmp netmask 255.255.255.255 0 0
It works fine for the WebVPN connections to the VPN 3015, and for the IPsec connections to the ASA 5540, but only for IPsec over TCP, not for IPsec over UDP.
I think the problem is the ESP protocol.
Any help?
Thanks
08-15-2007 06:53 AM
You need to forward IP protocol 50 (ESP) and UDP 500 (ISAKMP).
08-15-2007 07:47 AM
Hi,
Yes, I know this, but how can I add the ESP protocol to the static command?
08-16-2007 04:52 AM
No CCIE security or CCSP guy can help me??
08-16-2007 05:00 AM
Hi
Not CCIE Security or CCSP, but I don't think you can do this. Port forwarding only works on TCP and UDP ports because, in effect, ESP does not have a port number at all, only a protocol number.
So unless you can do a static statement where you don't define TCP/UDP ports, I don't think this will work.
Do you not have any spare public IP addresses?
Jon
08-16-2007 07:19 AM
Have you tried an inbound ACL on the ASA pointing to public_address allowing ESP (50) and AH (51)? Give that a try and test.
08-16-2007 08:05 AM
Hi,
The ASA 5540 is in a DMZ behind a PIX 525, and I added the acl to permit isakmp and esp.
on the PIX 525, I added the following commands:
static (DMZ,outside) tcp public_address https local_address_for_VPN3015 https netmask 255.255.255.255 0 0
static (DMZ,outside) udp public_address isakmp local_address_for_ASA5540 isakmp netmask 255.255.255.255 0 0
static (DMZ,outside) tcp public_address 10000 local_address_for_ASA5540 10000 netmask 255.255.255.255 0 0
It works fine for HTTPS and IPsec over TCP. For IPsec over UDP the VPN client can connect but can't do anything (like ping or others). When I add on the PIX the command:
static (DMZ,outside) public_address local_address_for_ASA5540 netmask 255.255.255.255 0 0
it works now for IPsec over UDP and for IPsec over TCP, but not for HTTPS (it works only if I do a clear xlate and use WebVPN first), and if there is another VPN client with IPsec over UDP, it works for IPsec over UDP but not for the new WebVPN connection.
08-16-2007 08:52 AM
You need to use a static one-to-one NAT entry for the ASA and punch the necessary holes in the outside ACL for the traffic. You can still use static PAT for the VPN3K, but you could also use a separate static one-to-one if you want.
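The one-to-one approach described above, written out as an added PIX configuration sketch; it is not from any poster in this thread, and the second public address (public_address_2), the ACL name outside_in and the NAT-T/IPsec-over-UDP ports are assumptions:

```cisco
! Added example, not from the thread. The VPN 3015 keeps the original public
! address via static PAT (HTTPS only), while the ASA 5540 gets its own public
! address (public_address_2, assumed) via a one-to-one static. A one-to-one
! static translates every IP protocol, so ESP (IP protocol 50, which has no
! port to PAT on) reaches the ASA.
static (DMZ,outside) tcp public_address https local_address_for_VPN3015 https netmask 255.255.255.255 0 0
static (DMZ,outside) public_address_2 local_address_for_ASA5540 netmask 255.255.255.255 0 0
!
! Outside ACL (name outside_in is assumed): open only what each box needs.
access-list outside_in permit tcp any host public_address eq https
access-list outside_in permit udp any host public_address_2 eq isakmp
access-list outside_in permit esp any host public_address_2
access-list outside_in permit tcp any host public_address_2 eq 10000
! Assumed: NAT-T (UDP 4500) and Cisco IPsec over UDP (default UDP 10000).
access-list outside_in permit udp any host public_address_2 eq 4500
access-list outside_in permit udp any host public_address_2 eq 10000
access-group outside_in in interface outside
!
! As the thread notes, clear existing translations after changing statics.
clear xlate
```

Because the ASA only ever sees its own public address, a WebVPN session on the VPN 3015 no longer competes with an IPsec client for the same translation.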
08-16-2007 08:58 AM
You need 2 public addresses.
08-16-2007 09:01 AM
Exactly what I said about static one-to-one NAT entries, obviously different IPs from the PIX outside interface.
08-16-2007 09:20 AM
The easy solution is to use two public addresses, but the problem is that I want my users to use only one public DNS name for both WebVPN and IPsec connections.
The reason I do not use the ASA 5540 for both WebVPN and IPsec connections is that the ASA 5540 does not have a licence for WebVPN, which is why I use the VPN 3015 for WebVPN.
08-16-2007 09:22 AM
Like the other person already stated, you can't PAT ESP.
08-17-2007 07:45 AM
I know that we can put the ASA 5540 and the VPN Concentrator in VPN load balancing.
If I do this, can the VPN cluster tell that this is a WebVPN connection and thus give it to the VPN Concentrator 3015, and that this is an IPsec connection and give it to the ASA 5540?