12-26-2013 10:44 AM - edited 03-11-2019 08:21 PM
Dears,
I have a query regarding Site to Site VPN setup between a Juniper SRX 3600 and a Cisco ASA.
We have a Cisco ASA and the client has a Juniper SRX 3600.
Scenario here is our end Cisco ASA outside interface is a private IP (10.10.10.10) & public IP (static one-to-one) mapping is being done at the perimeter router.
Client side they have a direct public IP configured on the Juniper SRX 3600 with NAT-Traversal disabled on the corresponding tunnel towards our side.
They have a strict policy to disable NAT-T which they won't enable. So we have to disable NAT-T here on the tunnel too.
The issue here is Phase-1 is coming up but in phase 2 I don't see any IPSEC SA.
In this scenario where our ASA is behind a NAT device (router) with NAT-T disabled, will the site-to-site VPN work? Will the tunnel come up with NAT-T disabled?
Any assistance will be helpful.
12-26-2013 11:00 AM
Any response would be highly appreciated, thanks.
12-26-2013 11:25 AM
Hi Shibu,
If your edge is doing a one-to-one NAT for the ASA outside interface then there should be no issue.
But if the edge router is doing PAT then you have no option but to enable NAT-T on the remote end.
Because NAT-T doesn't work with PAT.
Thanks
Jeet Kumar
12-26-2013 11:33 AM
Hi Jeet,
Thanks for your response.
Please see my response inline.
If your edge is doing a one-to-one NAT for the ASA outside interface then there should be no issue.
Shibu: Yes, we do one-to-one NAT.
So you mean site-to-site VPN works fine with NAT-T disabled at both ends
& one-to-one NAT configured on the perimeter device for the ASA private IP. Please clarify.
12-28-2013 03:55 AM
Hi all,
Any update on this? Really appreciated.
12-28-2013 05:57 AM
Hello,
A little clarification:
Q. Why is NAT-T needed?
A. In phase 2 and the last messages of phase 1, the packets being sent between peers are encrypted ESP packets (IP-proto-50). So when an encrypted packet goes through a device running PAT, it will be dropped since it doesn't use port numbers. In these cases, NAT-T is used to send UDP 4500 packets instead of ESP packets. So, if you are behind a NAT device, you need to enable NAT-T.
As for the NATing on the router, you need to add 2 static NAT statements to allow UDP 500 and UDP 4500 packets.
ip nat inside source static udp X.X.X.X 500 interface FastEthernet0/0 500
ip nat inside source static udp X.X.X.X 4500 interface FastEthernet0/0 4500
This is called Port Forwarding and will pass any VPN traffic to the ASA.
If you implement static NATing without ports, all traffic going to the public IP of the router will go to the ASA.
If you want to disable NAT-T, you can have the router become the termination point of the VPN instead of the ASA.
HTH
Zaid Al-Kurdi
12-28-2013 07:35 AM
Hello Zaid,
Thanks for your reply.
Here in the perimeter router we have static NAT configured as below, not PAT with port numbers.
ip nat inside source static *.*.*.* *.*.*.*
Q. Why is NAT-T needed?
A. In phase 2 and the last messages of phase 1, the packets being sent between peers are encrypted ESP packets (IP-proto-50). So when an encrypted packet goes through a device running PAT, it will be dropped since it doesn't use port numbers. In these cases, NAT-T is used to send UDP 4500 packets instead of ESP packets. So, if you are behind a NAT device, you need to enable NAT-T.
Shibu: Our ASA is behind a NAT device (router) & configured with static NAT as above. I am a bit confused about your statement which tells about PAT.
As Mr. Jeet Kumar mentioned above, without NAT-T ESP should work fine with static NAT. Could you please clarify here?
If you want to disable NAT-T, you can have the router become the termination point of the VPN instead of the ASA.
Shibu: We cannot make the router the termination point as this is owned by the provider's datacentre.
Is there any way we can bring the tunnel up with NAT-T disabled on both ends? I very badly need a solution for this.
Thanks in advance
12-28-2013 09:28 AM
Hi all,
Could someone give me clear clarity on this request? Any response would be appreciated.
Thanks
12-28-2013 09:41 PM
Any response on this would be appreciated. Thanks.
12-29-2013 11:33 PM
Hello,
Now if you want to statically map the public IP of the router to the IP of the ASA, that would work.
However, this will make all traffic to that IP, not just VPN, go to the ASA. My suggestion was to allow only VPN traffic through.
This is totally up to you.
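The two answers above (Zaid's explanation of why PAT drops ESP and his later note that a one-to-one static mapping would work) can be modelled in a few lines. The following is an added example written for this page, not code from the thread or from any Cisco or Juniper product: it simulates a one-to-one static NAT and a PAT on the perimeter router and pushes one phase-2 packet out and the peer's reply back in, once as raw ESP (NAT-T disabled) and once as ESP in UDP 4500 (NAT-T enabled). The ASA address 10.10.10.10 comes from the thread; the router public address and the SRX peer address are constructed sample values.

```python
"""Model of the NAT behaviours discussed in the thread above (added example, not
from the thread): a one-to-one static NAT versus PAT, carrying either raw ESP
(IP protocol 50, NAT-T disabled) or ESP encapsulated in UDP 4500 (NAT-T enabled).
Addresses other than the ASA's are constructed sample values."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

IP_PROTO_UDP = 17
IP_PROTO_ESP = 50        # ESP has no transport header, hence no port numbers
IKE_PORT = 500
NAT_T_PORT = 4500

ASA_PRIVATE = "10.10.10.10"     # ASA outside interface (from the thread)
ROUTER_PUBLIC = "198.51.100.1"  # constructed: perimeter router public address
PEER = "203.0.113.5"            # constructed: the Juniper SRX public address

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None  # None when the protocol carries no ports (ESP)
    dport: Optional[int] = None

class StaticNat:
    """'ip nat inside source static <inside> <outside>': only the IP header is
    rewritten, so the translation is independent of protocol and ports."""

    def __init__(self, inside_ip: str, outside_ip: str) -> None:
        self.inside_ip, self.outside_ip = inside_ip, outside_ip

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        return replace(pkt, src=self.outside_ip) if pkt.src == self.inside_ip else None

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        return replace(pkt, dst=self.inside_ip) if pkt.dst == self.outside_ip else None

class Pat:
    """Overload NAT: every translation entry is keyed on a transport port, so a
    packet without ports (ESP) cannot be entered in the table and is dropped."""

    def __init__(self, outside_ip: str) -> None:
        self.outside_ip = outside_ip
        # (proto, outside_port) -> (inside_ip, inside_port)
        self.table: Dict[Tuple[int, int], Tuple[str, int]] = {}
        self.next_free = 1024

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.sport is None:
            return None  # no L4 port to key the entry on: dropped
        key = (pkt.proto, pkt.sport)  # prefer keeping the inside port
        if self.table.get(key, (pkt.src, pkt.sport)) != (pkt.src, pkt.sport):
            key = (pkt.proto, self.next_free)  # port already used by another host
            self.next_free += 1
        self.table[key] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.outside_ip, sport=key[1])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dport is None or pkt.dst != self.outside_ip:
            return None
        entry = self.table.get((pkt.proto, pkt.dport))
        if entry is None:
            return None  # no matching translation: dropped
        inside_ip, inside_port = entry
        return replace(pkt, dst=inside_ip, dport=inside_port)

def phase2_traffic_passes(nat, nat_t_enabled: bool) -> bool:
    """Send one phase-2 packet from the ASA out through the NAT, then the peer's
    reply back in; True only if both directions are translated."""
    if nat_t_enabled:
        out = Packet(ASA_PRIVATE, PEER, IP_PROTO_UDP, NAT_T_PORT, NAT_T_PORT)
    else:
        out = Packet(ASA_PRIVATE, PEER, IP_PROTO_ESP)
    xlated = nat.outbound(out)
    if xlated is None:
        return False
    reply = Packet(PEER, xlated.src, xlated.proto, xlated.dport, xlated.sport)
    back = nat.inbound(reply)
    return back is not None and back.dst == ASA_PRIVATE

def nat_matrix() -> Dict[Tuple[str, bool], bool]:
    """Outcome for each combination of NAT type and NAT-T setting."""
    builders = {
        "static 1:1": lambda: StaticNat(ASA_PRIVATE, ROUTER_PUBLIC),
        "PAT": lambda: Pat(ROUTER_PUBLIC),
    }
    return {(name, nat_t): phase2_traffic_passes(make(), nat_t)
            for name, make in builders.items() for nat_t in (False, True)}

if __name__ == "__main__":
    for (nat_type, nat_t), ok in nat_matrix().items():
        print(f"{nat_type:11} NAT-T {'on ' if nat_t else 'off'}: "
              f"{'passes' if ok else 'dropped'}")
```

Running it prints the four combinations: with a one-to-one static mapping the ESP packets pass whether NAT-T is on or off, while with PAT only the UDP 4500 (NAT-T) variant survives, which is the distinction the thread turns on. It says nothing about IKE identity or policy matching on the SRX side, which the model does not cover; a phase 2 that stays down behind a true one-to-one NAT needs to be checked there rather than in the NAT table.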