01-14-2021 11:59 AM
Let's say you are building IPsec, I don't know, let's say IKEv1, between 2 ASAs at different locations, which sit behind a router that is PATting or NATting all traffic.
If the tunnel is using the Outside interfaces of both ASAs as the peer addresses (let's say Site 1 ASA Outside interface is 10.0.0.1 and the other is 172.16.0.1), and so Site 1 router is NATting the ASA to 100.1.1.1 and Site 2 router is NATting that ASA to 200.1.1.1, I would still enter the original private IPs for the ASAs as the peer in my crypto configs, correct or no?
01-14-2021 12:27 PM
Hello,
--> If the tunnel is using the Outside interfaces of both ASAs as the peer addresses
You mean the tunnel uses 'ip unnumbered'?
Either way, the peer addresses are always the public IP addresses, on both sides.
01-14-2021 01:55 PM - edited 01-14-2021 01:56 PM
Correct, tunnels are using the Outside IP address of both ASAs - no ip unnumbered configs.
Ok so you mean still use the NATted public IP, correct?
01-14-2021 09:25 PM
Friend,
IPsec peer uses public IP.
Router NATs public IP to private IP.
If you use IKEv1,
use PSK address private, not public.
01-16-2021 10:37 AM
Ok so you mean, in addition to the PAT that is done on the router for all internal private IP addresses, create an additional NAT statement to map the public IP (which is used for all internal devices going to the internet) to the ASA private IP?
Yes, this is IKEv1; not sure what you are referring to when you say "use PSK address private not public"?
01-16-2021 01:20 PM
ASA uses outside private IP.
Router will NAT this private IP to a public IP "which can be reachable from the other IPsec peer".
Here you need static PAT for the UDP port.
When configuring IPsec IKEv1 in the ASA, the PSK must be configured with the private IP "which is the IP of the ASA outside", not the public IP "the public IP the router uses in NAT".
01-15-2021 12:54 AM
Both the peer and the address of the PSK need to be the public IP, the one the VPN device "sees" in the IP header. Depending on the platform and configuration you need to adjust the IKE identity to match this public IP.
01-16-2021 10:41 AM - edited 01-19-2021 12:54 PM
I am not sure what you mean that the PSK needs to be the public IP; you are referring to IKEv2, correct? I am using IKEv1.
tunnel-group (Public IP) ipsec-attributes
ikev1 pre-shared-key cisco123
01-19-2021 02:34 PM
It is independent of IKEv1 or IKEv2. For both you use the public IP of the peer.
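To make the accepted answer concrete, here is an added example (not from any post in the thread) of what the Site 1 side looks like when the peer and tunnel-group use the public NATted address, plus the static PAT the PAT router needs so IKE and NAT-T reach the ASA. It uses the addresses from the question (ASA outside 10.0.0.1 behind 100.1.1.1, remote peer 200.1.1.1) and the sample key from the thread; the protected subnets, ACL name, crypto map name and policy numbers are assumptions. Site 2 mirrors it with 100.1.1.1 as the peer. The IKE identity caveat raised above is not addressed by this fragment.

```cisco
!=== Site 1 PAT router (Cisco IOS, assumed) ===
! Dynamic PAT for everything else stays as it is (overload). The static
! entries below take precedence for the ASA's IKE traffic, so UDP/500 and
! UDP/4500 keep fixed ports instead of being rewritten to random ones.
! ESP (IP protocol 50) cannot be PATted; NAT-T wraps it in UDP/4500.
ip nat inside source static udp 10.0.0.1 500 100.1.1.1 500 extendable
ip nat inside source static udp 10.0.0.1 4500 100.1.1.1 4500 extendable
!
! Check: both entries should appear as static translations.
! show ip nat translations | include 10.0.0.1

!=== Site 1 ASA (IKEv1 site-to-site) ===
! Protected subnets are assumptions for this example.
access-list VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
!
crypto ipsec ikev1 transform-set TS esp-aes-256 esp-sha-hmac
!
! The peer is the address seen in the IP header: the REMOTE site's public IP.
crypto map CMAP 10 match address VPN-ACL
crypto map CMAP 10 set peer 200.1.1.1
crypto map CMAP 10 set ikev1 transform-set TS
crypto map CMAP interface outside
!
! Tunnel-group is also keyed by the remote public IP, not 172.16.0.1.
! "cisco123" is the placeholder key from the thread.
tunnel-group 200.1.1.1 type ipsec-l2l
tunnel-group 200.1.1.1 ipsec-attributes
 ikev1 pre-shared-key cisco123
!
! Checks after bringing interesting traffic up:
! show crypto ikev1 sa      -> MM_ACTIVE with peer 200.1.1.1
! show crypto ipsec sa      -> encaps/decaps counters increasing
```

If `show crypto ikev1 sa` never gets past the first main-mode exchanges, look at the router's translation table first: a missing static entry for UDP/4500 is the usual reason phase 1 completes but no data flows through a PAT device.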