IPSEC Peer addresses to be used if NATTED IP?

CiscoBrownBelt
Level 6

Let's say you are building IPsec, I don't know, let's say IKEv1, between 2 ASAs at different locations, which sit behind a router that is PATting or NATting all traffic.

If the tunnel is using the Outside interfaces of both ASAs as the peer addresses (let's say the Site 1 ASA Outside interface is 10.0.0.1 and the other is 172.16.0.1), and so the Site 1 router is NATting that ASA to 100.1.1.1 and the Site 2 router is NATting that ASA to 200.1.1.1, I would still enter the original private IPs for the ASAs as the peers in my crypto configs, correct or no?

8 Replies

Hello,

--> If the tunnel is using the Outside interfaces of both ASAs as the peer addresses

You mean the tunnel uses 'ip unnumbered'?

Either way, the peer addresses are always the public IP addresses, on both sides.

Correct, tunnels are using the Outside IP address of both ASAs - no ip unnumbered configs.

OK, so you mean still use the NATted public IP, correct?

Friend,
IPsec peer uses public IP
router NATs public IP to private IP
if you use IKEv1
use PSK address private, not public

OK, so you mean in addition to the PAT that is done on the router for all internal private IP addresses, create an additional NAT statement to map the public IP (which is used for all internal devices going to the internet) to the ASA private IP?

Yes, this is IKEv1; not sure what you are referring to when you say "use PSK address private not public"?

ASA uses outside private IP

router will NAT this private IP to public IP "which can be reachable from other IPsec peer"
here need static PAT UDP port

when config IPsec IKEv1 in ASA, PSK must config with private IP "which is IP of ASA outside", not public IP "public IP router uses in NAT"

Both the peer and the address of the PSK needs to be the public IP, the one the VPN-device "sees" on the IP header. Depending on the platform and configuration you need to adjust the IKE identity to match this public IP.

I am not sure what you mean the PSK needs to be the public IP, you are referring to IKEv2, correct - I am using IKEv1?

tunnel-group (Public IP) ipsec-attributes
 ikev1 pre-shared-key cisco123

 

It is independent of IKEv1 or IKEv2. For both you use the public IP of the peer. 
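Putting the thread's advice together as an added example (this is not configuration posted by anyone in the thread): the Site 1 ASA has outside interface 10.0.0.1 behind a router that NATs it to 100.1.1.1, and peers with the Site 2 ASA whose outside 172.16.0.1 is NATted to 200.1.1.1. The crypto map peer and the tunnel-group name carry the remote peer's public address, and the Site 1 router adds static PAT for UDP/500 (IKE) and UDP/4500 (NAT-T) on top of its existing overload PAT so the peer's IKE packets reach the ASA. Interface names, the ACL and object names, the LAN subnets 192.168.1.0/24 and 192.168.2.0/24, and the IKEv1 policy values are assumptions; the pre-shared key cisco123 is the one from the thread.

```cisco
! ---- Site 1 edge router (IOS) - added example, not from the thread ----
! Static PAT so IKE (UDP/500) and NAT-T (UDP/4500) arriving at 100.1.1.1
! are delivered to the ASA outside interface 10.0.0.1
ip nat inside source static udp 10.0.0.1 500 100.1.1.1 500 extendable
ip nat inside source static udp 10.0.0.1 4500 100.1.1.1 4500 extendable
! Existing overload PAT for all other inside hosts stays in place
! (ACL name and interface are assumed)
ip nat inside source list INSIDE_NETS interface GigabitEthernet0/0 overload

! ---- Site 1 ASA - added example, not from the thread ----
! IKEv1 policy values are assumed
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside
! Keepalives for NAT-T so the router's PAT entry does not time out
crypto isakmp nat-traversal 20

crypto ipsec ikev1 transform-set TS_AES256 esp-aes-256 esp-sha-hmac

! Interesting traffic between the two LANs (subnets assumed)
access-list VPN_SITE2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! Peer is the remote PUBLIC address 200.1.1.1, not the remote outside 172.16.0.1
crypto map OUTSIDE_MAP 10 match address VPN_SITE2
crypto map OUTSIDE_MAP 10 set peer 200.1.1.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS_AES256
crypto map OUTSIDE_MAP interface outside

! Tunnel-group is keyed on the same public address as the peer
tunnel-group 200.1.1.1 type ipsec-l2l
tunnel-group 200.1.1.1 ipsec-attributes
 ikev1 pre-shared-key cisco123
```

Site 2 is the mirror image: its router forwards UDP/500 and UDP/4500 from 200.1.1.1 to 172.16.0.1, and its ASA uses `set peer 100.1.1.1` and `tunnel-group 100.1.1.1`. Identity NAT (NAT exemption) for the LAN-to-LAN traffic on each ASA is assumed to be in place and is not shown. As the last reply notes, the IKE identity may need adjusting on some platforms so the identity presented matches the public address the remote side sees; after bringing the tunnel up, `show crypto ikev1 sa` on the ASA should list the remote peer as 200.1.1.1, not 172.16.0.1.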
