779 Views, 0 Helpful, 1 Reply
Beginner

Site to Site IPSEC behind NAT

I am trying to see if it is possible to create an IPsec VPN tunnel where one side has a public address and the other device has a NAT'd private address. I have never done this before, but it sounds possible with NAT-T. Please let me know. Here is an example; I need the tunnel to connect from Firewall A to Firewall C.
1 Reply
Hall of Fame Master

I have not done site-to-site IPsec VPN where one device is using a translated private address and the platform is ASA. But I have done this successfully where the platform was an IOS router. It worked just fine on the routers, and I can think of no reason why it would not work on ASA.

The key thing is that there must be a static address translation for the VPN peer's private address. A dynamic translation will not work. And in your example, the firewall in the middle must have access policies to permit incoming traffic for ISAKMP (UDP 500 and UDP 4500) and for ESP (IP protocol 50).

HTH

Rick
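The two conditions Rick names (a static translation for the peer's private address, and permits for UDP 500, UDP 4500 and IP protocol 50 on the firewall in the middle) can be checked mechanically before bringing the tunnel up. The script below is an added example, not code from this thread or from any Cisco product: the NAT-rule and ACL record formats, the sample addresses (RFC 5737 documentation ranges) and the sample policies are all constructed here, and the checker generalises slightly beyond the question by also reporting the case where only a dynamic translation exists and the case where an earlier deny entry shadows the required permit.

```python
"""
Added example (not from the original thread): a small policy checker that
encodes the two requirements for a site-to-site IPsec peer behind NAT:
  1. the peer's private address must have a STATIC translation, and
  2. the firewall in front of it must permit inbound UDP/500 (ISAKMP),
     UDP/4500 (NAT-T encapsulation) and IP protocol 50 (ESP) to that peer.
The NatRule / AclEntry record formats are constructed for this example and
are not any vendor's configuration syntax.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class NatRule:
    inside: str        # private address (or a prefix for a dynamic pool rule)
    outside: str       # public address the inside address is translated to
    static: bool       # True for a one-to-one static translation


@dataclass(frozen=True)
class AclEntry:
    action: str           # "permit" or "deny"
    proto: str            # "udp", "tcp", "esp", "ip" (any protocol) or "any"
    dst: str              # destination address or "any"
    dport: Optional[int]  # destination port; None for port-less protocols or any port


# The three inbound flows a NAT-T IPsec peer needs (proto, port).
REQUIRED_FLOWS = (("udp", 500), ("udp", 4500), ("esp", None))


def static_translation_for(peer_private: str, nat_rules: List[NatRule]) -> Optional[str]:
    """Return the public address statically mapped to peer_private, else None."""
    for r in nat_rules:
        if r.inside == peer_private and r.static:
            return r.outside
    return None


def _matches(entry: AclEntry, proto: str, port: Optional[int], dsts) -> bool:
    """True if the ACL entry would be evaluated against this flow (action ignored)."""
    if entry.dst != "any" and entry.dst not in dsts:
        return False
    if entry.proto not in (proto, "any", "ip"):
        return False
    if port is not None and entry.dport not in (port, None):
        return False
    return True


def first_match(acl: List[AclEntry], proto: str, port: Optional[int], dsts) -> Optional[AclEntry]:
    """Walk the ACL in order (first-match semantics); return the matching entry or None."""
    for e in acl:
        if _matches(e, proto, port, dsts):
            return e
    return None


def check_peer_behind_nat(peer_private: str, nat_rules: List[NatRule], acl: List[AclEntry]) -> List[str]:
    """Return a list of findings; an empty list means both requirements are met."""
    findings = []
    public = static_translation_for(peer_private, nat_rules)
    if public is None:
        findings.append(f"no static NAT for {peer_private} (dynamic or missing translation)")
        dsts = {peer_private}
    else:
        # The policy may be written against the pre- or post-translation address.
        dsts = {peer_private, public}
    for proto, port in REQUIRED_FLOWS:
        label = f"{proto}/{port}" if port is not None else proto
        hit = first_match(acl, proto, port, dsts)
        if hit is None:
            findings.append(f"no ACL entry matches inbound {label} to the peer")
        elif hit.action != "permit":
            findings.append(f"inbound {label} to the peer is denied by the first matching ACL entry")
    return findings


# Constructed sample: the middle firewall fronts peer C (private 192.168.20.1)
# with a static translation to 203.0.113.20; everything else uses a dynamic pool.
SAMPLE_NAT = [
    NatRule(inside="192.168.20.1", outside="203.0.113.20", static=True),
    NatRule(inside="192.168.0.0/16", outside="203.0.113.1", static=False),
]
SAMPLE_ACL_OK = [
    AclEntry("permit", "udp", "203.0.113.20", 500),
    AclEntry("permit", "udp", "203.0.113.20", 4500),
    AclEntry("permit", "esp", "203.0.113.20", None),
    AclEntry("deny", "ip", "any", None),
]
SAMPLE_ACL_BROKEN = [
    AclEntry("permit", "udp", "203.0.113.20", 500),
    AclEntry("deny", "ip", "any", None),  # shadows NAT-T (UDP/4500) and ESP
]

if __name__ == "__main__":
    for name, acl in (("ok", SAMPLE_ACL_OK), ("broken", SAMPLE_ACL_BROKEN)):
        print(name, check_peer_behind_nat("192.168.20.1", SAMPLE_NAT, acl) or "all requirements met")
    print("dynamic-only peer", check_peer_behind_nat("192.168.30.1", SAMPLE_NAT, SAMPLE_ACL_OK))
```

The checker deliberately uses first-match semantics, because a correct permit placed below a broad deny is as useless as a missing one, and it reports the NAT problem separately from the ACL problems so the two can be fixed independently.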