Site to Site IPSEC behind NAT

Bob Boklewski
Level 1

I am trying to see if it is possible to create an IPsec VPN tunnel where one side has a public address and the other device has a NAT'd private address. I have never done this before, but it sounds possible with NAT-T. Please let me know; here is an example, I need the tunnel to connect from Firewall A to Firewall C.


Richard Burts
Hall of Fame

I have not done site to site IPsec VPN where one device is using a translated private address where the platform is ASA. But I have done this successfully where the platform was IOS router. It worked just fine on the routers and I can think of no reason why it would not work on ASA.

The key thing is that there must be a static address translation for the VPN peer private address. A dynamic translation will not work. And in your example the firewall in the middle must have access policies to permit incoming traffic for ISAKMP (UDP 500 and UDP 4500) and for ESP (IP protocol 50).

HTH

Rick
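To make the two requirements in the reply concrete, here is an added example configuration for the NAT firewall in the middle (Firewall B), in ASA 8.3-or-later syntax; it is not from the original thread. All addresses (RFC 5737 documentation ranges), object names, the ACL name and the interface names are constructed placeholders, and it assumes the ASA behaviour that post-8.3 access lists match the real (untranslated) address.

```cisco
! Added example, not from the original post: Firewall B (the NAT device between
! the two VPN peers). Implements the two points from the reply:
!   1. a one-to-one STATIC translation for the inside VPN peer (Firewall C)
!   2. inbound rules for ISAKMP (UDP 500), NAT-T (UDP 4500) and ESP (IP proto 50)
! Topology assumed (all addresses constructed):
!   Firewall A 198.51.100.5 <-- Internet --> Firewall B outside 203.0.113.1
!   Firewall B inside 192.168.1.1 <-- LAN --> Firewall C outside 192.168.1.10
!   Firewall B translates 192.168.1.10 <-> 203.0.113.10 (Firewall A peers with .10)
!
! Real (private) address of Firewall C's outside interface
object network VPN-PEER-C-REAL
 host 192.168.1.10
!
! Public address Firewall A uses as its peer. A dynamic or PAT translation will
! not work here: the mapping must not change and ESP has no ports to translate.
object network VPN-PEER-C-MAPPED
 host 203.0.113.10
!
! Static one-to-one translation, inside -> outside (twice-NAT form)
nat (inside,outside) source static VPN-PEER-C-REAL VPN-PEER-C-MAPPED
!
! The known remote peer (Firewall A); rules are limited to this source only
object network VPN-PEER-A
 host 198.51.100.5
!
! Inbound policy on the outside interface. On ASA 8.3+ the ACL is evaluated
! against the REAL destination address, so it references 192.168.1.10, not
! the mapped 203.0.113.10. Only the three protocols the tunnel needs are opened.
access-list OUTSIDE_IN extended permit udp object VPN-PEER-A object VPN-PEER-C-REAL eq isakmp
access-list OUTSIDE_IN extended permit udp object VPN-PEER-A object VPN-PEER-C-REAL eq 4500
access-list OUTSIDE_IN extended permit esp object VPN-PEER-A object VPN-PEER-C-REAL
access-group OUTSIDE_IN in interface outside
!
! Peer settings on the endpoints (not shown): Firewall A sets its peer to
! 203.0.113.10, Firewall C sets its peer to 198.51.100.5 and must have NAT-T
! enabled so IKE detects the translation and moves to UDP 4500.
! Verification on Firewall B: "show xlate" should list the static entry and
! "show conn" should show the UDP 500/4500 and ESP flows from 198.51.100.5.
```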