Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2177
Views
15
Helpful
6
Replies

Using Cisco Client to site VPN on an ASA 5520 behind NAT

Go to solution
trodecke
Level 1
Level 1

‎05-10-2010 01:27 PM

I apologize if this has been asked and answered in the forums.  I searched and while I found a large number of entries that danced all around this particular question,  I never found anything that addressed this specific question.   We are currently Using an ASA 5520 as the head end of a relatively large client to site IPSEC VPN (roughly 240 users, not consecutively).   This ASA is currently sitting behind a Checkpoint firewall with an actual publicly addressable IP address on it's public interface.  All our clients are using the legacy Cisco VPN client (not the anyconnect one).  We are planning on putting a couple of F5 Link Controllers in place between the ISPs and the firewalls.   For VPN connectivity F5 recommends that we NAT the IP address (called a Wide IP) at the F5 and point it back to a private IP address on the ASA.  My question is,  will this work?   I've always heard that the head end needed to have a public IP address on it as that's what will be placed in the packets for the client to talk back to.

For clarification,  here's what we have currently and what we're being asked to go to;

Current

ISP - Router ------  Firewall ------  ASA (public IP address as endpoint)


Proposed

ISP - Router ------  F5 (public IP address as endpoint, NATed to ASA) ------ Firewall ------ ASA (10.X.X.X as it's outside interface)

Alternative Proposed

ISP - Router ------ F5 (Public IP address as endpoint, NATed to ASA) ------ ASA (10.X.X.X as it's outside interface)

Any and all thoughts at this time would be greatly appreciated.   Thanks!

1 person had this problem
Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
mopaul
Cisco Employee
Cisco Employee

‎05-10-2010 01:35 PM

Hi,

If there is a one to one static NAT on F5 for ASA's outside interface, then i do not think they would be any issues.
Because when the client will attempt to build an IKE connection to the translated public ip address, the F5 will redirect the request to ASA outside interface which is configured for VPN.


Also, ensure the udp500,4500 and esp is allowed and then you should be good to go.

HTH

Regards
Mohit

Mohit Paul CCIE-Security 35496 P.S Please do rate this post if you find it helpful to make it easier for others seeking answers to similar queries

View solution in original post

Go to solution
bbrowncisco
Level 1
Level 1
In response to mopaul

‎05-10-2010 01:44 PM

Also, you should ensure that nat traversal is enabled, which it should be by default.  It's one of those commands that does not show up in the config when it's enabled.  To turn it on use:  crypto isakmp nat-traversal.  The 'no' form of the command will disable it.

View solution in original post

6 Replies 6

Go to solution
mopaul
Cisco Employee
Cisco Employee

‎05-10-2010 01:35 PM

Hi,

If there is a one to one static NAT on F5 for ASA's outside interface, then i do not think they would be any issues.
Because when the client will attempt to build an IKE connection to the translated public ip address, the F5 will redirect the request to ASA outside interface which is configured for VPN.


Also, ensure the udp500,4500 and esp is allowed and then you should be good to go.

HTH

Regards
Mohit

Mohit Paul CCIE-Security 35496 P.S Please do rate this post if you find it helpful to make it easier for others seeking answers to similar queries

Go to solution
bbrowncisco
Level 1
Level 1
In response to mopaul

‎05-10-2010 01:44 PM

Also, you should ensure that nat traversal is enabled, which it should be by default.  It's one of those commands that does not show up in the config when it's enabled.  To turn it on use:  crypto isakmp nat-traversal.  The 'no' form of the command will disable it.

Go to solution
trodecke
Level 1
Level 1
In response to bbrowncisco

‎05-10-2010 01:56 PM

Thanks guys.  NAT-T is enabled on all the interfaces on the ASA.   I really appreciate your help.   This will allow us to leave our clients with their existing VPN server config and not have to change all those PCF files.

0 Helpful

Go to solution
yhaifi001
Level 1
Level 1
In response to trodecke

‎01-18-2017 07:20 AM

Hi trodecke ,

it's been a long time that you wrote this post, I have the same issue VPN on ASA behind F5.

can you advise how did you forwarded thrafic between F5 and ASA.

Thnak you.

0 Helpful

Go to solution
trodecke
Level 1
Level 1
In response to yhaifi001

‎01-18-2017 07:37 AM

You're right, this has been a long time.  Basically,  what the others said was totally true.  As they mentioned,  as long as you have NAT-T (Nat Traversal) enabled in the configuration you'll be able to make a connection without issue.  If you're asking about the actual F5 configuration,  there are a couple of ways of doing it.  The easiest (though it's the hardest to monitor) is to have a virtual server with a service port of all (0).  That will send all traffic,  UDP and TCP,  to the node IP Address of the ASA.   The more accurate way of doing it (so you can better monitor it assuming you have multiple ASAs),  is to build a separate pool and virtual server for each protocol you need to forward to the ASA.  It's more work to create separate pools and virtual servers for IP protocol 50, 51, 57, UDP 500, UDP 4500, etc,  but it does allow you to create more accurate monitors than the standard ICMP monitor.

Go to solution
yhaifi001
Level 1
Level 1
In response to trodecke

‎03-07-2017 01:30 PM

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents