ASA Site to Site VPN with Router

fatalXerror (Level 5)

Hi Experts,

I am just wondering how to deploy a site-to-site VPN on the ASA if the public IP address is on the internet router and not on the ASA itself. Do I need to do NAT on the router, or can I use my NAT overload on the router (for my LAN's internet access) to establish the VPN tunnel towards the ASA?

thanks

2 Replies

Marvin Rhoads (Hall of Fame)

You would need a static NAT in the router translating to the ASA private IP address. You'd need to allow protocol 50 (ESP - required for IPsec) and udp/4500 (NAT-T) through the router if it has any access-list inbound.


The distant end would point to the public IP address on the router as the peer.

As an alternative to this, there are ways to make this work with *one* VPN endpoint behind a NAT/PAT device by ensuring the headend is in responder-only mode, and the endpoint behind NAT in initiator-only mode.

The initiator should be sending IKEv1/2 (UDP/500) and encapsulated IPsec (NAT-T as UDP/4500), which can be processed by the NAT router. If using a regular crypto map on the remote peer:

crypto map CRYPTO-MAP 1 set connection-type originate-only

On headend peer:

crypto map CRYPTO-MAP 1 set connection-type answer-only

This is available with Cisco ASA VTIs as well (responder-only in the IPsec profile), although I haven't tried that with ASAs yet.
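As an added worked example (not part of the original thread and not taken from Cisco documentation), here is a minimal configuration for both approaches described in the reply above: a static NAT plus an inbound ACL on an IOS internet router, and a crypto map with originate-only/answer-only connection types on the two ASAs. Everything specific is assumed for the example: the addresses (RFC 5737 documentation ranges), interface names, ACL/transform-set/crypto-map names, the LAN prefixes and the pre-shared-key placeholder. The router's existing PAT overload for LAN internet access is left in place, the static NAT is done per port so the single public IP keeps serving that overload, and IKEv1 with a crypto map is used because that is the form the reply's commands assume.

```text
! ===== Internet router (IOS), option 1: static NAT towards the ASA =====
! Constructed addressing for this example (RFC 5737 documentation ranges):
!   router outside Gi0/0 = 203.0.113.2 (the only public IP)
!   ASA outside        = 192.168.100.2, behind router Gi0/1 (192.168.100.1/24)
!   remote VPN peer    = 198.51.100.10
interface GigabitEthernet0/0
 description Internet
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface GigabitEthernet0/1
 description Link to ASA outside
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
!
! Existing PAT overload for LAN internet access stays unchanged
ip access-list standard LAN-NAT
 permit 10.10.0.0 0.0.255.255
ip nat inside source list LAN-NAT interface GigabitEthernet0/0 overload
!
! Static NAT only for the IPsec control and NAT-T data channels, so the
! single public IP still serves the PAT overload for everything else
ip nat inside source static udp 192.168.100.2 500 interface GigabitEthernet0/0 500
ip nat inside source static udp 192.168.100.2 4500 interface GigabitEthernet0/0 4500
! Raw ESP (IP protocol 50) is only needed if NAT-T is not negotiated;
! with NAT-T the ESP traffic is carried inside UDP/4500
ip nat inside source static esp 192.168.100.2 interface GigabitEthernet0/0
!
! Inbound ACL on the outside interface. IOS evaluates it before NAT on
! outside-to-inside traffic, so match the public (pre-translation) address.
! These entries go above the ACL's existing final deny; the entries the ACL
! already has for the LAN's return traffic are not shown here.
ip access-list extended OUTSIDE-IN
 remark IKE (udp/500), NAT-T (udp/4500) and ESP from the remote peer only
 permit udp host 198.51.100.10 host 203.0.113.2 eq isakmp
 permit udp host 198.51.100.10 host 203.0.113.2 eq non500-isakmp
 permit esp host 198.51.100.10 host 203.0.113.2
!
! ===== ASA behind the router, option 2: initiator-only crypto map =====
! (also fine in combination with option 1; the peer is the remote public IP)
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
access-list VPN-TRAFFIC extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
crypto map CRYPTO-MAP 1 match address VPN-TRAFFIC
crypto map CRYPTO-MAP 1 set peer 198.51.100.10
crypto map CRYPTO-MAP 1 set ikev1 transform-set TS-AES256-SHA
crypto map CRYPTO-MAP 1 set connection-type originate-only
crypto map CRYPTO-MAP interface outside
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-PSK
!
! ===== Headend ASA at 198.51.100.10: responder-only =====
! Same ikev1 policy and transform-set as above (not repeated). The peer and
! the tunnel-group name are the router's public IP, because that is the
! source address the headend sees on the NATed IKE packets.
access-list VPN-TRAFFIC extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
crypto map CRYPTO-MAP 1 match address VPN-TRAFFIC
crypto map CRYPTO-MAP 1 set peer 203.0.113.2
crypto map CRYPTO-MAP 1 set ikev1 transform-set TS-AES256-SHA
crypto map CRYPTO-MAP 1 set connection-type answer-only
crypto map CRYPTO-MAP interface outside
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-PSK
!
! Checks: after the ASA behind the router initiates, "show ip nat translations"
! on the router should list the 192.168.100.2:500/4500 entries; on either ASA,
! "show crypto ikev1 sa" and "show crypto ipsec sa" should show the SA with
! peer 198.51.100.10 (remote side) or 203.0.113.2 (headend side).
```

Two design points worth noting. First, the per-port static NAT (udp/500, udp/4500 and ESP) is what lets the ASA coexist with the router's interface overload on a single public IP; with a spare public address a plain one-to-one `ip nat inside source static 192.168.100.2 <public-ip>` is simpler and also covers ESP. Second, `originate-only` on the NATed side and `answer-only` on the headend are what make option 2 work without any port forwarding at all, because the headend never tries to open a session towards an address it cannot reach; leaving both sides `bidirectional` behind plain PAT tends to produce a tunnel that only comes up after the inside side sends traffic and that fails rekeys initiated from the headend.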
