07-30-2018 06:21 PM
Hi Experts,
I am just wondering how to deploy a site-to-site VPN on an ASA if the public IP address is on the internet router and not on the ASA itself. Do I need to do NAT in the router, or can I use my NAT overload in the router (for my LAN's internet access) to establish the VPN tunnel towards the ASA?
thanks
07-30-2018 09:21 PM
You would need a static NAT in the router translating to the ASA private IP address. You'd need to allow protocol 50 (ESP - required for IPsec) and udp/4500 (NAT-T) through the router if it has any access-list inbound.
The distant end would point to the public IP address on the router as the peer.
07-31-2018 07:57 AM
As an alternative to this, there are ways to make this work with *one* VPN endpoint behind a NAT/PAT device by ensuring the headend is in responder-only mode, and the endpoint behind NAT in initiator-only mode.
The initiator should be sending IKEv1/2 (UDP/500) and encapsulated IPsec (NAT-T as UDP/4500) which can be processed by the NAT router. If using a regular crypto map on remote peer:
crypto map CRYPTO-MAP 1 set connection-type originate-only
On headend peer:
crypto map CRYPTO-MAP 1 set connection-type answer-only
This is available with Cisco ASA VTIs as well (responder-only in the IPsec profile), although I haven't tried that with ASAs yet.
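An added configuration sketch, not posted by anyone in the thread, that puts the two answers together: port-specific static NAT and inbound filter entries on the IOS internet router, and the connection-type settings on the branch and headend ASAs. Every address, interface name and the tunnel-group are assumed placeholders, and the crypto map's transform set and match ACL are assumed to exist already.

```cisco
! ---- Internet router (IOS), assumed layout ----
! Gi0/0 = outside, single public IP 203.0.113.10 (placeholder)
! Gi0/1 = inside, ASA outside interface is 10.1.1.2 (placeholder)
! Headend ASA public IP is 198.51.100.20 (placeholder)
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
! Existing PAT overload for LAN internet access stays as it is
ip access-list standard LAN-NAT
 permit 10.1.1.0 0.0.0.255
ip nat inside source list LAN-NAT interface GigabitEthernet0/0 overload
!
! Port-specific static NAT so IKE (UDP/500) and NAT-T (UDP/4500) arriving
! at the router's public IP are handed to the ASA. ESP (IP protocol 50)
! has no port and cannot be forwarded this way, so the tunnel must run
! NAT-T (ESP inside UDP/4500); a 1:1 static NAT would need a spare public IP.
ip nat inside source static udp 10.1.1.2 500 interface GigabitEthernet0/0 500
ip nat inside source static udp 10.1.1.2 4500 interface GigabitEthernet0/0 4500
!
! If an inbound ACL is already applied on Gi0/0, add these entries to it;
! restricting the source to the known headend keeps the VPN ports closed
! to everyone else. The esp line only matters with a 1:1 static NAT.
ip access-list extended OUTSIDE-IN
 permit udp host 198.51.100.20 host 203.0.113.10 eq isakmp
 permit udp host 198.51.100.20 host 203.0.113.10 eq non500-isakmp
 permit esp host 198.51.100.20 host 203.0.113.10
!
! ---- Branch ASA behind the router: initiate only ----
crypto isakmp nat-traversal 20
crypto map CRYPTO-MAP 1 set peer 198.51.100.20
crypto map CRYPTO-MAP 1 set connection-type originate-only
crypto map CRYPTO-MAP interface outside
!
! ---- Headend ASA: respond only. The peer it sees is the ROUTER's public
! IP, not the ASA's private address, so that is what the tunnel-group uses.
crypto map CRYPTO-MAP 1 set peer 203.0.113.10
crypto map CRYPTO-MAP 1 set connection-type answer-only
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <shared-secret-placeholder>
```

Once the branch side brings the tunnel up, `show crypto isakmp sa` on the headend should list 203.0.113.10 as the peer with NAT-T in use; if the headend tries to initiate, the router has no translation for it and the attempt is dropped, which is why the responder-only setting matters.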