07-30-2018 06:21 PM
Hi Experts,
I am just wondering how to deploy a site-to-site VPN on an ASA if the public IP address is on the internet router and not on the ASA itself. Do I need to do NAT in the router, or can I use my NAT overload in the router (for my LAN's internet access) to establish the VPN tunnel towards the ASA?
thanks
07-30-2018 09:21 PM
You would need a static NAT in the router translating to the ASA's private IP address. You'd need to allow protocol 50 (ESP, required for IPsec) and udp/4500 (NAT-T) through the router if it has any access-list inbound.
The distant end would point to the public IP address on the router as the peer.
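As an added illustration of the static NAT and inbound access-list approach described in the answer above, here is a Cisco IOS router configuration written for this page (it is not the poster's own config). The addresses are assumptions taken from the documentation ranges: the router's only public IP is 203.0.113.10 on GigabitEthernet0/0, the inside segment is 192.168.1.0/24 on GigabitEthernet0/1, the ASA's outside interface is 192.168.1.2, and the remote VPN peer is 198.51.100.20. The ASA is assumed to PAT its own LAN to 192.168.1.2 for internet access, so the router only ever sees 192.168.1.x sources.

```cisco
! Assumed addressing (RFC 5737 documentation ranges, not from the thread):
!   Gi0/0 = internet side, 203.0.113.10 (the only public IP, lives on the router)
!   Gi0/1 = inside segment 192.168.1.0/24; ASA outside interface = 192.168.1.2
!   Remote VPN peer = 198.51.100.20
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
 ip access-group OUTSIDE-IN in
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! 1:1 static NAT of the ASA to the router's public address. Anything that
! arrives at 203.0.113.10 and is not claimed by an existing PAT translation is
! forwarded to the ASA. This carries UDP/500, UDP/4500 and raw ESP (IP
! protocol 50), which a port-based static entry cannot do.
ip nat inside source static 192.168.1.2 interface GigabitEthernet0/0
!
! The existing PAT overload for LAN internet access. The ASA's own address is
! excluded so that it always uses the static entry above, not the overload.
ip access-list extended NAT-LAN
 deny   ip host 192.168.1.2 any
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT-LAN interface GigabitEthernet0/0 overload
!
! Entries to add to an inbound ACL on the outside interface, if one exists.
! Inbound ACLs are evaluated before NAT on outside-to-inside traffic, so match
! the public (pre-translation) address 203.0.113.10, not 192.168.1.2.
ip access-list extended OUTSIDE-IN
 remark --- IPsec site-to-site towards the ASA behind this router ---
 permit udp host 198.51.100.20 host 203.0.113.10 eq isakmp
 permit udp host 198.51.100.20 host 203.0.113.10 eq non500-isakmp
 permit esp host 198.51.100.20 host 203.0.113.10
 remark --- the rest of your existing inbound entries follow here ---
```

Return traffic for the PAT'd LAN sessions is not covered by the three VPN entries; if OUTSIDE-IN is the only inbound filter on the router, it still needs whatever stateful mechanism (zone-based firewall or inspection) was already letting that return traffic in. Nothing in the remote peer's configuration changes beyond pointing at 203.0.113.10 as the peer address.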
07-31-2018 07:57 AM
As an alternative to this, there are ways to make this work with *one* VPN endpoint behind a NAT/PAT device by ensuring the headend is in responder-only mode, and the endpoint behind NAT in initiator-only mode.
The initiator should be sending IKEv1/2 (UDP/500) and encapsulated IPsec (NAT-T as UDP/4500), which can be processed by the NAT router. If using a regular crypto map on the remote peer:
crypto map CRYPTO-MAP 1 set connection-type originate-only
On headend peer:
crypto map CRYPTO-MAP 1 set connection-type answer-only
This is available with Cisco ASA VTIs as well (responder-only in the IPsec profile), although I haven't tried that with ASAs yet.
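To show how the two connection-type settings from the answer above fit together with the peer addressing from the earlier answer, here is an ASA crypto-map configuration for both ends, written for this page rather than taken from the poster. It assumes the same addresses as before: the ASA behind NAT has outside address 192.168.1.2 and sits behind a router whose public IP is 203.0.113.10, its LAN is 10.1.0.0/16; the headend ASA is at 198.51.100.20 with LAN 10.2.0.0/16. The pre-shared key is a placeholder.

```cisco
! ---- ASA behind the NAT/PAT router (initiator only) ----
! Assumed: outside 192.168.1.2 (private), router public IP 203.0.113.10,
! local LAN 10.1.0.0/16; headend 198.51.100.20 with LAN 10.2.0.0/16.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
! NAT-T with a 20 s keepalive: once NAT is detected, ESP rides inside UDP/4500
! so the PAT router only has to track UDP/500 and UDP/4500 flows.
crypto isakmp nat-traversal 20
object network LAN-LOCAL
 subnet 10.1.0.0 255.255.0.0
object network LAN-REMOTE
 subnet 10.2.0.0 255.255.0.0
! Identity NAT so site-to-site traffic is not swallowed by the ASA's own PAT
nat (inside,outside) source static LAN-LOCAL LAN-LOCAL destination static LAN-REMOTE LAN-REMOTE no-proxy-arp route-lookup
access-list VPN-TRAFFIC extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev2 remote-authentication pre-shared-key EXAMPLE-PSK-CHANGE-ME
 ikev2 local-authentication pre-shared-key EXAMPLE-PSK-CHANGE-ME
crypto map CRYPTO-MAP 1 match address VPN-TRAFFIC
crypto map CRYPTO-MAP 1 set peer 198.51.100.20
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal AES256-SHA256
! This side always starts the tunnel, because nothing can reach it first.
crypto map CRYPTO-MAP 1 set connection-type originate-only
crypto map CRYPTO-MAP interface outside

! ---- Headend ASA at 198.51.100.20 (responder only) ----
! Its peer is the NAT router's public address; the headend never sees
! 192.168.1.2. The ikev2 policy, proposal, nat-traversal and network objects
! are the same as above with local and remote swapped.
access-list VPN-TRAFFIC extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key EXAMPLE-PSK-CHANGE-ME
 ikev2 local-authentication pre-shared-key EXAMPLE-PSK-CHANGE-ME
crypto map CRYPTO-MAP 1 match address VPN-TRAFFIC
crypto map CRYPTO-MAP 1 set peer 203.0.113.10
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal AES256-SHA256
! This side waits; with originate-only on the far end it must never try to
! initiate towards 203.0.113.10 on its own.
crypto map CRYPTO-MAP 1 set connection-type answer-only
crypto map CRYPTO-MAP interface outside
```

The tunnel-group name on the headend is the router's public address because that is the source the IKE packets arrive from after PAT. Once the tunnel is up, `show crypto ikev2 sa` on the headend should list the remote as 203.0.113.10 with a UDP/4500 port, confirming that NAT-T was negotiated.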