How many VPN tunnels can be created behind a NAT device?

MrBeginner (Spotlight)

Hi,

I would like to ask about VPN behind a NAT device.

Let's say the hub and spoke VPN devices (firewalls) are behind NAT routers.

All NAT routers have static WAN IPs. All WAN IPs can reach each other.

Let me know: can we create multiple VPN tunnels from the spoke firewalls to the hub firewall behind the NAT router?

Accepted Solution

@MrBeginner 

Yes, that should work, assuming NAT-T is enabled (it is enabled by default on newer IOS/ASA).

Hub can be behind static NAT. Spokes can be behind dynamic PAT/NAT or static NAT.

If you meant the spokes were behind the same NAT device, obviously it would be the same source IP address. With NAT-T the destination port of the hub would be udp/4500, but the source port of each spoke firewall would be a random high port; this is how the hub firewall can differentiate between the spokes.

Afaik, the limitation would be the number of VPN peers the hub can scale to.

If using ASA, you'll have to use a dynamic crypto map on the hub and static crypto maps on the spokes.

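Added example, not from the thread or from any of its posters: a minimal ASA IKEv1 layout that matches the accepted answer, with the hub behind a static NAT (or port-forwarding) router, two spokes behind PAT routers that have static WAN IPs, a dynamic crypto map on the hub and static crypto maps on the spokes. All addresses, object and map names, key strings and the IOS NAT router lines are assumptions for illustration; ASA 8.4+ syntax is assumed (older releases use `crypto isakmp policy` instead of `crypto ikev1 policy`).

```text
! ===== Hub ASA =====
! Assumed addresses (illustration only):
!   hub ASA outside 10.10.0.2, behind a NAT router whose public IP is 203.0.113.1
!   spoke A ASA outside 10.20.0.2, behind PAT router 198.51.100.1 (static WAN IP)
!   spoke B ASA outside 10.30.0.2, behind PAT router 198.51.100.2 (static WAN IP)
!   LANs: hub 192.168.0.0/24, spoke A 192.168.1.0/24, spoke B 192.168.2.0/24
!
! NAT-T is on by default on current ASA; it is set explicitly here so the dependency is visible.
crypto isakmp nat-traversal 20
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
!
! Dynamic map: the hub never initiates, it accepts any authenticated spoke regardless of the
! source IP/port the spoke's PAT router assigns. Reverse-route injection installs a route to
! each spoke LAN when that spoke's tunnel comes up, so no static routes to spoke LANs are needed.
crypto dynamic-map SPOKES 10 set ikev1 transform-set AES256-SHA
crypto dynamic-map SPOKES 10 set reverse-route
crypto map OUTSIDE 65535 ipsec-isakmp dynamic SPOKES
crypto map OUTSIDE interface outside
!
! The hub sees each spoke as its NAT router's WAN IP, so a per-spoke tunnel-group (and per-spoke
! key) keyed on that address works as long as those WAN IPs are static. Two spokes behind the
! same PAT router would share one tunnel-group and key with IKEv1 PSK; use certificates if that
! is not acceptable.
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key SpokeA-key-CHANGE-ME
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 ikev1 pre-shared-key SpokeB-key-CHANGE-ME
!
! Identity NAT so hub<->spoke traffic is not translated before it is encrypted.
object network HUB-LAN
 subnet 192.168.0.0 255.255.255.0
object-group network SPOKE-LANS
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
nat (inside,outside) source static HUB-LAN HUB-LAN destination static SPOKE-LANS SPOKE-LANS no-proxy-arp route-lookup

! ===== Spoke A ASA (spoke B is identical apart from its LAN and key) =====
crypto isakmp nat-traversal 20
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
access-list TO-HUB extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
! Static map: the peer is the hub router's PUBLIC address, not the hub ASA's own 10.10.0.2.
crypto map OUTSIDE 10 match address TO-HUB
crypto map OUTSIDE 10 set peer 203.0.113.1
crypto map OUTSIDE 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key SpokeA-key-CHANGE-ME
object network SPOKE-A-LAN
 subnet 192.168.1.0 255.255.255.0
object network HUB-LAN
 subnet 192.168.0.0 255.255.255.0
nat (inside,outside) source static SPOKE-A-LAN SPOKE-A-LAN destination static HUB-LAN HUB-LAN no-proxy-arp route-lookup

! ===== Hub-side NAT router (IOS syntax assumed) =====
! If the router does not already hold a one-to-one static NAT for 10.10.0.2, forward only the
! two UDP ports IKE and NAT-T use. Plain ESP (IP protocol 50) cannot be port-forwarded, which
! is why NAT-T (ESP in UDP/4500) is required whenever the hub sits behind PAT.
ip nat inside source static udp 10.10.0.2 500 interface GigabitEthernet0/0 500
ip nat inside source static udp 10.10.0.2 4500 interface GigabitEthernet0/0 4500
! Spoke-side PAT routers need no forwarding: the spoke initiates outbound, the router keeps the
! UDP/4500 state, and the hub tells spokes apart by (router WAN IP, translated source port).

! ===== Verify on the hub =====
! show crypto ikev1 sa                     -> one IKE SA per spoke, peer = spoke router WAN IP
! show crypto ipsec sa peer 198.51.100.1   -> peer listed with port 4500 when NAT-T is in use
```

Because the hub only has a dynamic map it can never bring a tunnel up itself; make sure the spokes originate traffic (or run DPD/keepalives) so the tunnels are re-established after a NAT table timeout or a reboot on the hub side. The scaling limit the accepted answer mentions is the hub platform's licensed/supported L2L peer count, not anything in the NAT routers.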

8 Replies

Deepak Kumar (VIP Alumni)

Hi,

If all devices have static IPs then you can use one-to-one NAT on the hub and port-forwarding on the spokes. It will work fine.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment helps you!

Hi @Deepak Kumar 

Do you mean it cannot be done if we are using dynamic NAT?

balaji.bandi (Hall of Fame)

You can create them based on what the model of the device supports, as long as the resources are not exhausted.

Make sure you have a static IP at HQ for the remotes to connect to.

By the way, what is this device? ASA, or router, or something else?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi @balaji.bandi 

The firewall is an ASA. I only want to confirm whether we can create multiple tunnels behind the NAT devices. I know that if the hub device has a public IP and the spoke devices are behind NAT devices, we can create multiple tunnels.

I didn't see a sample lab or reference design in which all hub and spoke VPN devices are behind NAT routers.

As per your answer, multiple tunnels are no issue, depending on the firewall resources?

You mean the hub is also behind NAT, and the spokes are also behind NAT? Then that is not a workable solution, I guess.

The hub always needs to have a public IP exposed.

BB


Hi,

Hub and spoke are behind NAT.

As per the link below, Juniper can support both initiator and responder being behind a NAT device.

https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-route-based-and-policy-based-vpns-with-nat-t.html

But I am not sure whether Cisco and other devices can support it. And then I am not sure how many can be created.

I have not tried the hub behind NAT; that is not tested by myself, but it is a good use case. There are always limitations with the hub behind NAT.

BB

