
If the Cisco ASA is not used as a NAT device but is placed behind a NAT device, will there be problems when doing IPsec VPN?

1 ACCEPTED SOLUTION

VIP Rising star

There are a couple of things to keep in mind when you want to set up an IPsec tunnel with an ASA behind a NAT device. Let's assume you have a similar topology to the following:

[Image: CSC_ASA_behind_NAT.jpg (topology diagram)]

The London ASA is behind a NAT device, which is the ISP router, whereas the Los Angeles ASA is placed at the edge of the Los Angeles remote site. For this example, I am assuming we only have one single public IP address at the London site. This means that any traffic sent to any device or endpoint behind the ISP router will be destined to the public IP address 1.1.1.1. The ISP router, based on the configured NAT rules, will then perform NAT untranslation and re-route that traffic to the internal resources. On the other hand, the traffic sent from the internal resources at the London site will be NAT'ed and routed by the ISP router, which means that the outside world will always see that traffic with the public IP address 1.1.1.1 as the source address.

When it comes to the IPsec tunnel between the London and Los Angeles ASAs, as NAT-T is enabled by default on the ASA, when both firewalls start negotiating the IPsec tunnel (on port 500/udp) and NAT discovery happens, the Los Angeles ASA will find out that the London ASA is behind a NAT device by comparing the NAT discovery hash received from the London ASA with the one it generates locally. This will make the firewalls encapsulate the ESP packets into UDP packets and use port 4500 as both the source and destination port.

In terms of configuration, nothing unusual is needed: you just configure both firewalls with the normal IPsec parameters. The only thing is that from the Los Angeles ASA's perspective, the peer IP address will be the ISP router's IP, which is 1.1.1.1. From the London ASA's perspective nothing changes: you configure the peer with the IP address 2.2.2.2.

Now as mentioned before, for the traffic sent by Los Angeles ASA to hit the London ASA you need to set a couple of NAT rules on the ISP router to untranslate that traffic and send it over to London ASA's private IP address 192.168.3.2. The ISP router needs to have one NAT rule for port 500/udp and another for port 4500/udp. Both rules should be configured to untranslate the traffic destined to the public IP 1.1.1.1 on those ports, to the private IP 192.168.3.2 on the same ports. Also, if there are any security rules in place on the ISP router, you need to configure them to allow port 500/udp and 4500/udp traffic to pass through.

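The NAT discovery comparison described in the accepted answer, as an added illustration (not code from any poster or from Cisco): a Python model of RFC 3947 NAT-D payloads, assuming SHA-1 as the negotiated IKE hash, constructed IKE cookies, and the thread's addresses (London ASA 192.168.3.2 behind 1.1.1.1, Los Angeles ASA 2.2.2.2).

```python
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload body from RFC 3947: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 is assumed here as the negotiated IKE hash."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def build_nat_d(cky_i, cky_r, local, remote):
    """Sender side: the first payload hashes the remote (destination) address,
    the following one(s) hash the sender's own local address(es)."""
    return [nat_d_hash(cky_i, cky_r, *remote), nat_d_hash(cky_i, cky_r, *local)]


def detect_nat(cky_i, cky_r, payloads, observed_src, observed_dst):
    """Receiver side: recompute the hashes over the addresses actually seen on
    the wire and compare. A mismatch means a NAT rewrote that address."""
    local_matches = payloads[0] == nat_d_hash(cky_i, cky_r, *observed_dst)
    peer_matches = any(p == nat_d_hash(cky_i, cky_r, *observed_src) for p in payloads[1:])
    return {"i_am_behind_nat": not local_matches, "peer_behind_nat": not peer_matches}


def la_asa_view(source_seen_by_la: str = "1.1.1.1"):
    """London ASA (192.168.3.2) sends its NAT-D payloads to Los Angeles (2.2.2.2).
    The ISP router rewrites the source to 1.1.1.1, which is what the LA ASA observes."""
    cky_i = bytes.fromhex("0123456789abcdef")  # constructed IKE cookies
    cky_r = bytes.fromhex("fedcba9876543210")
    payloads = build_nat_d(cky_i, cky_r, local=("192.168.3.2", 500), remote=("2.2.2.2", 500))
    return detect_nat(cky_i, cky_r, payloads,
                      observed_src=(source_seen_by_la, 500), observed_dst=("2.2.2.2", 500))


if __name__ == "__main__":
    print(la_asa_view())               # {'i_am_behind_nat': False, 'peer_behind_nat': True}
    print(la_asa_view("192.168.3.2"))  # no NAT on the path: both False
```

Once `peer_behind_nat` is true, both peers move the exchange to UDP 4500 and UDP-encapsulate ESP, which is why the port-forward for 4500/udp on the ISP router is required.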

7 REPLIES
VIP Advisor

No, because the IPsec peers will detect the NATting and will switch to NAT-T (unless it's explicitly disabled). NAT-T will run on UDP 4500.


**** please remember to rate useful posts

Is there any difference in configuration? I mean ASA as an outgoing device.


No, ASA by default will have nat-t on.

Or do you need to do other configuration on the NAT device?

Rising star

Yes, you need some changes in the config:
- crypto map: set peer ip <- the IP after NAT, not the outside IP of the ASA
- crypto isakmp key ### address ip <- the IP after NAT, not the outside IP of the ASA
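A constructed configuration sketch for the thread's topology, added here as an illustration and not taken from any poster or from Cisco documentation. It assumes IOS on the ISP router, IKEv1 with a crypto map on the ASAs (ASA 8.4+ syntax), and made-up LAN prefixes 10.1.0.0/16 (London) and 10.2.0.0/16 (Los Angeles); the pre-shared key is a placeholder.

```cisco
! --- ISP router (IOS) at the London site: forward IKE and NAT-T to the London ASA ---
interface GigabitEthernet0/0
 description Internet, public address 1.1.1.1 (assumed /30)
 ip address 1.1.1.1 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE-IN in
interface GigabitEthernet0/1
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
! Static port forwards: udp/500 (IKE) and udp/4500 (NAT-T), same ports on both sides
ip nat inside source static udp 192.168.3.2 500 1.1.1.1 500 extendable
ip nat inside source static udp 192.168.3.2 4500 1.1.1.1 4500 extendable
! Only the Los Angeles peer may reach those ports from outside (other inbound rules, e.g. for
! return traffic of the site's own outbound PAT, are not shown)
ip access-list extended OUTSIDE-IN
 permit udp host 2.2.2.2 host 1.1.1.1 eq isakmp
 permit udp host 2.2.2.2 host 1.1.1.1 eq non500-isakmp

! --- Los Angeles ASA (outside 2.2.2.2): the peer is the London PUBLIC address 1.1.1.1 ---
crypto ikev1 enable outside
crypto isakmp nat-traversal 20
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES256 esp-aes-256 esp-sha-hmac
access-list VPN-TO-LONDON extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
crypto map OUTSIDE-MAP 10 match address VPN-TO-LONDON
crypto map OUTSIDE-MAP 10 set peer 1.1.1.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256
crypto map OUTSIDE-MAP interface outside
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
! NAT exemption (identity NAT) for the VPN subnets is still required on each ASA; not shown here.

! --- London ASA (outside 192.168.3.2): same policy, transform set and mirrored ACL; only the
! --- peer and tunnel-group differ, because it sees Los Angeles directly at 2.2.2.2 ---
crypto map OUTSIDE-MAP 10 set peer 2.2.2.2
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
```

`crypto isakmp nat-traversal` is on by default on the ASA and is only listed explicitly so the dependency is visible; `show crypto ipsec sa` on either ASA should report the remote crypto endpoint on port 4500 once NAT-T has taken effect.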



Okay thank you. Can you provide a configuration reference for this case? This will help me a lot.
