11-25-2020 11:42 PM
If the Cisco ASA is not used as the NAT device but is placed behind the NAT device, will there be problems when doing IPsec VPN?
11-27-2020 02:33 PM
There are a couple of things to keep in mind when you want to set up an IPsec tunnel with an ASA behind a NAT device. Let's assume you have a similar topology to the following:
London ASA is behind a NAT device, which is the ISP router, whereas Los Angeles ASA is placed at the edge of the Los Angeles remote site. For this example, I am assuming we only have one single public IP address at the London site. This means that any traffic sent to any device or endpoint behind the ISP router will be destined to the public IP address 1.1.1.1. Then the ISP router, based on the configured NAT rules, will perform NAT untranslation and re-route that traffic to the internal resources. On the other hand, the traffic sent from the internal resources at the London site will be NAT'ed and routed by the ISP router, which means that the outside world will always see that traffic with the public IP address 1.1.1.1 as the source address.
When it comes to the IPsec tunnel between the London and Los Angeles ASAs, as NAT-T is enabled by default on the ASA, when both firewalls start negotiating the IPsec tunnel (on port 500/udp) and NAT discovery happens, the Los Angeles ASA will find out that the London ASA is behind a NAT device by comparing the NAT discovery hash received from the London ASA with the one it generates locally. This will allow the firewalls to encapsulate the ESP packets into UDP packets and assign port 4500 as both source and destination ports.
In terms of configuration, nothing unusual needs to be configured; you just configure both firewalls with the normal IPsec parameters. The only difference is that from the Los Angeles ASA perspective, the peer IP address will be the ISP router IP, which is 1.1.1.1. From the London ASA perspective nothing changes: you configure the peer with the IP address 2.2.2.2.
Now as mentioned before, for the traffic sent by Los Angeles ASA to hit the London ASA you need to set a couple of NAT rules on the ISP router to untranslate that traffic and send it over to London ASA's private IP address 192.168.3.2. The ISP router needs to have one NAT rule for port 500/udp and another for port 4500/udp. Both rules should be configured to untranslate the traffic destined to the public IP 1.1.1.1 on those ports, to the private IP 192.168.3.2 on the same ports. Also, if there are any security rules in place on the ISP router, you need to configure them to allow port 500/udp and 4500/udp traffic to pass through.
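A worked configuration for the topology described in this answer, added here as an example (it is not the original poster's or Cisco's configuration). It follows the answer's IKEv1 terminology. The addresses 1.1.1.1, 2.2.2.2 and 192.168.3.2 come from the thread; the LAN subnets 10.1.0.0/24 (London) and 10.2.0.0/24 (Los Angeles), the ISP router's inside address 192.168.3.1, the interface names, the object, ACL, transform-set and crypto-map names, the cipher choices and the pre-shared-key placeholder are assumptions:

```cisco
! ---- ISP router at London (assumed Cisco IOS). Public 1.1.1.1 on Gi0/0,
! ---- inside 192.168.3.1/24 on Gi0/1 (interface names and inside address assumed)
interface GigabitEthernet0/0
 ip address 1.1.1.1 255.255.255.252
 ip nat outside
interface GigabitEthernet0/1
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
ip access-list standard NAT-INSIDE
 permit 192.168.3.0 0.0.0.255
! Existing PAT for outbound traffic: everything leaves as 1.1.1.1
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
! Port forwards so that IKE (500/udp) and NAT-T (4500/udp) arriving at 1.1.1.1
! are untranslated to the London ASA's outside address on the same ports.
! 'extendable' is needed because these statics share the interface address
! with the PAT rule above.
ip nat inside source static udp 192.168.3.2 500 1.1.1.1 500 extendable
ip nat inside source static udp 192.168.3.2 4500 1.1.1.1 4500 extendable
! If an inbound ACL is applied on Gi0/0 it must also permit both ports; inbound
! ACLs are evaluated before NAT, so they match on the public address
ip access-list extended OUTSIDE-IN
 permit udp host 2.2.2.2 host 1.1.1.1 eq isakmp
 permit udp host 2.2.2.2 host 1.1.1.1 eq non500-isakmp

! ---- London ASA (behind NAT). Outside 192.168.3.2/24, inside 10.1.0.0/24 (assumed)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.3.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.3.1
object network LON-LAN
 subnet 10.1.0.0 255.255.255.0
object network LA-LAN
 subnet 10.2.0.0 255.255.255.0
! Identity NAT so the ASA does not translate the VPN traffic itself
nat (inside,outside) source static LON-LAN LON-LAN destination static LA-LAN LA-LAN no-proxy-arp route-lookup
access-list ACL-VPN-LON-LA extended permit ip object LON-LAN object LA-LAN
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map CM-OUTSIDE 10 match address ACL-VPN-LON-LA
crypto map CM-OUTSIDE 10 set peer 2.2.2.2
crypto map CM-OUTSIDE 10 set ikev1 transform-set TS-AES256-SHA
crypto map CM-OUTSIDE interface outside
! NAT-T is on by default; stated explicitly with a 20-second keepalive so the
! ISP router's UDP translation does not age out while the tunnel is idle
crypto isakmp nat-traversal 20
! London sees the real peer address, so nothing changes on this side
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key <shared-secret>

! ---- Los Angeles ASA (at the edge). Outside 2.2.2.2, inside 10.2.0.0/24 (assumed)
! Same ikev1 enable/policy, transform-set and object lines as London; the
! identity NAT and crypto ACL are mirrored, and only the peer address differs:
access-list ACL-VPN-LA-LON extended permit ip object LA-LAN object LON-LAN
nat (inside,outside) source static LA-LAN LA-LAN destination static LON-LAN LON-LAN no-proxy-arp route-lookup
crypto map CM-OUTSIDE 10 match address ACL-VPN-LA-LON
! The peer is the ISP router's public address, not the London ASA's 192.168.3.2
crypto map CM-OUTSIDE 10 set peer 1.1.1.1
crypto map CM-OUTSIDE 10 set ikev1 transform-set TS-AES256-SHA
crypto map CM-OUTSIDE interface outside
! With IKEv1 pre-shared keys the responder selects the tunnel-group by the
! source address in the IP header, which after NAT is 1.1.1.1
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key <shared-secret>
```

To check the result: on the Los Angeles ASA, show crypto ikev1 sa should list the peer as 1.1.1.1, and show crypto ipsec sa peer 1.1.1.1 reports the peer as 1.1.1.1:4500 once NAT-T has been negotiated; on the ISP router, show ip nat translations | include 192.168.3.2 should show the two static UDP entries plus the dynamic ones created by the London ASA. The static port forwards matter mainly when Los Angeles initiates while no translation exists; once London has initiated, the NAT-T keepalives keep the 4500/udp translation alive in the other direction.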
11-26-2020 12:00 AM
11-26-2020 12:05 AM
Is there any difference in configuration? I mean ASA as an outgoing device.
11-26-2020 12:41 AM
11-26-2020 12:19 AM
Or do you need to do other configuration on the NAT device?
11-26-2020 06:38 AM
Yes, you need some changes in the config:
crypto map
 set peer <ip> <- the IP after NAT, not the IP of the outside ASA
crypto isakmp key ### address <ip> <- the IP after NAT, not the IP of the outside ASA
11-29-2020 09:24 PM
Okay thank you. Can you provide a configuration reference for this case? This will help me a lot.