1761 Views, 5 Helpful, 7 Replies

If the Cisco ASA is not used as a NAT device but is placed behind the NAT device, will there be problems when doing IPsec VPN?


Accepted Solution

There are a couple of things to keep in mind when you want to set up an IPsec tunnel with an ASA behind a NAT device. Let's assume you have a similar topology to the following:

[Topology diagram: CSC_ASA_behind_NAT.jpg]

The London ASA is behind a NAT device, which is the ISP router, whereas the Los Angeles ASA is placed at the edge of the Los Angeles remote site. For this example, I am assuming we only have one single public IP address at the London site. This means that any traffic sent to any device or endpoint behind the ISP router will be destined to the public IP address 1.1.1.1. The ISP router, based on the configured NAT rules, will then perform NAT untranslation and re-route that traffic to the internal resources. On the other hand, traffic sent from the internal resources at the London site will be NAT'ed and routed by the ISP router, which means that the outside world will always see that traffic with the public IP address 1.1.1.1 as the source address.

When it comes to the IPsec tunnel between the London and Los Angeles ASAs, since NAT-T is enabled by default on the ASA, when both firewalls start negotiating the IPsec tunnel (on port 500/udp) and NAT discovery happens, the Los Angeles ASA will find out that the London ASA is behind a NAT device by comparing the NAT discovery hash received from the London ASA with the one that is generated locally. This allows the firewalls to encapsulate the ESP packets in UDP packets, using port 4500 as both the source and destination port.

In terms of configuration, nothing unusual needs to be configured; you just configure both firewalls with the normal IPsec parameters. The only thing is that from the Los Angeles ASA's perspective, the peer IP address will be the ISP router's IP, which is 1.1.1.1. From the London ASA's perspective nothing changes: you configure the peer with the IP address 2.2.2.2.

Now, as mentioned before, for the traffic sent by the Los Angeles ASA to reach the London ASA you need to set a couple of NAT rules on the ISP router to untranslate that traffic and send it to the London ASA's private IP address 192.168.3.2. The ISP router needs one NAT rule for port 500/udp and another for port 4500/udp. Both rules should be configured to untranslate traffic destined to the public IP 1.1.1.1 on those ports to the private IP 192.168.3.2 on the same ports. Also, if there are any security rules in place on the ISP router, you need to configure them to allow port 500/udp and 4500/udp traffic to pass through.
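To make the NAT discovery and the two NAT rules above concrete, here is an added Python model of the exchange (written for this page; it is not Cisco code and not the original poster's). It builds IKEv1 NAT-D payloads the way RFC 3947 describes them, HASH(CKY-I | CKY-R | IP | Port), and replays the London/Los Angeles topology with the addresses from the post (2.2.2.2, 1.1.1.1, 192.168.3.2). Assumptions: the hash is SHA-1 (in a real negotiation it is whichever hash the peers agreed on), the IKE cookies are made-up constants, and the ISP router is reduced to a static port-forward table plus source NAT. The model shows why the Los Angeles ASA concludes that its peer is behind NAT, and why a port-500 rule alone is not enough once NAT-T moves the traffic to 4500/udp.

```python
"""Model of IKEv1 NAT-Discovery (RFC 3947) for an ASA behind a NAT device.

Constructed example: the addresses come from the forum post, the cookies are
made up, and SHA-1 is assumed as the negotiated hash.
"""
import hashlib
import ipaddress
from dataclasses import dataclass

IKE_PORT, NAT_T_PORT = 500, 4500


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload content: HASH(CKY-I | CKY-R | IP | Port) (RFC 3947, 3.2)."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + port.to_bytes(2, "big")
    return hashlib.sha1(data).digest()  # hash algorithm is an assumption here


@dataclass
class StaticNat:
    """The ISP router: static untranslation (public_ip, port) -> (private_ip, port)
    for the listed UDP ports, and source NAT for everything leaving the site."""
    public_ip: str
    private_ip: str
    ports: set

    def inbound(self, dst_ip: str, dst_port: int):
        """Untranslate traffic destined to the public IP on a forwarded port, else drop."""
        if dst_ip == self.public_ip and dst_port in self.ports:
            return self.private_ip, dst_port
        return None

    def outbound(self, src_ip: str, src_port: int):
        """Outside world always sees the public IP as the source address."""
        if src_ip == self.private_ip:
            return self.public_ip, src_port
        return src_ip, src_port


def detect_nat(cky_i, cky_r, sender_real_ip, sender_real_port, seen_ip, seen_port) -> bool:
    """Receiver side: compare the NAT-D hash the peer sent (built from the address
    the peer believes it has) with one built from the address seen on the wire."""
    received = nat_d_hash(cky_i, cky_r, sender_real_ip, sender_real_port)
    local = nat_d_hash(cky_i, cky_r, seen_ip, seen_port)
    return received != local


def negotiate(isp_nat: StaticNat, cky_i: bytes = b"\x11" * 8, cky_r: bytes = b"\x22" * 8) -> dict:
    """Los Angeles ASA (2.2.2.2, at the edge) initiates to peer 1.1.1.1;
    London ASA (192.168.3.2) sits behind the ISP router."""
    la_ip, london_ip = "2.2.2.2", "192.168.3.2"
    result = {"ike_reachable": False, "london_behind_nat": False, "la_behind_nat": False,
              "data_port": None, "tunnel_up": False, "reason": ""}

    # Phase 1 on 500/udp: the first packet must be untranslated to London's private IP.
    if isp_nat.inbound(isp_nat.public_ip, IKE_PORT) != (london_ip, IKE_PORT):
        result["reason"] = "no NAT rule for 500/udp on the ISP router"
        return result
    result["ike_reachable"] = True

    # London's reply leaves source-NATed: Los Angeles sees 1.1.1.1:500, but London's
    # NAT-D hash was computed over 192.168.3.2:500, so the hashes differ.
    seen_ip, seen_port = isp_nat.outbound(london_ip, IKE_PORT)
    result["london_behind_nat"] = detect_nat(cky_i, cky_r, london_ip, IKE_PORT, seen_ip, seen_port)
    # Los Angeles is not translated on its path, so London's comparison matches.
    result["la_behind_nat"] = detect_nat(cky_i, cky_r, la_ip, IKE_PORT, la_ip, IKE_PORT)

    # NAT seen on either side -> NAT-T: ESP in UDP with 4500 as source and destination
    # port. Without NAT, ESP would ride as plain IP protocol 50 (no UDP port).
    if result["london_behind_nat"] or result["la_behind_nat"]:
        result["data_port"] = NAT_T_PORT
        if isp_nat.inbound(isp_nat.public_ip, NAT_T_PORT) != (london_ip, NAT_T_PORT):
            result["reason"] = "NAT-T selected but no NAT rule for 4500/udp on the ISP router"
            return result
    result["tunnel_up"] = True
    return result


if __name__ == "__main__":
    full = StaticNat("1.1.1.1", "192.168.3.2", {IKE_PORT, NAT_T_PORT})
    half = StaticNat("1.1.1.1", "192.168.3.2", {IKE_PORT})
    print("500+4500 forwarded:", negotiate(full))
    print("only 500 forwarded:", negotiate(half))
```

The `half` case is the one worth checking on a real deployment: IKE phase 1 completes, NAT-T is chosen, and the tunnel then stalls because nothing untranslates 4500/udp to the ASA behind the router.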


7 Replies

No, because the IPsec peers will detect the NATting and will switch to NAT-T (unless it's explicitly disabled). NAT-T will run on UDP 4500.


**** please remember to rate useful posts

Is there any difference in configuration? I mean ASA as an outgoing device.

No, ASA by default will have nat-t on.

Or do you need to do other configuration on the NAT device?

Yes, you need some changes in the config:
crypto map <map-name> <seq> set peer <IP after NAT>   ! the public IP after NAT, not the outside IP of the ASA
crypto isakmp key <key> address <IP after NAT>        ! the public IP after NAT, not the outside IP of the ASA


Okay thank you. Can you provide a configuration reference for this case? This will help me a lot.
