10-15-2017 09:17 AM - edited 03-12-2019 04:37 AM
Dears,
I have a Firewall ASA 5555 in Site A with a static IP address; at remote site B I have a 4G CPE with, of course, a dynamic IP, connected to a Cisco Router ISR 4431. Kindly find the drawing in the attachment. Network 10.213.20.0/24 is in both sites. I need to connect the two sites through a site-to-site VPN or any suitable solution.
10-15-2017 10:45 AM - edited 10-15-2017 10:53 AM
Will the VPN tunnel be between the ASA and the Cisco router? If so, it will be a little tricky, but I think it is possible. Make sure the router has the securityk9 license.
The 4G CPE may need to support NAT traversal.
Let me know which step you are at and what you need.
-If I helped you somehow, please, rate it as useful.-
10-15-2017 08:41 PM
Thanks Flavio for your reply,
Yes, the VPN tunnel is between the ASA and the Cisco router. I am forced to use a 4G CPE with limited features because I don't have a leased line in this site. Yes, I have the security license on the Cisco router (SL-44-SEC-K9). The 4G CPE has only Cone and Symmetric NAT; I think it doesn't support NAT-T. Now I need to establish the VPN tunnel and allow network 10.213.20.0/24 at both sites to communicate, so please advise.
BR
Mohamed Hesham
10-15-2017 09:08 PM
Alright.
For ASA and router you can find config examples on the internet; here on the forum there must be plenty.
After setting up both sides you can set cone NAT on the CPE.
The ASA will try to establish the tunnel with the public IP of the CPE, and it will forward the traffic to the router and vice versa.
VPN through NAT is largely discussed.
The same network on both sides adds more challenge. In this case you need to perform NAT on the router to a different IP range and NAT again on the ASA side to the corresponding IP address.
I have never tried this, but it should work.
-If I helped you somehow, please, rate it as useful.-
10-15-2017 11:06 AM
Hi,
It can be done.
Here is the link that explains the steps to configure dynamic-to-static IPsec:
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112075-dynamic-ipsec-asa-router-ccp.html
If you are using ASA version 8.3+, the only thing that changes is the NAT config.
For this scenario, twice NAT is needed (because of the overlapping interesting traffic) and NAT-T must be enabled.
Twice NAT:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/nat_rules.html
Rate if it helps.
Regards,
Josue Brenes
TAC - VPN Engineer.
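To put Flavio's "NAT on the router, NAT again on the ASA" and Josue's twice NAT plus NAT-T notes into one picture, here is an added configuration illustration; it is not from the thread or from Cisco's linked document. Assumed values: site A's 10.213.20.0/24 is presented to site B as 192.168.20.0/24, site B's 10.213.20.0/24 is presented to site A as 192.168.30.0/24, the ISR interface names are invented, and the PSK and ASA public IP are placeholders.

```cisco
! ---- ASA (Site A, static public IP; ASA 8.3+ syntax) ----
object network SITEA-REAL
 subnet 10.213.20.0 255.255.255.0
object network SITEA-MAPPED
 subnet 192.168.20.0 255.255.255.0
object network SITEB-MAPPED
 subnet 192.168.30.0 255.255.255.0
! Twice NAT: site A's 10.213.20.0/24 leaves as 192.168.20.0/24 only when the
! destination is site B's mapped range, so the overlap never appears on the wire
nat (inside,outside) source static SITEA-REAL SITEA-MAPPED destination static SITEB-MAPPED SITEB-MAPPED
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
crypto ipsec ikev1 transform-set TS esp-aes-256 esp-sha-hmac
! Dynamic crypto map: the ASA cannot know the CPE's public IP, so it only
! answers; the router behind the CPE must initiate the tunnel
crypto dynamic-map DYN 10 set ikev1 transform-set TS
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN
crypto map OUTSIDE-MAP interface outside
crypto ikev1 enable outside
crypto isakmp nat-traversal 20
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
! ---- ISR 4431 (Site B, behind the 4G CPE, securityk9 license) ----
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <PSK-PLACEHOLDER> address <ASA-PUBLIC-IP>
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
! Site B's 10.213.20.0/24 is statically translated to 192.168.30.0/24 in both directions
ip nat inside source static network 10.213.20.0 192.168.30.0 /24
! Crypto ACL uses the translated addresses: IOS applies NAT before encryption
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
crypto map CM 10 ipsec-isakmp
 set peer <ASA-PUBLIC-IP>
 set transform-set TS
 match address VPN-TRAFFIC
interface GigabitEthernet0/0/0
 ip nat inside
interface GigabitEthernet0/0/1
 ip nat outside
 crypto map CM
```

Hosts in site A reach site B as 192.168.30.x and hosts in site B reach site A as 192.168.20.x; the static network NAT on the router means its LAN has no separate internet PAT here, which matches the thread's note that this subnet does not need internet access.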
10-15-2017 09:00 PM
Thanks Josue for your reply,
Do you mean that NAT-T must be enabled on the Cisco router or on the 4G router, and that twice NAT will be done on the ASA for network 10.213.20.0/24? Note this network doesn't need to reach the internet, just to connect to the other site. Please explain the twice NAT point to me.
I appreciate your support
BR
Mohamed Hesham
10-15-2017 09:27 PM
10-16-2017 06:36 AM
I followed the steps with the change for the version,
but it is not working; I can't even establish the tunnel. Please advise.
10-16-2017 07:45 AM
The CPE is not the source of the VPN.
Two NATs are used, but not at each end of the internet link; rather, twice at the same end.
-> In my opinion this is not a "twice NAT" configuration.
In this scenario there is no way to configure the public IP of the CPE as the source of the VPN.
-> The ASA needs to accept VPN from ANY source.
-> You need another way to authenticate your router.
-> Use PKI.
10-16-2017 07:57 AM
Forget the two same subnets; I tried to configure static IPsec from the Cisco router side behind the CPE and configured a dynamic crypto map on the ASA, following the example like Josue Brenes's,
but the tunnel is not established. I modified the drawing to get my point across.