site to site vpn between Static IP and dynamic IP between ASA and Cisco router connected to CPE

Dears,

I have a Firewall ASA 5555 in Site A with a static IP address. At the remote site, Site B, I have a 4G CPE with, of course, a dynamic IP, connected to a Cisco Router ISR 4431. Kindly find the drawing in the attachment. Network 10.213.20.0/24 is in both sites; I need to connect the two sites through a site-to-site VPN or any suitable solution.

9 Replies

@Mohamed H. Abdelmotaleb

The VPN tunnel will be between the ASA and the Cisco router? If so, it will be a little tricky, but I think it is possible. Make sure the router has the securityk9 license.

The 4G CPE may need to support NAT traversal.

Let me know which step you are at and what you need.

-If I helped you somehow, please, rate it as useful.-

Thanks Flavio for your reply,

Yes, the VPN tunnel is between the ASA and the Cisco router. I am forced to use a 4G CPE with limited features because I don't have a leased line in this site. Yes, I have the security license on the Cisco router (SL-44-SEC-K9). The 4G CPE has only Cone and Symmetric NAT; I think it doesn't support T-NAT. Now I need to establish the VPN tunnel and allow network 10.213.20.0/24 at both sites to communicate, so please advise.

 

BR

Mohamed Hesham

Alright.

For the ASA and the router you can find config examples on the internet; here on the forum there must be plenty.

After setting up both sides you can set cone NAT on the CPE.

The ASA will try to establish the tunnel with the public IP of the CPE, and the CPE will forward the traffic to the router and vice versa.

VPN through NAT is largely discussed.

The same network on both sides adds more challenge. In this case you need to perform NAT on the router to a different IP range and NAT again on the ASA side to the corresponding IP address.

Never tried this, but it should work.

-If I helped you somehow, please, rate it as useful.-

Josue Brenes
Cisco Employee

Hi,

It can be done.
Here is the link that explains the steps to configure the dynamic to static IPSEC:
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112075-dynamic-ipsec-asa-router-ccp.html

If you are using ASA version 8.3+, the only thing that changes is the NAT config.
For this scenario, twice NAT is needed (because of the overlapping interesting traffic) and NAT-T must be enabled.
Twice NAT:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/nat_rules.html

Rate if it helps.

Regards,
Josue Brenes
TAC - VPN Engineer.
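A sketch of the NAT-then-encrypt layout that Flavio and Josue describe, written as an added example (it is not the thread author's configuration nor the linked Cisco document's): the ASA twice NAT rule plus a dynamic crypto map on the static side, and the mirrored static network NAT on the ISR. The mapped subnets, interface names, pre-shared key and ASA public IP are placeholders, and the phase 1 IKE policies are omitted on both sides.

```cisco
! ---- ASA 5555, site A (static public IP), ASA 8.3+/9.x syntax ----
! 10.10.10.0/24 (site A as seen from B) and 10.10.20.0/24 (site B as seen from A) are constructed placeholders.
object network SITEA_REAL
 subnet 10.213.20.0 255.255.255.0
object network SITEA_MAPPED
 subnet 10.10.10.0 255.255.255.0
object network SITEB_MAPPED
 subnet 10.10.20.0 255.255.255.0
! Twice NAT: source 10.213.20.x -> 10.10.10.x only when the destination is site B's
! mapped range. The destination stays unchanged because the router un-maps it.
nat (inside,outside) source static SITEA_REAL SITEA_MAPPED destination static SITEB_MAPPED SITEB_MAPPED
! Interesting traffic is written with the mapped ranges, never 10.213.20.0/24.
access-list VPN_SITEB extended permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
crypto ikev1 enable outside
crypto isakmp nat-traversal 20
crypto ipsec ikev1 transform-set TS esp-aes-256 esp-sha-hmac
! Dynamic map: the router's 4G address is unknown, so only the router can initiate.
crypto dynamic-map DYN 10 match address VPN_SITEB
crypto dynamic-map DYN 10 set ikev1 transform-set TS
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN
crypto map OUTSIDE_MAP interface outside
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_PSK
! A matching "crypto ikev1 policy" (phase 1) is also required; omitted here.

! ---- ISR 4431, site B (behind the 4G CPE), IOS-XE ----
! Mirror image: source 10.213.20.x -> 10.10.20.x, destination is site A's mapped range.
access-list 101 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
! Static network NAT translates all LAN traffic; acceptable here because the LAN only
! needs site A. Outbound, NAT runs before encryption, so the crypto ACL matches the
! translated source; inbound, decryption happens first and NAT restores 10.213.20.x.
ip nat inside source static network 10.213.20.0 10.10.20.0 /24
! "crypto isakmp policy" (phase 1) omitted; it must match the ASA's ikev1 policy.
crypto isakmp key REPLACE_WITH_PSK address ASA_PUBLIC_IP_PLACEHOLDER
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
crypto map SITEA 10 ipsec-isakmp
 set peer ASA_PUBLIC_IP_PLACEHOLDER
 set transform-set TS
 match address 101
! Interface names and the DHCP-assigned WAN address are assumptions for this ISR.
interface GigabitEthernet0/0/0
 description LAN 10.213.20.0/24
 ip nat inside
interface GigabitEthernet0/0/1
 description to 4G CPE (private address handed out by the CPE)
 ip address dhcp
 ip nat outside
 crypto map SITEA
! NAT-T is on by default in IOS; the CPE only has to pass UDP 500/4500 outbound and keep that mapping open, which cone NAT does.
```

Both crypto ACLs must be exact mirrors of each other in the mapped ranges, otherwise phase 2 fails with a proxy identity mismatch even though phase 1 comes up.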

Thanks Josue for your reply,

You mean that T-NAT must be enabled on the Cisco router or on the 4G router, and twice NAT will be done on the ASA for network 10.213.20.0/24? Note that this network doesn't need to reach the internet, just to connect to the other site. Please explain the twice NAT point to me.

I appreciate your support.

BR

Mohamed Hesham


I followed the steps, with the change of the version:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112075-dynamic-ipsec-asa-router-ccp.html

but it is not working. I can't even establish the tunnel; please advise.

 

The CPE is not the source of the VPN.

Two NATs are used, but not one at each end of the internet link; rather twice at the same end.

-> in my opinion this is not a "twice NAT" configuration.

 

In this scenario there is no way to configure the public IP of the CPE as the source of the VPN.

-> the ASA needs to accept VPN from ANY source

-> you need another way to authenticate your router

-> use PKI

 

Forget the two identical subnets; I tried to configure static IPsec from the Cisco router side behind the CPE and configured a dynamic crypto map on the ASA, following the same example as Josue Brenes:

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112075-dynamic-ipsec-asa-router-ccp.html

 

but the tunnel is not established. I modified the drawing to get my point across.