Site-to-Site VPN Possible behind NAT routers on both ends?

Adam Frederick
Level 3

Good day,

After extensive research I have found no answer so I'm turning to the community.

I'm trying to help a friend set up a VPN, but it's a scenario I haven't dealt with and I hope someone has.

Here is the basic schematic;

Site 1 - 172.16.23.0/24

Site 2 - 172.16.24.0/24

(ASA Site 1 - 172.16.23.5)-------Linksys Router w/ Static Public IP-------Internet-------Linksys Router w/ Static Public IP-----(ASA Site 2 - 172.16.24.5)

Is this scenario possible with port forwarding?  Any caveats I need to watch out for?

I've read that I'll need a route in my ASA, say Site 1 ASA, that says... route 172.16.24.0 255.255.255.0 1.1.1.1 (Point to public IP of local ASA).

I've also read I'll need an additional route in my linksys router (site 1) that says... route 172.16.24.0 255.255.255.0 172.16.23.5 (Point to local ASA interface)

Thanks for any input and suggestions,

A

1 Accepted Solution

rvarelac
Level 7

Hi Adam, 

You're right, with port forwarding you can create an IPSEC tunnel even if NAT is present on both ends.

Also, NAT-T is a feature enabled by default on the ASA which automatically detects if the device is behind NAT and switches the IPSEC port to UDP 4500. Here is the syntax of the command:

ASA(config)# crypto isakmp nat-traversal 20

How NAT-T works

As well, here is a document for your reference to build up the VPN tunnel:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119141-configure-asa-00.html

Regarding the routing, all the traffic will be going out from the ASA using the IP where the crypto map is applied; the routing on the Linksys devices only has to make sure that this IP is routed out to the internet and that there is connectivity between the 2 ASAs.

Hope it helps

-Randy-
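To make the "automatically detects if the device is behind NAT" step concrete, here is an added example (not from the thread or from Cisco) that models the NAT detection exchange from RFC 7296 section 2.23, which is the same idea the IKEv1 NAT-D payloads of RFC 3947 use. Each peer hashes SPIi | SPIr | IP | port for the address it thinks it has and for the address it is sending to; the receiver recomputes both hashes from the headers it actually observes, and any mismatch means a NAT rewrote the packet on the way. The topology is the one in the question (ASAs at 172.16.23.5 and 172.16.24.5 behind port-forwarding routers); the public IPs 203.0.113.10 and 198.51.100.20, the SPI values and the fixed-port forward are constructed assumptions, and SHA-1 is the hash IKEv2 mandates for this payload.

```python
import hashlib
import ipaddress
import struct
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Endpoint:
    """An IP address and UDP port as they appear in a packet header."""
    ip: str
    port: int


@dataclass(frozen=True)
class IkeInit:
    """The parts of an IKE_SA_INIT message that matter for NAT detection.

    src/dst are the outer UDP header, which NAT devices rewrite; the two
    NAT_DETECTION_*_IP hashes sit inside the IKE payload and are not rewritten.
    """
    spi_i: bytes
    spi_r: bytes
    nat_d_source: bytes       # hash of the address the sender believes it has
    nat_d_destination: bytes  # hash of the address the sender believes the peer has
    src: Endpoint
    dst: Endpoint


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ep: Endpoint) -> bytes:
    """SHA-1(SPIi | SPIr | IP | port) as specified in RFC 7296 section 2.23."""
    data = spi_i + spi_r + ipaddress.ip_address(ep.ip).packed + struct.pack("!H", ep.port)
    return hashlib.sha1(data).digest()


def build_ike_init(spi_i: bytes, spi_r: bytes, local: Endpoint, peer: Endpoint) -> IkeInit:
    """Sender side: hash its own address and the peer address it is sending to."""
    return IkeInit(
        spi_i=spi_i,
        spi_r=spi_r,
        nat_d_source=nat_detection_hash(spi_i, spi_r, local),
        nat_d_destination=nat_detection_hash(spi_i, spi_r, peer),
        src=local,
        dst=peer,
    )


def source_nat(msg: IkeInit, public_ip: str) -> IkeInit:
    """The sender's edge router: rewrite the source IP to its public address."""
    return replace(msg, src=Endpoint(public_ip, msg.src.port))


def port_forward(msg: IkeInit, private_ip: str) -> IkeInit:
    """The receiver's edge router: a static port forward (DNAT) to the inside host."""
    return replace(msg, dst=Endpoint(private_ip, msg.dst.port))


def detect_nat(msg: IkeInit, my_address: Endpoint) -> tuple[bool, bool]:
    """Receiver side. Returns (peer_behind_nat, self_behind_nat)."""
    # Recompute the peer's hash from the observed source header; a NAT on the
    # path changed the header, so the hash no longer matches the payload.
    peer_behind_nat = nat_detection_hash(msg.spi_i, msg.spi_r, msg.src) != msg.nat_d_source
    # The peer hashed the address it sent to (our public IP); we hash the
    # address we actually own. A mismatch means we sit behind a NAT.
    self_behind_nat = nat_detection_hash(msg.spi_i, msg.spi_r, my_address) != msg.nat_d_destination
    return peer_behind_nat, self_behind_nat


def ike_port_after_detection(peer_behind_nat: bool, self_behind_nat: bool) -> int:
    """NAT-T moves IKE and UDP-encapsulated ESP to UDP 4500 if either side is NATed."""
    return 4500 if (peer_behind_nat or self_behind_nat) else 500


def simulate_both_sides_natted() -> tuple[bool, bool, int]:
    """The thread's topology; public IPs and SPIs are constructed values."""
    asa1 = Endpoint("172.16.23.5", 500)
    asa2 = Endpoint("172.16.24.5", 500)
    linksys1_public = "203.0.113.10"   # constructed
    linksys2_public = "198.51.100.20"  # constructed
    spi_i = bytes.fromhex("0123456789abcdef")
    spi_r = bytes(8)  # responder SPI is zero in the IKE_SA_INIT request

    # ASA1 only knows its private address and the peer's public one.
    msg = build_ike_init(spi_i, spi_r, asa1, Endpoint(linksys2_public, 500))
    msg = source_nat(msg, linksys1_public)   # leaves site 1
    msg = port_forward(msg, asa2.ip)         # UDP 500 forwarded to ASA2 at site 2

    peer_nat, self_nat = detect_nat(msg, asa2)
    return peer_nat, self_nat, ike_port_after_detection(peer_nat, self_nat)


def simulate_no_nat() -> tuple[bool, bool, int]:
    """Control case: two peers with public addresses and no NAT in the path."""
    a = Endpoint("203.0.113.10", 500)
    b = Endpoint("198.51.100.20", 500)
    msg = build_ike_init(bytes.fromhex("0123456789abcdef"), bytes(8), a, b)
    peer_nat, self_nat = detect_nat(msg, b)
    return peer_nat, self_nat, ike_port_after_detection(peer_nat, self_nat)


if __name__ == "__main__":
    print("both sides behind NAT:", simulate_both_sides_natted())
    print("no NAT:", simulate_no_nat())
```

The practical consequence for the port forwards: both routers need UDP 500 and UDP 4500 forwarded to the inside ASA. Once NAT-T is negotiated, ESP travels inside UDP 4500, so the routers never need to pass raw IP protocol 50, which most consumer NAT devices cannot forward reliably anyway. The detection also works if a router rewrites the source port rather than preserving it, since the port is part of the hash.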