Site-to-Site VPN Possible behind NAT routers on both ends?

Adam Frederick
Level 3

Good day,

After extensive research I have found no answer so I'm turning to the community.

I'm trying to help a friend set up a VPN, but it's a scenario I haven't dealt with and hope someone has.

Here is the basic schematic:

Site 1 - 172.16.23.0/24

Site 2 - 172.16.24.0/24

(ASA Site 1 - 172.16.23.5)-------Linksys Router w/ Static Public IP-------Internet-------Linksys Router w/ Static Public IP-----(ASA Site 2 - 172.16.24.5)

Is this scenario possible with port forwarding?  Any caveats I need to watch out for?

I've read that I'll need a route in my ASA, say Site 1 ASA, that says... route 172.16.24.0 255.255.255.0 1.1.1.1 (Point to public IP of local ASA).

I've also read I'll need an additional route in my linksys router (site 1) that says... route 172.16.24.0 255.255.255.0 172.16.23.5 (Point to local ASA interface)

Thanks for any input and suggestions,

A

5 Replies

carlguer
Level 1

Hi Adam,

I've seen some configurations where you aim at the public IP on the other end and then that router does a port-forwarding to the router IP, but I don't know if this works all the time.

Have you tried setting this in a Lab?

Also, those routes look really weird; the route should always aim at the next hop. In this case, if you want to get to 172.16.24.0 255.255.255.0 you should aim at your ISP, because that network is across the tunnel.

I wish I had the option of testing in a lab but I don't unfortunately.

I agree on the routes; they should point to the next hop, but given this scenario I wanted to clarify from an article I read earlier.

I would imagine port forwarding udp/500 and udp/4500 to the ASA boxes and using the Linksys public IP as tunnel endpoints in my ASA tunnel config should do the trick. Along with a route in each Linksys pointing to the local ASA for the remote subnet, or are you saying that route in my Linksys should point to the other end's public IP?
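As an added example (not from any poster in this thread), a small Python classifier for the two UDP ports mentioned above: it shows why both udp/500 and udp/4500 have to be forwarded to the ASA, and how NAT-Traversal tells IKE, ESP and keepalives apart on 4500. The sample packets are constructed for the demo, not captured traffic.

```python
import struct

# Ports the thread says must be forwarded from each Linksys to its ASA.
IKE_PORT = 500     # plain ISAKMP/IKE
NATT_PORT = 4500   # IKE and ESP multiplexed by NAT-Traversal (RFC 3948)

def parse_ike_header(hdr: bytes) -> dict:
    """Decode the fixed 28-byte ISAKMP/IKE header shared by IKEv1 and IKEv2."""
    if len(hdr) < 28:
        return {"error": "short IKE header"}
    _ispi, _rspi, _np, ver, exch, flags, _msgid, length = struct.unpack("!QQBBBBII", hdr[:28])
    return {
        "ike_version": f"{ver >> 4}.{ver & 0x0F}",
        "exchange_type": exch,        # 2 = IKEv1 main mode, 34 = IKEv2 IKE_SA_INIT
        "flags": flags,
        "length_ok": length == len(hdr),
    }

def classify_forwarded_udp(dst_port: int, payload: bytes) -> dict:
    """Classify a UDP payload the way the forwarded ports on the ASA would see it."""
    if dst_port == IKE_PORT:
        return {"kind": "IKE", **parse_ike_header(payload)}
    if dst_port != NATT_PORT:
        return {"kind": "not-ipsec"}
    if payload == b"\xff":                    # NAT keepalive: a single 0xFF byte
        return {"kind": "NAT-keepalive"}
    if payload[:4] == b"\x00\x00\x00\x00":     # Non-ESP marker precedes IKE on 4500
        return {"kind": "IKE", **parse_ike_header(payload[4:])}
    if len(payload) >= 8:                      # otherwise ESP: SPI then sequence number
        spi, seq = struct.unpack("!II", payload[:8])
        return {"kind": "ESP", "spi": spi, "seq": seq}
    return {"kind": "malformed"}

# Constructed samples (not captured traffic): a header-only IKEv2 IKE_SA_INIT
# request, the same message wrapped for UDP/4500, an ESP packet and a keepalive.
SAMPLE_IKE = struct.pack("!QQBBBBII", 0x1122334455667788, 0, 33, 0x20, 34, 0x08, 0, 28)
SAMPLE_IKE_NATT = b"\x00\x00\x00\x00" + SAMPLE_IKE
SAMPLE_ESP = struct.pack("!II", 0x0A0B0C0D, 7) + bytes(16)
SAMPLE_KEEPALIVE = b"\xff"

def demo() -> dict:
    """Run the classifier over the samples; returns {label: classification}."""
    return {
        "udp500_ike": classify_forwarded_udp(IKE_PORT, SAMPLE_IKE),
        "udp4500_ike": classify_forwarded_udp(NATT_PORT, SAMPLE_IKE_NATT),
        "udp4500_esp": classify_forwarded_udp(NATT_PORT, SAMPLE_ESP),
        "udp4500_keepalive": classify_forwarded_udp(NATT_PORT, SAMPLE_KEEPALIVE),
        "udp443_other": classify_forwarded_udp(443, b"not ipsec"),
    }
```

If a Linksys forwards only udp/500, the tunnel negotiates but every ESP packet (and the NAT-T re-homed IKE) on 4500 is dropped, which is the usual "phase 1 up, no traffic" symptom behind NAT.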

Exactly.

That's the way it should work.

Just to clarify, would you point the route to the remote subnet in the Linksys router to use the remote site's public IP or the local ASA?

I assume the ASA, since the Linksys has no way to build the tunnel, but my brain is running on empty at this point :) Thanks for your input.

I would use something like this:

Let's say that 1.1.1.1 is the ISP for ASA1

ASA1:

route outside 0.0.0.0 0.0.0.0 1.1.1.1

Linksys1:

172.16.23.0 255.255.255.0 outside IP in the ASA