01-26-2016 01:34 PM
Good day,
After extensive research I have found no answer so I'm turning to the community.
I'm trying to help a friend set up a VPN but it's a scenario I haven't dealt with and hope someone has.
Here is the basic schematic:
Site 1 - 172.16.23.0/24
Site 2 - 172.16.24.0/24
(ASA Site 1 - 172.16.23.5)-------Linksys Router w/ Static Public IP-------Internet-------Linksys Router w/ Static Public IP-----(ASA Site 2 - 172.16.24.5)
Is this scenario possible with port forwarding? Any caveats I need to watch out for?
I've read that I'll need a route in my ASA, say Site 1 ASA, that says... route 172.16.24.0 255.255.255.0 1.1.1.1 (Point to public IP of local ASA).
I've also read I'll need an additional route in my Linksys router (site 1) that says... route 172.16.24.0 255.255.255.0 172.16.23.5 (Point to local ASA interface).
Thanks for any input and suggestions,
A
01-26-2016 07:24 PM
Hi Adam,
You're right, with port forwarding you can create an IPsec tunnel even if NAT is present on both ends.
Also, NAT-T is a feature enabled by default on the ASA which automatically detects if the device is behind NAT and switches the IPsec port to UDP 4500. Here is the syntax of the command:
ASA(config)# crypto isakmp nat-traversal 20
As well, here is a document for your reference to build up the VPN tunnel:
Regarding the routing, all the traffic will be going out from the ASA using the IP where the crypto map is applied. The routing on the Linksys devices only has to take care that this IP is routed out to the internet and that there is connectivity between the 2 ASAs.
Hope it helps
-Randy-
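How the automatic NAT detection mentioned in the reply above works, as an added example that is not part of the original thread: during IKEv1 each peer sends NAT-D hashes of the addresses it believes it is using (RFC 3947), and the receiver recomputes them from the packet as it actually arrived. The public addresses (documentation ranges) and the cookies are constructed values, and the function names are hypothetical.

```python
import hashlib
import ipaddress
import struct

IKE_PORT, NAT_T_PORT = 500, 4500

def nat_d_hash(cky_i, cky_r, ip, port, hash_name="sha1"):
    """One NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port)."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()

def build_nat_d(cky_i, cky_r, src, dst):
    """Sender: first payload hashes the destination, second its own source."""
    return [nat_d_hash(cky_i, cky_r, *dst), nat_d_hash(cky_i, cky_r, *src)]

def detect_nat(cky_i, cky_r, nat_d, seen_src, seen_dst):
    """Receiver: recompute both hashes from the packet as it actually arrived."""
    remote = nat_d[1] != nat_d_hash(cky_i, cky_r, *seen_src)  # sender's source was rewritten
    local = nat_d[0] != nat_d_hash(cky_i, cky_r, *seen_dst)   # our own address was rewritten
    return {"remote_behind_nat": remote, "local_behind_nat": local,
            "ike_port": NAT_T_PORT if (remote or local) else IKE_PORT}

# Constructed sample values: cookies and public IPs are assumptions, not from the thread.
CKY_I = bytes.fromhex("1122334455667788")
CKY_R = bytes.fromhex("99aabbccddeeff00")
SITE1_ASA = ("172.16.23.5", IKE_PORT)      # private address from the thread
SITE2_ASA = ("172.16.24.5", IKE_PORT)      # private address from the thread
SITE1_PUBLIC = ("203.0.113.1", IKE_PORT)   # assumed Linksys public IP, site 1
SITE2_PUBLIC = ("198.51.100.2", IKE_PORT)  # assumed Linksys public IP, site 2

def thread_topology():
    """Site 1 ASA initiates; both Linksys routers translate the packet."""
    sent = build_nat_d(CKY_I, CKY_R, src=SITE1_ASA, dst=SITE2_PUBLIC)
    return detect_nat(CKY_I, CKY_R, sent, seen_src=SITE1_PUBLIC, seen_dst=SITE2_ASA)

def no_nat():
    """Same exchange with both peers directly on their public addresses."""
    sent = build_nat_d(CKY_I, CKY_R, src=SITE1_PUBLIC, dst=SITE2_PUBLIC)
    return detect_nat(CKY_I, CKY_R, sent, seen_src=SITE1_PUBLIC, seen_dst=SITE2_PUBLIC)

if __name__ == "__main__":
    print(thread_topology())
    print(no_nat())
```

In the thread's topology both hashes mismatch, so the peers move IKE and ESP onto UDP 4500, which is why the port forward on each Linksys has to cover UDP 4500 as well as UDP 500.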