some security questions..

secureIT · ‎03-30-2014

hi all,

i have some questions regarding the site to site vpn as illustrated below.

scenario:

--()isp---router---asa---switch--lan

if the router lap ip is private and asa outside ip is public, can we still initiate s2s vpn, or its should be mandatory that router lan ip also must be a public?

second qstn: in which scenario, crypto nat traversal is mandatory for vpns to work ?

Karsten Iwen · ‎03-30-2014

You can always initiate a s2s vpn, regardless of the IP in this case. But there are scenarios where the ASA with a private IP can't be the responder and always has to initiate the connection.
NAT-traversal is normally done if there is any form of NAT/PAT on the path between the IPSec-Peers. But if there is control over the NAT-Device it could be used without NAT-Traversal wen the port-forwarding is set up correct. But if NAT-Traversal is enabled, which is typically the default, then it's used automatically regardless of the NAT-setup.

secureIT · ‎03-30-2014

Thats great Karsten.

1. you meant to say, ASA outside can be a pvt ip and so the router lan, but in router we can do a static nat of the asa outside pvt ip ? correct ?

if asa outside is public, and router lan is pvt, then also we can establish s2s.

what are the scenarios where asa with pvt ip can not be a responder. ?

initiater/respomder is decided by who initiates a connection first correct...

2. concluding on the crypto nat, if there is any nat device between the peers, and if that nat device is doing any kind of inside nat/outside nat, we have to enable crypto nat traversal, correct me if im wrong.

In s2s vpn, it will never check the interface acl, then while talking about the packet flow, could you please tell me what happens first and the series of actions for outbound and inbound traffic of 8.2 and 8.3