05-10-2010 01:27 PM
I apologize if this has been asked and answered in the forums. I searched and while I found a large number of entries that danced all around this particular question, I never found anything that addressed this specific question. We are currently using an ASA 5520 as the head end of a relatively large client to site IPSEC VPN (roughly 240 users, not consecutively). This ASA is currently sitting behind a Checkpoint firewall with an actual publicly addressable IP address on its public interface. All our clients are using the legacy Cisco VPN client (not the AnyConnect one). We are planning on putting a couple of F5 Link Controllers in place between the ISPs and the firewalls. For VPN connectivity F5 recommends that we NAT the IP address (called a Wide IP) at the F5 and point it back to a private IP address on the ASA. My question is, will this work? I've always heard that the head end needed to have a public IP address on it as that's what will be placed in the packets for the client to talk back to.
For clarification, here's what we have currently and what we're being asked to go to;
Current
ISP - Router ------ Firewall ------ ASA (public IP address as endpoint)
Proposed
ISP - Router ------ F5 (public IP address as endpoint, NATed to ASA) ------ Firewall ------ ASA (10.X.X.X as its outside interface)
Alternative Proposed
ISP - Router ------ F5 (public IP address as endpoint, NATed to ASA) ------ ASA (10.X.X.X as its outside interface)
Any and all thoughts at this time would be greatly appreciated. Thanks!
05-10-2010 01:35 PM
Hi,
If there is a one-to-one static NAT on the F5 for the ASA's outside interface, then I do not think there would be any issues.
Because when the client attempts to build an IKE connection to the translated public IP address, the F5 will redirect the request to the ASA outside interface which is configured for VPN.
Also, ensure that UDP 500, UDP 4500 and ESP are allowed and then you should be good to go.
HTH
Regards
Mohit
05-10-2010 01:44 PM
Also, you should ensure that NAT traversal is enabled, which it should be by default. It's one of those commands that does not show up in the config when it's enabled. To turn it on use: crypto isakmp nat-traversal. The 'no' form of the command will disable it.
05-10-2010 01:56 PM
Thanks guys. NAT-T is enabled on all the interfaces on the ASA. I really appreciate your help. This will allow us to leave our clients with their existing VPN server config and not have to change all those PCF files.
01-18-2017 07:20 AM
Hi
It's been a long time since you wrote this post. I have the same issue, VPN on ASA behind F5.
Can you advise how you forwarded traffic between F5 and ASA?
Thank you.
01-18-2017 07:37 AM
You're right, this has been a long time. Basically, what the others said was totally true. As they mentioned, as long as you have NAT-T (NAT Traversal) enabled in the configuration you'll be able to make a connection without issue. If you're asking about the actual F5 configuration, there are a couple of ways of doing it. The easiest (though it's the hardest to monitor) is to have a virtual server with a service port of all (0). That will send all traffic, UDP and TCP, to the node IP address of the ASA. The more accurate way of doing it (so you can better monitor it, assuming you have multiple ASAs), is to build a separate pool and virtual server for each protocol you need to forward to the ASA. It's more work to create separate pools and virtual servers for IP protocol 50, 51, 57, UDP 500, UDP 4500, etc., but it does allow you to create more accurate monitors than the standard ICMP monitor.
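Added example (not from the original thread, and not F5's or Cisco's own configuration) of the per-protocol forwarding the reply above describes, written as BIG-IP tmsh commands. The object names, the public VIP 203.0.113.10 and the ASA's private outside address 10.0.0.10 are assumed placeholders; the tmsh syntax is assumed from LTM's tmsh as generally documented, not taken from the page, so check it against your BIG-IP version.

```tmsh
# Pool whose single member is the ASA's private outside interface.
# Port 0 (any) on the member tells LTM to keep the client's original
# destination port instead of rewriting it. The ICMP monitor matches the
# "standard ICMP monitor" the reply mentions; a UDP or external monitor
# per virtual server is where the more accurate monitoring would go.
create ltm pool pool_asa_vpn members add { 10.0.0.10:0 } monitor gateway_icmp

# IKE / ISAKMP: UDP 500 on the public VIP, forwarded to the ASA.
# FastL4 forwards packets without full proxying, and source-address
# translation is left off so the ASA sees the real client address.
create ltm virtual vs_asa_ike destination 203.0.113.10:500 ip-protocol udp profiles add { fastL4 } pool pool_asa_vpn translate-port disabled source-address-translation { type none }

# NAT-T: UDP 4500, carrying IKE plus UDP-encapsulated ESP once the
# ASA and client detect the NAT in the path.
create ltm virtual vs_asa_natt destination 203.0.113.10:4500 ip-protocol udp profiles add { fastL4 } pool pool_asa_vpn translate-port disabled source-address-translation { type none }

# ESP: IP protocol 50 has no ports, so the destination port is 0 (any).
# Protocols 51 (AH) and 57, listed in the reply, would follow the same pattern.
create ltm virtual vs_asa_esp destination 203.0.113.10:0 ip-protocol 50 profiles add { fastL4 } pool pool_asa_vpn translate-port disabled source-address-translation { type none }

# Alternative from the reply, the "service port of all (0)" approach:
# one wildcard virtual server that forwards every protocol and port to the
# ASA. Simpler, but it cannot be monitored per protocol. Use one or the other.
# create ltm virtual vs_asa_all destination 203.0.113.10:0 ip-protocol any profiles add { fastL4 } pool pool_asa_vpn translate-port disabled source-address-translation { type none }

save sys config
```

The thing to verify after applying this is the same as the 2010 replies say: on the ASA, nat-traversal is enabled (it does not appear in a running config when on), and on any firewall between the F5 and the ASA, UDP 500, UDP 4500 and ESP to 10.0.0.10 are permitted. A client that completes IKE on 500 but never passes data is usually a sign that 4500 or ESP is being dropped somewhere on that path.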