Using Cisco Client to site VPN on an ASA 5520 behind NAT

trodecke
Level 1

I apologize if this has been asked and answered in the forums. I searched, and while I found a large number of entries that danced all around this particular question, I never found anything that addressed this specific question. We are currently using an ASA 5520 as the head end of a relatively large client-to-site IPSEC VPN (roughly 240 users, not consecutively). This ASA is currently sitting behind a Checkpoint firewall with an actual publicly addressable IP address on its public interface. All our clients are using the legacy Cisco VPN client (not the AnyConnect one). We are planning on putting a couple of F5 Link Controllers in place between the ISPs and the firewalls. For VPN connectivity, F5 recommends that we NAT the IP address (called a Wide IP) at the F5 and point it back to a private IP address on the ASA. My question is, will this work? I've always heard that the head end needed to have a public IP address on it, as that's what will be placed in the packets for the client to talk back to.

For clarification, here's what we have currently and what we're being asked to go to:

Current

ISP - Router ------  Firewall ------  ASA (public IP address as endpoint)


Proposed

ISP - Router ------ F5 (public IP address as endpoint, NATed to ASA) ------ Firewall ------ ASA (10.X.X.X as its outside interface)

Alternative Proposed

ISP - Router ------ F5 (public IP address as endpoint, NATed to ASA) ------ ASA (10.X.X.X as its outside interface)

Any and all thoughts at this time would be greatly appreciated. Thanks!

2 Accepted Solutions

mopaul
Cisco Employee

Hi,

If there is a one-to-one static NAT on the F5 for the ASA's outside interface, then I do not think there would be any issues, because when the client attempts to build an IKE connection to the translated public IP address, the F5 will redirect the request to the ASA outside interface, which is configured for VPN.

Also, ensure that UDP 500, UDP 4500 and ESP are allowed, and then you should be good to go.

HTH

Regards
Mohit

Mohit Paul CCIE-Security 35496 P.S Please do rate this post if you find it helpful to make it easier for others seeking answers to similar queries

Also, you should ensure that NAT traversal is enabled, which it should be by default. It's one of those commands that does not show up in the config when it's enabled. To turn it on, use: crypto isakmp nat-traversal. The 'no' form of the command will disable it.

Thanks guys. NAT-T is enabled on all the interfaces on the ASA. I really appreciate your help. This will allow us to leave our clients with their existing VPN server config and not have to change all those PCF files.

Hi trodecke,

It's been a long time since you wrote this post. I have the same issue: VPN on an ASA behind an F5.

Can you advise how you forwarded traffic between the F5 and the ASA?

Thank you.

You're right, this has been a long time. Basically, what the others said was totally true. As they mentioned, as long as you have NAT-T (NAT Traversal) enabled in the configuration, you'll be able to make a connection without issue. If you're asking about the actual F5 configuration, there are a couple of ways of doing it. The easiest (though it's the hardest to monitor) is to have a virtual server with a service port of all (0). That will send all traffic, UDP and TCP, to the node IP address of the ASA. The more accurate way of doing it (so you can better monitor it, assuming you have multiple ASAs) is to build a separate pool and virtual server for each protocol you need to forward to the ASA. It's more work to create separate pools and virtual servers for IP protocol 50, 51, 57, UDP 500, UDP 4500, etc., but it does allow you to create more accurate monitors than the standard ICMP monitor.
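Why NAT-T lets the ASA sit on a private address behind the F5, as an added example that is not from any poster in this thread: a sketch of the RFC 3947 NAT-D check, in which each IKE peer hashes the addresses it believes are in use and the receiver recomputes the hash over what actually arrived. All cookies and addresses below are constructed sample values, SHA-1 is assumed as the negotiated hash, and the function names are hypothetical.

```python
import hashlib
import ipaddress
import struct

def nat_d_hash(cky_i, cky_r, ip, port, hash_name="sha1"):
    """RFC 3947 NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port)."""
    packed = ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, cky_i + cky_r + packed).digest()

def sender_natd(cky_i, cky_r, src, dst):
    """NAT-D payloads as the sender builds them: destination hash first,
    then one hash per address the sender might be using as source."""
    return nat_d_hash(cky_i, cky_r, *dst), [nat_d_hash(cky_i, cky_r, *src)]

def receiver_check(cky_i, cky_r, natd_dst, natd_srcs, seen_src, seen_dst):
    """Recompute both hashes from the packet as it arrived.
    A destination mismatch means the receiver itself is behind NAT;
    a source mismatch means the sending peer is behind NAT."""
    local_nat = nat_d_hash(cky_i, cky_r, *seen_dst) != natd_dst
    peer_nat = nat_d_hash(cky_i, cky_r, *seen_src) not in natd_srcs
    return {
        "local_behind_nat": local_nat,
        "peer_behind_nat": peer_nat,
        # If either side is translated, IKE and ESP move to UDP 4500.
        "float_to_udp_4500": local_nat or peer_nat,
    }

# Constructed sample values (documentation address ranges, made-up cookies).
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("1112131415161718")
CLIENT = ("198.51.100.20", 500)    # VPN client, assumed not behind NAT
WIDE_IP = ("203.0.113.10", 500)    # public address the PCF file points at
ASA_PRIVATE = ("10.0.0.5", 500)    # ASA outside interface behind the F5

def asa_view(asa_outside):
    """What the ASA concludes when the client dials the public address and
    the packet arrives addressed to asa_outside."""
    natd_dst, natd_srcs = sender_natd(CKY_I, CKY_R, CLIENT, WIDE_IP)
    return receiver_check(CKY_I, CKY_R, natd_dst, natd_srcs, CLIENT, asa_outside)

if __name__ == "__main__":
    print("ASA holds the public IP :", asa_view(WIDE_IP))
    print("ASA behind F5 static NAT:", asa_view(ASA_PRIVATE))
```

In the second case the ASA detects that it is the translated side, which is why UDP 4500 has to be forwarded by the F5 and permitted by any firewall in the path, alongside UDP 500.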