
VPN between 2 ASA 5510 with one router

motoso.de-2013
Level 1

Hi, I have a Cisco ASA 5510 which is connected via VPN (side-to-side) with another Cisco ASA 5510.
Using my FritzBox 7490 only as a modem, everything has worked fine for many years.
Now, as I need to connect some phones, I use the FritzBox 7490 as a router, forwarding everything to
my Cisco ASA 5510. But now the IP of my Cisco ASA 5510 is a private IP on the other firewall,
so it doesn't work. How can I masquerade/translate the private IP as/to a public IP?

2 Replies

  • On the other ASA nothing changes. That device still sees this ASA with the same public IP.
  • On the local ASA you just reconfigure the outside interface and depending on the router-setup, you could remove the NAT on the ASA. 
  • On both ASAs you have to make sure that you didn't disable NAT-T.
  • The FritzBox has to forward UDP/500 and UDP/4500 to the ASA.

Then everything should work as before.

Sorry, it does not work.

  • On the other ASA nothing changes. That device still sees this ASA with the same public IP.
    Nothing was changed.
  • On the local ASA you just reconfigure the outside interface and depending on the router-setup, you could remove the NAT on the ASA.
    The outside interface was changed; everything except the side-to-side VPN works very well.
  • On both ASAs you have to make sure that you didn't disable NAT-T.
    NAT-T is enabled, as I think this is the default, so there is NO "no crypto isakmp nat-traversal" configured.
  • The FritzBox has to forward UDP/500 and UDP/4500 to the ASA.
    The FritzBox forwards everything, the local ASA is configured as "exposed host".

The other ASA sees the local ASA with the private IP and that's why the side-to-side VPN connection is not established, but if I browse on my workstation to an outside HTTP-server, my workstation is seen with my public IP.
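
The NAT-T and UDP/500 plus UDP/4500 points raised in this thread rest on the IKEv1 NAT detection defined in RFC 3947; the following is an added example, not code from either poster or from Cisco, that computes the NAT-D hashes for the modem setup and the router setup. The cookies, all IP addresses and the choice of SHA-1 as the negotiated hash are assumptions made for illustration.

```python
import hashlib
import ipaddress
import struct

def nat_d_hash(cky_i, cky_r, ip, port, algo="sha1"):
    """RFC 3947 NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port)."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("IKE cookies are 8 octets each")
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()

def sender_nat_d(cky_i, cky_r, local, peer):
    """NAT-D payloads in the order they are sent: destination hash, then source hash."""
    return nat_d_hash(cky_i, cky_r, *peer), nat_d_hash(cky_i, cky_r, *local)

def receiver_check(cky_i, cky_r, nat_d, seen_src, seen_dst):
    """Recompute both hashes from the addresses on the packet as it arrived."""
    dst_hash, src_hash = nat_d
    sender_natted = src_hash != nat_d_hash(cky_i, cky_r, *seen_src)
    receiver_natted = dst_hash != nat_d_hash(cky_i, cky_r, *seen_dst)
    nat_found = sender_natted or receiver_natted
    return {
        "sender_behind_nat": sender_natted,
        "receiver_behind_nat": receiver_natted,
        # Once NAT is detected, IKE and ESP-in-UDP move to UDP/4500.
        "udp_port_after_detection": 4500 if nat_found else 500,
    }

def demo():
    # Constructed values: cookies and all addresses are placeholders.
    cky_i, cky_r = bytes(range(8)), bytes(range(8, 16))
    remote_asa = ("203.0.113.20", 500)     # other ASA, public address
    public_src = ("198.51.100.10", 500)    # source the other ASA sees in both setups
    modem_mode = sender_nat_d(cky_i, cky_r, ("198.51.100.10", 500), remote_asa)
    router_mode = sender_nat_d(cky_i, cky_r, ("192.168.178.2", 500), remote_asa)
    return (receiver_check(cky_i, cky_r, modem_mode, public_src, remote_asa),
            receiver_check(cky_i, cky_r, router_mode, public_src, remote_asa))

if __name__ == "__main__":
    for label, result in zip(("modem mode", "router mode"), demo()):
        print(label, result)
```

In the router case the source hash no longer matches the address on the wire, so the exchange continues on UDP/4500, which is why both ports have to reach the ASA.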