1342 Views, 5 Helpful, 4 Replies

VPN peer behind internet edge router

Jesse Mendez
Level 1

Hello,

I have a design question more than a troubleshooting question and I hope you can help me with this or point me to a good resource where I can get this clear. 

My topology is very simple:

Local Network => ASA => Router => Internet

The idea with this proposal is to have an edge router in charge of routing, obviously plugged directly into the Internet with one public IP address, and then an ASA with stateful packet filtering and VPN capabilities in front of my local network.

My question is, how do I configure my ASA to be accessible from the Internet so it can respond to the VPN requests? If the ASA is the Internet border device with the public IP address configured on one of its interfaces, it is quite simple, but with a router in between I'm kind of lost. Should I perform 1-to-1 NAT at the edge router to point the public IP address directly to the ASA? Or is there any particular port associated with the VPN traffic that I can configure on the edge router to pass only the VPN traffic to the ASA when VPN traffic is received? Similar to what we do when we want HTTP traffic going to one server and SMTP to a different server with one single public IP.

Thank you very much!

Accepted Solution

Very easy. Let's say your Internet edge router has a public IP address of 1.1.1.1 and you want to terminate IPsec on the ASA, but your ASA has a private IP address. Here is what you do on the Internet router, assuming that your router has an IP address of 192.168.1.1 and the ASA "outside" interface has an IP address of 192.168.1.254:

interface F0/0
  description Internet_Facing
  ip nat outside
  ip address 1.1.1.1 255.255.255.252
interface F0/1
  description Internal_Facing
  ip address 192.168.1.1 255.255.255.0
  ip nat inside
! IKE / ISAKMP on UDP 500
ip nat inside source static udp 192.168.1.254 500 interface F0/0 500
! IKE and ESP-in-UDP (NAT-T) on UDP 4500
ip nat inside source static udp 192.168.1.254 4500 interface F0/0 4500
! raw ESP (IP protocol 50), used when the tunnel is not UDP-encapsulated
ip nat inside source static esp 192.168.1.254 interface F0/0

Now you can terminate IPsec on the IP address 1.1.1.1 from the outside world.

Easy right?

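The three static entries above each carry a different leg of the tunnel, and which legs are actually used is decided by NAT traversal: because the ASA's outside address (192.168.1.254) is not the address the remote peer sees (1.1.1.1), IKE detects a NAT and moves both IKE and ESP into UDP/4500, so the raw-ESP entry only comes into play when NAT-T is not in use (on the ASA, `crypto isakmp nat-traversal` controls it; check that it is enabled). The following script is an added example for this thread, not code from the original post or from Cisco; it models the poster's topology and computes the IKEv2 NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notifications of RFC 7296 section 2.23 on both ends (IKEv1 uses the same idea with NAT-D payloads hashed over the cookies). The remote peer address 203.0.113.10, the SPI value and the `static_nat` rule table are constructed sample data; the function and class names are my own.

```python
"""Why the edge router must forward UDP/500 and UDP/4500 to the ASA: an IKEv2
NAT-detection walk-through (added example, not from the original thread).

Topology modelled (from the thread):
  ASA outside 192.168.1.254 -> router static NAT -> 1.1.1.1 -> Internet -> remote peer
All addresses, SPIs and ports below are constructed sample values.
"""
import hashlib
import ipaddress
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ep: Endpoint) -> bytes:
    """RFC 7296 s2.23: SHA-1 over SPIi | SPIr | IP address | port (16-bit, network order).

    The sender hashes the address/port it *believes* it is using; the receiver
    recomputes the hash over what the outer IP/UDP headers actually carry.
    """
    assert len(spi_i) == 8 and len(spi_r) == 8, "IKEv2 SPIs are 8 bytes"
    packed = spi_i + spi_r + ipaddress.ip_address(ep.ip).packed + struct.pack("!H", ep.port)
    return hashlib.sha1(packed).digest()


def nat_detection_payloads(spi_i: bytes, spi_r: bytes, src: Endpoint, dst: Endpoint) -> dict:
    """What a peer puts into IKE_SA_INIT, computed from its own view of the addresses."""
    return {
        "NAT_DETECTION_SOURCE_IP": nat_detection_hash(spi_i, spi_r, src),
        "NAT_DETECTION_DESTINATION_IP": nat_detection_hash(spi_i, spi_r, dst),
    }


def static_nat(src: Endpoint, rules: dict) -> Endpoint:
    """Model the router's `ip nat inside source static udp <inside> <port> interface F0/0 <port>` lines.

    rules maps (inside_ip, inside_port) -> (public_ip, public_port). Flows with no
    matching rule pass unchanged here only to keep the model small.
    """
    return Endpoint(*rules.get((src.ip, src.port), (src.ip, src.port)))


def evaluate_nat_detection(spi_i, spi_r, payloads, observed_src, observed_dst):
    """Receiver side: recompute over the observed headers. Returns (peer_behind_nat, receiver_behind_nat)."""
    peer_behind_nat = payloads["NAT_DETECTION_SOURCE_IP"] != nat_detection_hash(spi_i, spi_r, observed_src)
    receiver_behind_nat = payloads["NAT_DETECTION_DESTINATION_IP"] != nat_detection_hash(spi_i, spi_r, observed_dst)
    return peer_behind_nat, receiver_behind_nat


def ports_after_detection(nat_found: bool) -> tuple:
    """RFC 7296: once a NAT is detected, IKE and ESP move to UDP 4500 (ESP in UDP);
    otherwise IKE stays on UDP 500 and ESP rides as IP protocol 50."""
    return ("UDP/4500", "ESP in UDP/4500") if nat_found else ("UDP/500", "IP protocol 50 (raw ESP)")


def simulate_ike_sa_init(initiator, responder_public, nat_rules, spi_i, responder_local=None):
    """Push one IKE_SA_INIT request through the edge router and report what each side concludes.

    initiator / responder_public: addresses as the initiator sees them.
    nat_rules: the router's static entries, applied to the initiator's source.
    responder_local: the address the responder really receives on when it sits behind a
    static NAT itself (the ASA at 192.168.1.254 when a remote peer dials 1.1.1.1).
    """
    spi_r = bytes(8)  # the responder SPI is zero in the first IKE_SA_INIT request
    payloads = nat_detection_payloads(spi_i, spi_r, initiator, responder_public)
    wire_src = static_nat(initiator, nat_rules)         # what the router writes into the IP header
    observed_dst = responder_local or responder_public  # what the responder reads from its headers
    peer_nat, self_nat = evaluate_nat_detection(spi_i, spi_r, payloads, wire_src, observed_dst)
    ike_port, esp_carrier = ports_after_detection(peer_nat or self_nat)
    return {
        "initiator_behind_nat": peer_nat,
        "responder_behind_nat": self_nat,
        "ike_port": ike_port,
        "esp_carrier": esp_carrier,
        "source_seen_by_peer": wire_src,
    }


# Constructed sample data mirroring the thread's router entries
ROUTER_RULES = {("192.168.1.254", 500): ("1.1.1.1", 500), ("192.168.1.254", 4500): ("1.1.1.1", 4500)}
ASA_OUTSIDE = Endpoint("192.168.1.254", 500)
ASA_PUBLIC = Endpoint("1.1.1.1", 500)
REMOTE_PEER = Endpoint("203.0.113.10", 500)  # documentation address, constructed
SPI_I = bytes.fromhex("0102030405060708")   # constructed initiator SPI

if __name__ == "__main__":
    print("ASA initiates:", simulate_ike_sa_init(ASA_OUTSIDE, REMOTE_PEER, ROUTER_RULES, SPI_I))
    print("remote initiates:", simulate_ike_sa_init(REMOTE_PEER, ASA_PUBLIC, {}, SPI_I, responder_local=ASA_OUTSIDE))
    print("no NAT anywhere:", simulate_ike_sa_init(Endpoint("198.51.100.7", 500), REMOTE_PEER, {}, SPI_I))
```

Run it as a script to see the outcome in both directions: when the ASA dials out, the remote peer's recomputed source hash fails against 1.1.1.1 and flags the ASA as NATed; when the remote peer dials 1.1.1.1, the ASA's recomputed destination hash fails against its own 192.168.1.254 with the same result. Either way the SA moves to UDP/4500, which is why both UDP forwards must exist and must keep the port numbers unchanged. Two things the router snippet does not show that the posted topology still needs: a dynamic NAT/PAT rule for ordinary outbound traffic from the LAN, and an inbound access list on F0/0, since anything sent to 1.1.1.1 that is not one of the three forwarded flows is handled by the router itself rather than by the ASA.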

4 Replies

Andrew Phirsov
Level 7

I think you can enable IPsec over UDP (on both the ASA and the VPN clients), and do static PAT (on the router) for port 4500/UDP.


Hey, thank you very much for the quick reply. It makes total sense, and it is indeed very easy. I was kind of lost on whether I should NAT the whole IP address or just a portion. Thanks again!

Thank you very much. This is exactly what I needed to know!