01-15-2013 08:42 AM
Hello,
I have a design question more than a troubleshooting question and I hope you can help me with this or point me to a good resource where I can get this clear.
My topology is very simple:
Local Network => ASA => Router => Internet
The idea with this proposal is to have an edge router in charge of routing, obviously plugged directly into the internet with 1 public IP address, and then an ASA with stateful packet filtering and VPN capabilities in front of my local network.
My question is, how do I configure my ASA to be accessible from the internet to respond to the VPN requests? If the ASA is the internet border device with the public IP address configured on one of its interfaces, it is quite simple, but with a router in between I'm kind of lost. Should I perform 1-to-1 NAT at the edge router to point the public IP address directly to the ASA? Or is there any particular port associated with the VPN traffic that I can configure on the edge router to pass only the VPN traffic to the ASA when VPN traffic is received? Similar to what we do when we want HTTP traffic going to one server and SMTP to a different server with one single public IP.
Thank you very much!
01-15-2013 12:08 PM
Very easy. Let's say your Internet edge router has a public IP address of 1.1.1.1 and you want to terminate IPsec on the ASA, but your ASA has a private IP address. Here is what you do on the Internet router, assuming that your router has an IP address of 192.168.1.1 and the ASA "outside" interface has an IP address of 192.168.1.254:
interface F0/0
 description Internet_Facing
 ip nat outside
 ip address 1.1.1.1 255.255.255.252
!
interface F0/1
 description Internal_Facing
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! IKE (ISAKMP) on UDP/500
ip nat inside source static udp 192.168.1.254 500 interface F0/0 500
! IKE and UDP-encapsulated ESP with NAT-Traversal on UDP/4500
ip nat inside source static udp 192.168.1.254 4500 interface F0/0 4500
! Raw ESP (IP protocol 50) for peers that do not negotiate NAT-T
ip nat inside source static esp 192.168.1.254 interface F0/0
Now, you can terminate IPSec on the IP address 1.1.1.1 from the outside world.
Easy right?
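The accepted answer forwards exactly three things to the ASA: IKE on UDP/500, NAT-T on UDP/4500 and raw ESP. Below is an added example (Python, not part of the original thread) that audits an IOS router configuration for that set: it parses the "ip nat inside source static ..." lines, reports which of the three translations to the ASA's outside address are missing, and flags any translation that exposes more than the VPN, including the full one-to-one NAT the asker considered first. The addresses follow the answer above (1.1.1.1, 192.168.1.254, F0/0); the three sample configurations are constructed for the demo.

```python
"""Audit an IOS edge router's static NAT for an IPsec VPN terminated on an
inside ASA. Added example; addresses are taken from the accepted answer and
the sample configs below are constructed, not captured from a real router."""

import re

ASA_OUTSIDE = "192.168.1.254"  # ASA "outside" interface, as in the answer

# What an IPsec peer on the Internet must be able to reach: (protocol, outside
# port). ESP carries no port, hence None.
REQUIRED = {("udp", 500), ("udp", 4500), ("esp", None)}

# ip nat inside source static {tcp|udp} <in-ip> <in-port> {interface <if>|<global-ip>} <out-port>
_PORT_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (?:interface \S+|\S+) (\d+)$"
)
# ip nat inside source static esp <in-ip> {interface <if>|<global-ip>}
_ESP_RE = re.compile(r"^ip nat inside source static esp (\S+) (?:interface \S+|\S+)$")
# ip nat inside source static <in-ip> <global-ip>   (full one-to-one translation)
_ONE_TO_ONE_RE = re.compile(r"^ip nat inside source static (\d+\.\d+\.\d+\.\d+) (\S+)$")


def parse_static_nat(config):
    """Return (proto, inside_ip, outside_port) for each static inside-source
    NAT line. proto is 'tcp', 'udp', 'esp' or 'all' (one-to-one NAT);
    outside_port is None for 'esp' and 'all'."""
    entries = []
    for raw in config.splitlines():
        line = raw.strip()
        m = _PORT_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), int(m.group(4))))
            continue
        m = _ESP_RE.match(line)
        if m:
            entries.append(("esp", m.group(1), None))
            continue
        m = _ONE_TO_ONE_RE.match(line)
        if m:
            entries.append(("all", m.group(1), None))
    return entries


def audit_ipsec_passthrough(config, asa_ip=ASA_OUTSIDE):
    """Return (missing, extra).
    missing: required (proto, port) pairs not translated to asa_ip, so peers
             cannot reach that part of IPsec through the router.
    extra:   entries exposing more than the IPsec set: other hosts, other
             ports, or a one-to-one NAT (every port of the ASA, not just VPN)."""
    present, extra = set(), []
    for proto, inside_ip, port in parse_static_nat(config):
        if proto == "all":
            extra.append((proto, inside_ip, port))
            if inside_ip == asa_ip:
                present |= REQUIRED  # reachable, but over-exposed
        elif inside_ip == asa_ip and (proto, port) in REQUIRED:
            present.add((proto, port))
        else:
            extra.append((proto, inside_ip, port))
    return REQUIRED - present, extra


# Constructed sample 1: the configuration from the accepted answer.
GOOD_CONFIG = """\
interface F0/0
 description Internet_Facing
 ip nat outside
 ip address 1.1.1.1 255.255.255.252
interface F0/1
 description Internal_Facing
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
ip nat inside source static udp 192.168.1.254 500 interface F0/0 500
ip nat inside source static udp 192.168.1.254 4500 interface F0/0 4500
ip nat inside source static esp 192.168.1.254 interface F0/0
"""

# Constructed sample 2: only IKE forwarded, plus SSH on an unrelated host.
SLOPPY_CONFIG = """\
ip nat inside source static udp 192.168.1.254 500 interface F0/0 500
ip nat inside source static tcp 192.168.1.10 22 interface F0/0 22
"""

# Constructed sample 3: the one-to-one NAT the asker first had in mind.
ONE_TO_ONE_CONFIG = """\
ip nat inside source static 192.168.1.254 1.1.1.1
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("sloppy", SLOPPY_CONFIG),
                      ("one-to-one", ONE_TO_ONE_CONFIG)):
        missing, extra = audit_ipsec_passthrough(cfg)
        print(f"{name}: missing={sorted(map(str, missing))} extra={extra}")
```

Two points the check encodes: a static ESP translation can target only one inside host, because ESP has no port to distinguish hosts by, which is fine here since only the ASA terminates tunnels; and clients that negotiate NAT-T never send raw ESP at all, so the UDP/4500 entry is the one that matters for remote-access clients while the ESP entry covers site-to-site peers that do not. Forwarding the whole address (sample 3) reaches the same result but also exposes every other service listening on the ASA's outside interface.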
01-15-2013 11:12 AM
I think you can enable IPsec over UDP (on both the ASA and the VPN clients) and do static PAT (on the router) for port 4500/UDP.
01-15-2013 12:25 PM
Hey, thank you very much for the quick reply. It makes total sense and it is indeed very easy. I was kind of lost on whether I should NAT the whole IP address or just a portion. Thanks again!
01-15-2013 12:26 PM
Thank you very much. This is exactly what I needed to know!