One Public IP address for Two Local IP address for VPN

Unanswered Question
Aug 15th, 2007
Hi,


I have a VPN 3015 used for WEBVPN connections, and an ASA 5540 used for IPSEC connections.

I use the same public IP address for both.

The VPN 3015 and the ASA 5540 are behind a PIX 525, on a DMZ.


I have done this on the PIX 525:

static (DMZ,outside) tcp public_address https local_address_for_VPN3015 https netmask 255.255.255.255 0 0


static (DMZ,outside) tcp public_address 10000 local_address_for_ASA5540 10000 netmask 255.255.255.255 0 0


static (DMZ,outside) udp public_address isakmp local_address_for_ASA5540 isakmp netmask 255.255.255.255 0 0


It works fine for the WebVPN connections to the VPN 3015, and it works fine for the IPsec connections to the ASA 5540, but only for IPsec over TCP, not for IPsec over UDP.

I think the problem is the ESP protocol.


Any help?


Thanks

myoucef Wed, 08/15/2007 - 07:47

Hi,


Yes, I know this, but how can I add the ESP protocol to the static command?

myoucef Thu, 08/16/2007 - 04:52

Can no CCIE Security or CCSP guy help me?



Jon Marshall Thu, 08/16/2007 - 05:00
Hi


Not CCIE Security or CCSP, but I don't think you can do this. Port forwarding only works on TCP and UDP ports, because in effect ESP does not have a port number at all, but a protocol number.


So unless you can do a static statement where you don't define TCP/UDP ports, I don't think this will work.


Do you not have any spare public IP addresses?


Jon
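To make the point above concrete, here is a small Python model of how the PIX "static (DMZ,outside)" entries from this thread select an inside host. This is an added example written for this page, not PIX code or anything posted in the thread; the address names are the poster's placeholders, and the model ignores xlate-table conflicts between overlapping statics.

```python
"""Toy model of PIX static translations (added example, not PIX code).

A port-based 'static (DMZ,outside) tcp|udp ...' entry matches an inbound
packet on (protocol, destination port). ESP (IP protocol 50) carries an SPI
but no port field, so no port-based static can ever select it; only a 1:1
static carries it, and a 1:1 static binds the whole public address to one
inside host.
"""
from dataclasses import dataclass
from typing import List, Optional

# Placeholder names copied from the thread (constructed, not real addresses).
PUBLIC = "public_address"
VPN3015 = "local_address_for_VPN3015"
ASA5540 = "local_address_for_ASA5540"


@dataclass(frozen=True)
class Static:
    inside: str
    proto: Optional[str] = None  # "tcp"/"udp" for port PAT, None for a 1:1 static
    port: Optional[int] = None   # public port for port PAT (https=443, isakmp=500)


# The three port-based statics from the original post.
PORT_STATICS: List[Static] = [
    Static(VPN3015, "tcp", 443),
    Static(ASA5540, "tcp", 10000),
    Static(ASA5540, "udp", 500),
]

# The whole-address static the poster added later.
ONE_TO_ONE: List[Static] = [Static(ASA5540)]


def translate(statics: List[Static], proto: str, dst_port: Optional[int] = None) -> Optional[str]:
    """Return the inside host an inbound packet to PUBLIC lands on, or None.

    Only TCP and UDP carry ports; for ESP the caller passes dst_port=None,
    so an ESP packet can only ever match a static with no port key.
    """
    for s in statics:
        if s.proto is None:
            return s.inside  # 1:1 static: every protocol goes to this host
        if s.proto == proto and s.port == dst_port:
            return s.inside
    return None
```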

JORGE RODRIGUEZ Thu, 08/16/2007 - 07:19

Have you tried an inbound ACL on the ASA pointing to public_address allowing esp-50 and ah-51? Give that a try and test.

myoucef Thu, 08/16/2007 - 08:05

Hi,


The ASA 5540 is in a DMZ behind a PIX 525, and I added the ACL to permit isakmp and esp.


On the PIX 525, I added the following commands:

static (DMZ,outside) tcp public_address https local_address_for_VPN3015 https netmask 255.255.255.255 0 0


static (DMZ,outside) udp public_address isakmp local_address_for_ASA5540 isakmp netmask 255.255.255.255 0 0


static (DMZ,outside) tcp public_address 10000 local_address_for_ASA5540 10000 netmask 255.255.255.255 0 0


It works fine for https and ipsec over ipsec; for IPsec over UDP the VPN client can connect but can't do anything (like ping or others). When I add on the PIX the command:

static (DMZ,outside) public_address local_address_for_ASA5540 netmask 255.255.255.255 0 0

it works now for IPsec over UDP and for IPsec over TCP, but not for https (it works only if I do a clear xlate and use WebVPN first), and if there is another VPN client with IPsec over UDP, it works for IPsec over UDP but not for the new WebVPN connection.


myoucef Thu, 08/16/2007 - 09:20

The easy solution is to use two public addresses, but the problem is that I want my users to use only one public DNS name for both WebVPN and IPsec connections.


The reason I do not use the ASA 5540 for both WebVPN and IPsec connections is that the ASA 5540 does not have a licence for WebVPN, which is why I use the VPN 3015 for WebVPN.



myoucef Fri, 08/17/2007 - 07:45

I know that we can put the ASA 5540 and the VPN Concentrator in VPN load balancing.


If I do this, can the VPN cluster tell that this is a WebVPN connection and thus give it to the VPN Concentrator 3015, and that this is an IPsec connection and give it to the ASA 5540?


