One Public IP address for Two Local IP address for VPN

myoucef
Level 1

Hi,

I have a VPN 3015 used for WEBVPN connections, and an ASA 5540 used for IPSEC connections.

I use the same public IP address for both.

The VPN 3015 and the ASA 5540 are behind a PIX 525, on a DMZ.

I have done this on the PIX 525:

static (DMZ,outside) tcp public_address https local_address_for_VPN3015 https netmask 255.255.255.255 0 0

static (DMZ,outside) tcp public_address 10000 local_address_for_ASA5540 10000 netmask 255.255.255.255 0 0

static (DMZ,outside) udp public_address isakmp local_address_for_ASA5540 isakmp netmask 255.255.255.255 0 0

It works fine for the webvpn connections to the vpn3015, and it works fine for the ipsec connections to the ASA 5540, but only for IPSEC over TCP, not for IPSEC over UDP.

I think the problem is the ESP protocol.

any help?

Thanks

12 Replies

You need to forward IP protocol 50 (ESP) and UDP 500 (ISAKMP).

Hi,

Yes, I know this, but how can I add the protocol ESP in the static command?

No CCIE security or CCSP guy can help me?

Hi

Not CCIE security or CCSP, but I don't think you can do this. Port forwarding only works on TCP and UDP ports because, in effect, ESP does not have a port number at all but a protocol number.

So unless you can do a static statement where you don't define TCP/UDP ports, I don't think this will work.

Do you not have any spare public IP addresses?

Jon

JORGE RODRIGUEZ
Level 10

Have you tried an inbound ACL on the ASA pointing to public_address allowing esp-50 and ah-51? Give that a try and test.

Jorge Rodriguez

Hi,

The ASA 5540 is in a DMZ behind a PIX 525, and I added the acl to permit isakmp and esp.

on the PIX 525, I added the following commands:

static (DMZ,outside) tcp public_address https local_address_for_VPN3015 https netmask 255.255.255.255 0 0

static (DMZ,outside) udp public_address isakmp local_address_for_ASA5540 isakmp netmask 255.255.255.255 0 0

static (DMZ,outside) tcp public_address 10000 local_address_for_ASA5540 10000 netmask 255.255.255.255 0 0

It works fine for https and ipsec over tcp; for ipsec over udp the vpn client can connect but can't do anything (like ping or others). When I add on the PIX the command:

static (DMZ,outside) public_address local_address_for_ASA5540 netmask 255.255.255.255 0 0

it works now for ipsec over udp and for ipsec over tcp, but not for https (it works only if I do a clear xlate; I used webvpn first), and if there is another vpn client with ipsec over udp, it works for ipsec over udp but not for the new webvpn connection.

You need to use a static one-to-one NAT entry for the ASA and punch the necessary holes in the outside ACL for the traffic. You can still use static PAT for the VPN3K, but you could also use a separate static one-to-one if you want.
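The layout described in this reply, written out as an added example (not configuration from the thread): the concentrator keeps its static PAT on the existing public address, while the ASA gets a one-to-one static on a second public address so that ESP, which has no port to translate, passes through, with the outside ACL opened only for what each device needs. The addresses, the ACL name `outside_in`, and the UDP 4500 (NAT-T) line are assumptions.

```cisco
! Added example, not from the thread. Placeholder addresses (documentation / private ranges):
!   203.0.113.10 = existing public address, kept for the VPN 3015 (WebVPN)
!   203.0.113.11 = second public address, dedicated to the ASA 5540 (IPsec)
!   192.168.10.5 = VPN 3015 in the DMZ, 192.168.10.6 = ASA 5540 in the DMZ
! The ACL name outside_in is an assumption.

! Static PAT for the concentrator: only https is exposed on the first address
static (DMZ,outside) tcp 203.0.113.10 https 192.168.10.5 https netmask 255.255.255.255 0 0

! One-to-one static for the ASA: every IP protocol, including ESP (50), is translated
static (DMZ,outside) 203.0.113.11 192.168.10.6 netmask 255.255.255.255 0 0

! Outside ACL: open only what each device needs, nothing else reaches the DMZ hosts
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-list outside_in permit udp any host 203.0.113.11 eq isakmp
access-list outside_in permit udp any host 203.0.113.11 eq 4500
access-list outside_in permit esp any host 203.0.113.11
access-list outside_in permit tcp any host 203.0.113.11 eq 10000
access-group outside_in in interface outside
```

The UDP 4500 line is only needed when clients sit behind their own NAT and the ASA has NAT traversal enabled; it can be dropped otherwise.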

You need 2 public addresses.

Exactly what I said about static one-to-one NAT entries, obviously with different IPs from the PIX outside interface.

The easy solution is to use two public addresses, but the problem is that I want my users to use only one public DNS name for both webvpn and IPSEC connections.

The reason I do not use the ASA 5540 for both webvpn and IPsec connections is that the ASA 5540 does not have a licence for Webvpn; that is why I use the VPN 3015 for Webvpn.

Like the other person already stated, you can't PAT ESP.

I know that we can put the ASA 5540 and the VPN Concentrator in VPN load balancing.

If I do this, can the VPN cluster tell that this is a webvpn connection and thus give it to the VPN concentrator 3015, and that this is an IPSEC connection and give it to the ASA 5540?
