IPsec VPN terminate behind NAT router

Unanswered Question
Nov 29th, 2009

Hi netpros,


The intended setup is for a Cisco ASA5520, sitting behind an internet-facing router (Cisco 3825), to terminate an IPsec VPN L2L tunnel.


The static NAT from the ASA's private interface to a public IP address is performed by the 3825.


Testing has shown that the remote site is seeing the ASA's private interface as the peer IP address instead of the public one, which stops the phase 1 negotiation from completing.


Is there a way to get around this issue?


Kind regards,

GO

Patrick0711 Sun, 11/29/2009 - 21:01

As long as the ASA's outside interface IP address is NATed to a routable IP address, I can't see any way that the remote device would see the internal NAT IP. Are you using static NAT or some type of policy or dynamic NAT?

glenn.ong Sun, 11/29/2009 - 21:39

Yup, the ASA's outside interface IP address is statically NATed to a single, routable IP address by the 3825 router in front.


The remote device can see the incoming connection coming from the public IP. But for some reason, it's seeing the ASA's outside interface private IP in the 'Main mode peer ID'.


Does this have anything to do with not specifically defining a 'crypto isakmp identity' in the ASA's config?


All feedback is welcome.


Patrick0711 Mon, 11/30/2009 - 12:14

Right, the ISAKMP Identity address will be the ASA's private IP address...which shouldn't be a problem. The remote device is going to generate its peer reference hash value using the identity address that was sent by your device. The remote device should do a pre-shared key lookup based on the public IP address in the ISAKMP header. What kind of device is being used on the remote end?


Things to check:


1.) Is the remote device using ISAKMP identity addresses?

2.) Is the remote device configured to peer with the public IP of the ASA (as it should be)?



If possible, post some debugs.
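Patrick's distinction above, that the peer reference comes from the identity carried in the ISAKMP Identification payload while the pre-shared key lookup is keyed on the address the packet actually arrives from, can be illustrated with a small encoder/parser for that payload (RFC 2408 generic header plus the IPsec DOI ID types of RFC 2407). This is an added example, not code from the thread or from any vendor; the public address is a placeholder and the sample payload is constructed.

```python
import ipaddress
import struct

# IPsec DOI identification types (RFC 2407 section 4.6.2.1).
ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN, ID_KEY_ID = 1, 2, 3, 11
ID_TYPE_NAMES = {ID_IPV4_ADDR: "ID_IPV4_ADDR", ID_FQDN: "ID_FQDN",
                 ID_USER_FQDN: "ID_USER_FQDN", ID_KEY_ID: "ID_KEY_ID"}


def build_id_payload(id_type, data, next_payload=0, proto=17, port=500):
    """Encode one Identification payload: generic header, then type/proto/port and data."""
    body = struct.pack("!BBH", id_type, proto, port) + data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_id_payload(buf):
    """Decode an Identification payload into a dict; raise ValueError on malformed input."""
    if len(buf) < 8:
        raise ValueError("payload too short")
    _next, reserved, length = struct.unpack("!BBH", buf[:4])
    if reserved != 0 or length < 8 or length > len(buf):
        raise ValueError("bad generic payload header")
    id_type, proto, port = struct.unpack("!BBH", buf[4:8])
    data = buf[8:length]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR must carry exactly 4 bytes")
        ident = str(ipaddress.IPv4Address(data))
    elif id_type in (ID_FQDN, ID_USER_FQDN):
        ident = data.decode("ascii")
    else:
        ident = data.hex()  # opaque KEY_ID or DER bytes, shown as hex
    return {"type": ID_TYPE_NAMES.get(id_type, id_type),
            "proto": proto, "port": port, "id": ident}


def check_peer_identity(outer_src_ip, id_payload):
    """Compare the identity a Main Mode peer asserts with the source address its packets carry."""
    ident = parse_id_payload(id_payload)
    if ident["type"] != "ID_IPV4_ADDR":
        return "non-address identity %s=%s; match it against the configured peer ID" % (
            ident["type"], ident["id"])
    if ident["id"] == outer_src_ip:
        return "identity matches header source %s" % outer_src_ip
    return "identity %s differs from header source %s (peer is probably behind NAT)" % (
        ident["id"], outer_src_ip)


# Constructed sample: the ASA outside interface from the thread, translated by the 3825
# to a placeholder public address (the thread does not give the real one).
ASA_PRIVATE = "192.168.1.7"
ASA_PUBLIC_NAT = "198.51.100.7"  # placeholder
SAMPLE_ID = build_id_payload(ID_IPV4_ADDR, ipaddress.IPv4Address(ASA_PRIVATE).packed)
```

Running `check_peer_identity(ASA_PUBLIC_NAT, SAMPLE_ID)` reproduces what the openswan side reports: the ID payload says 192.168.1.7 even though the packet came from the NATed address, so the responder must be told to expect that identity (or the ASA must send a different one) for the peer lookup to succeed.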

glenn.ong Mon, 01/11/2010 - 23:21

I would like to continue this thread again; I wish I could have done this earlier, but I was on annual leave.


Thanks Patrick for clarifying my concern, good to hear that it's not a topology issue.


The remote end is a freeswan/openswan running on a Linux box. The peering IP address is definitely correct (public IP of the ASA NATed by the 3825 router in front) and the isakmp identity address is also set to this same IP (probably the issue here?).


Attached is the isakmp debug output from my end (initiating end). 20.20.20.20 is the remote end, 192.168.1.7 is the ASA's outside interface IP before being NATed.


All feedback welcome. Thanks.
