IPsec VPN terminate behind NAT router

glenn.ong
Level 1

Hi netpros,

The intended setup is for a Cisco ASA5520, sitting behind an internet-facing router (Cisco 3825), to terminate an IPSec VPN L2L tunnel.

The static NAT from the ASA's private interface to a public IP address is performed by the 3825.

Testing has shown that the remote site is seeing the ASA's private interface as the peer IP address instead of the public one, which stops the phase 1 negotiation from being completed.

Is there a way to get around this issue?

Kind regards,

GO

5 Replies

Patrick0711
Level 3

As long as the ASA's outside interface IP address is NAT'ed to a routeable IP address, I can't see any way that the remote device would see the internal NAT IP. Are you using static NAT or some type of policy or dynamic NAT?

Yup, the ASA's outside interface IP address is statically NAT-ed to a single, routeable IP address by the 3825 router in front.

The remote device can see the incoming connection coming from the public IP. But for some reason, it's seeing the ASA's outside interface private IP in the 'Main mode peer ID'.

Does this have anything to do with not specifically defining a 'crypto isakmp identity' in the ASA's config?

All feedback is welcome.


Right, the ISAKMP identity address will be the ASA's private IP address... which shouldn't be a problem. The remote device is going to generate its peer reference hash value using the identity address that was sent by your device. The remote device should do a pre-shared key lookup based on the public IP address in the ISAKMP header. What kind of device is being used on the remote end?

Things to check:

1.) Is the remote device using ISAKMP identity addresses?

2.) Is the remote device configured to peer with the public IP of the ASA (as it should be)?

If possible, post some debugs.

I would like to continue this thread again; I wish I could have done this earlier, but I was on annual leave.

Thanks Patrick for clarifying my concern, good to hear that it's not a topology issue.

The remote end is a FreeS/WAN/Openswan running on a Linux box. The peering IP address is definitely correct (public IP of the ASA, NAT-ed by the 3825 router in front) and the ISAKMP identity address is also set to be this same IP (probably the issue here?).

Attached is the ISAKMP debug output from my end (initiating end). 20.20.20.20 is the remote end, 192.168.1.7 is the ASA's outside interface IP before being NAT-ed.

All feedback welcome. Thanks.

Hi,

NAT-T (IPSec over NAT-T) needs to be enabled to achieve this. Since it is a 5-year-old discussion, I hope it has been done by now...

http://www.cisco.com/c/en/us/td/docs/security/asa/asa70/configuration/guide/config/ike.html#wp1052899

Regards,

Keshava Raju
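The topology from the thread (ASA outside interface 192.168.1.7 statically translated by the 3825, remote peer 20.20.20.20, identity sent as the private address, NAT-T enabled as per the reply above), written out as an added configuration example; it is not from the thread or from Cisco. The public address 203.0.113.10, the interface names, the protected subnets, the ASA 7.x/8.2 command syntax and the placeholder pre-shared key are assumptions; the remote Openswan end is assumed to be configured to accept 192.168.1.7 as the peer ID (its rightid) while still peering with 203.0.113.10.

```cisco
! --- Cisco 3825 (internet-facing router, IOS) ---
! One-to-one static NAT for the ASA outside interface. Address-only
! translation carries ESP (IP protocol 50) as well as UDP 500/4500.
! 203.0.113.10 is a placeholder for the real public address.
interface GigabitEthernet0/0
 description Internet
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
interface GigabitEthernet0/1
 description Towards ASA outside interface
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
ip nat inside source static 192.168.1.7 203.0.113.10
! If an inbound ACL is applied on the Internet interface, admit the peer.
! Inbound ACLs are evaluated before NAT, so match the public address.
ip access-list extended FROM_INTERNET
 permit udp host 20.20.20.20 host 203.0.113.10 eq isakmp
 permit udp host 20.20.20.20 host 203.0.113.10 eq non500-isakmp
 permit esp host 20.20.20.20 host 203.0.113.10

! --- Cisco ASA 5520 (7.x/8.2 syntax; 8.4+ uses "crypto ikev1") ---
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
! Explicit identity type: the ASA sends its outside interface address
! (192.168.1.7), not the translated address, as its ISAKMP ID.
crypto isakmp identity address
! NAT-T: NAT discovery in phase 1, ESP encapsulated in UDP/4500 when NAT
! is detected; 20 is the NAT keepalive interval in seconds.
crypto isakmp nat-traversal 20
tunnel-group 20.20.20.20 type ipsec-l2l
tunnel-group 20.20.20.20 ipsec-attributes
 pre-shared-key <placeholder-psk>
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
! Interesting traffic (assumed subnets) and pre-8.3 NAT exemption for it
access-list L2L_ACL extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list L2L_ACL
crypto map OUTSIDE_MAP 10 match address L2L_ACL
crypto map OUTSIDE_MAP 10 set peer 20.20.20.20
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
```

With this in place, "show crypto isakmp sa" on the ASA should show the phase 1 SA to 20.20.20.20 and "show crypto ipsec sa" should report the tunnel as NAT-T encapsulated (UDP/4500), which is the quickest check that both the static NAT and NAT-T are working.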
