Site2Site VPN with an ASA behind a NAT Device

Unanswered Question
Aug 1st, 2010


I need to set up an IPsec VPN tunnel; the far-end ASA is behind a Cisco 7200 series router that acts as a NAT device for the Cisco ASA. The config is fine on both ends, but we are still not able to establish a VPN tunnel, and I don't see anything in the debug on my side.

Is it possible to have a site-to-site VPN tunnel behind a NAT device?

The peer IP provided to me is the router's (Cisco 7200 series) outside IP, which is NATed to a private IP on the outside interface of the ASA.



connect2world Sun, 08/01/2010 - 20:46

Yes, it is possible. Use an access list to deny the traffic that needs to go through the NAT device. If the peer IP is a.b.c.d, make sure that in the ip nat pool access list of the NAT device you deny it.

E.g. on the NAT device config:

ip nat inside source list 100
!
access-list 100 deny   ip host asa_external_ip host a.b.c.d   <- deny statement
access-list 100 remark ^ Permit vpn tunnel traffic without getting natted ^
access-list 100 permit ip any any

Hope this helps.

Jitendriya Athavale Sun, 08/01/2010 - 21:48

Take care of the following:

peer IP: both public

7200 should do a one-to-one NAT for the ASA outside IP (static)

crypto ACLs should match on both ends - so in your case it will be private to private

configure NAT traversal

NAT exemption for crypto traffic on both ends - but I don't think you are doing NAT on the ASA, as the 7200 is doing the NAT anyway

make sure you have these ports opened on all 3 devices:

udp 500
esp 50
udp 4500

on the ASA you can give sysopt connection permit-vpn

run packet-tracer on the ASA and see where it is getting dropped

Upneetsaini_2 Mon, 08/02/2010 - 09:02

Thanks for the quick help, folks.

A bit more description of the problem:

Side A:

Router (public IP A.A.A.A)
  |
Firewall ASA (private IP P.P.P.P)

The config on the router:

ip nat inside source static P.P.P.P A.A.A.A

And the ASA has the following:

crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer B.B.B.B
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 11
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal

tunnel-group B.B.B.B type ipsec-l2l
tunnel-group B.B.B.B ipsec-attributes
 pre-shared-key *

access-list outside_cryptomap extended permit tcp object-group OUR_END_INTERNAL object-group CLIENT_END_INTERNAL

access-list inside_nat0_outbound extended permit ip object-group OUR_END_INTERNAL

Side B:

Firewall (public IP B.B.B.B)

On this firewall it's the opposite of the above, and about 20 VPN tunnels are already up and running on this side.



Rahul Govindan Mon, 08/02/2010 - 09:13

So you are not able to establish a VPN tunnel, right? Can you see if you get any debugs at all on any of the ASAs? Try initiating from your ASA and see if you get some debugs, at least on where it's failing.

deb cry isa sa 127 should do. term mon if you are using a monitor session to show debugs.

Jitendriya Athavale Mon, 08/02/2010 - 09:14

Try the following:

crypto isakmp nat-traversal

Also, I see the nonat and crypto ACLs look different on the ASA: one has ip and the other has an object-group name. Can you please check if both of them are the same?
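To show why the NAT traversal advice in this thread (configure NAT traversal; open UDP 500, ESP and UDP 4500; enable `crypto isakmp nat-traversal`) matters for an ASA sitting behind a static one-to-one NAT, here is an added Python example, not from this thread or from Cisco, of the RFC 3947 NAT-D check that IKE peers use to detect a NAT on the path. The cookies and the addresses standing in for P.P.P.P, A.A.A.A and B.B.B.B are constructed placeholders.

```python
import hashlib
import socket
import struct

# Constructed placeholders (not values from the thread): 8-byte IKE cookies.
CKY_I = bytes.fromhex("0123456789abcdef")  # initiator cookie
CKY_R = bytes.fromhex("fedcba9876543210")  # responder cookie


def nat_d_hash(cky_i, cky_r, ip, port, hash_name="sha1"):
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).

    hash_name is the hash negotiated in the ISAKMP policy (sha1 for the
    3DES/SHA policy in the thread, md5 for the MD5 policies)."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def nat_between(sent_hash, observed_ip, observed_port, cky_i, cky_r, hash_name="sha1"):
    """Receiver side: recompute the hash over the source address/port it actually
    saw on the wire. A mismatch means something on the path rewrote them."""
    return sent_hash != nat_d_hash(cky_i, cky_r, observed_ip, observed_port, hash_name)


def describe_path(asa_private_ip, router_public_ip, peer_ip, hash_name="sha1"):
    """Model the thread's topology: an ASA (asa_private_ip) behind a 7200 doing a
    static 1:1 NAT to router_public_ip, talking to a peer with a public address."""
    # The ASA can only hash the address it knows about: its own private outside IP.
    asa_sends = nat_d_hash(CKY_I, CKY_R, asa_private_ip, 500, hash_name)
    # The peer receives that packet from router_public_ip after the static NAT.
    local_behind_nat = nat_between(asa_sends, router_public_ip, 500, CKY_I, CKY_R, hash_name)
    # The peer's own address is not rewritten, so its NAT-D hash checks out on the ASA.
    peer_sends = nat_d_hash(CKY_I, CKY_R, peer_ip, 500, hash_name)
    remote_behind_nat = nat_between(peer_sends, peer_ip, 500, CKY_I, CKY_R, hash_name)
    # With a NAT detected, RFC 3947 peers move IKE and ESP to UDP 4500 (UDP
    # encapsulation). With "no crypto isakmp nat-traversal" this exchange never
    # happens, and plain ESP (IP protocol 50) has to survive the NAT on its own.
    return {
        "local_behind_nat": local_behind_nat,
        "remote_behind_nat": remote_behind_nat,
        "udp_port": 4500 if (local_behind_nat or remote_behind_nat) else 500,
    }


if __name__ == "__main__":
    # RFC 5737 documentation addresses standing in for P.P.P.P, A.A.A.A and B.B.B.B.
    print(describe_path("10.0.0.2", "203.0.113.1", "198.51.100.1"))
```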

connect2world Mon, 08/02/2010 - 18:18

Hi Upneet,

I think your VPN endpoint should terminate at the router instead of the firewall. From your ASA config statements, it seems you are terminating at the firewall. It makes more sense to have the terminating point on the external interface of the router rather than move it to an internal firewall. Use this link as a guide to configuring an IOS router VPN tunnel.

