NAT and tunnel endpoints

Answered Question
Sep 28th, 2010

I have two ASA firewalls on different subnets, each with their own internet connection.  An IPsec tunnel is set up between my company and another company that terminates on one of my ASA firewalls.  The remote end of the tunnel will not support a second tunnel endpoint for redundancy.

Because of this I was wondering if it is possible to route the packets that establish the tunnel out the second firewall and simply NAT the source address to the address of my primary firewall's outside interface.  The tunnel is set up to be established by interesting traffic originating from my company's side.

My ISP, in the event my primary connection goes down, will route packets destined for my tunnel endpoint to my second firewall's internet connection.  I figure if I can just NAT the tunnel endpoint address (destination address) to the assigned address on my second firewall's outside interface, that I could establish the tunnel this way. Anyone know if this is supported?  I know that about 10 years ago it wasn't, but I heard it can be done now.

Thanks.
Correct Answer by Federico Coto F... about 6 years 2 months ago

It should work.

I've seen it work like that at least in cisco equipment.

Also I think that if you see this problem with NAT, it should be fixed by NAT-T (when the devices sense that there's a NAT device in the path, packets 5 and 6 for key exchange go in UDP 4500).

It seems to be that it should work.


Federico.
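As an added example (not from the thread, and not Cisco's code), here is the NAT-D check that Federico's answer relies on, written out in Python so the failover scenario from the question can be walked through: the secondary ASA initiates IKE, the secondary border router rewrites its source address to the primary ASA's address, and the partner's responder works out from the NAT-D payloads that a NAT sits in the path and floats to UDP 4500. The addresses (RFC 5737 documentation ranges), the ISAKMP cookies and the use of SHA-1 as the hash are constructed for illustration; RFC 3947 uses whatever hash the ISAKMP SA negotiated.

```python
import hashlib
import ipaddress
import struct

IKE_PORT = 500       # UDP/500: IKE phase 1 before NAT is detected
NAT_T_PORT = 4500    # UDP/4500: where IKE and UDP-encapsulated ESP move afterwards


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D = HASH(CKY-I | CKY-R | IP | Port), RFC 3947 section 3.2.
    SHA-1 stands in for whatever hash the ISAKMP SA negotiated (assumption)."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def build_nat_d_payloads(cky_i, cky_r, local, remote):
    """Sender side. RFC 3947: the first NAT-D covers the remote address, the
    following one(s) cover the sender's own local address(es). `local` and
    `remote` are (ip, port) tuples as the sender sees them, i.e. pre-NAT."""
    return [nat_d_hash(cky_i, cky_r, *remote), nat_d_hash(cky_i, cky_r, *local)]


def detect_nat(cky_i, cky_r, payloads, mine, observed_src):
    """Receiver side. Recompute both hashes from the packet actually seen on
    the wire and compare. Returns (receiver_behind_nat, sender_behind_nat)."""
    receiver_behind_nat = payloads[0] != nat_d_hash(cky_i, cky_r, *mine)
    sender_behind_nat = nat_d_hash(cky_i, cky_r, *observed_src) not in payloads[1:]
    return receiver_behind_nat, sender_behind_nat


def port_after_detection(receiver_behind_nat, sender_behind_nat):
    """If either side is behind NAT, both peers float to UDP 4500 (RFC 3947 section 4)."""
    return NAT_T_PORT if (receiver_behind_nat or sender_behind_nat) else IKE_PORT


# --- constructed failover scenario from the thread (assumed addresses) -------
PARTNER = ("198.51.100.5", IKE_PORT)      # business partner's VPN endpoint
PRIMARY_ASA_OUTSIDE = "203.0.113.10"      # the only peer address the partner accepts
SECONDARY_ASA_OUTSIDE = "203.0.113.20"    # secondary ASA, behind the secondary border router
CKY_I = bytes.fromhex("0102030405060708")  # constructed initiator cookie
CKY_R = bytes.fromhex("1112131415161718")  # constructed responder cookie


def border_router_nat(src_ip, src_port):
    """Static NAT on the secondary border router: rewrite the secondary ASA's
    outside address to the primary ASA's address. Other sources pass unchanged."""
    if src_ip == SECONDARY_ASA_OUTSIDE:
        return (PRIMARY_ASA_OUTSIDE, src_port)
    return (src_ip, src_port)


def run_exchange(initiator_ip, nat_in_path):
    """Initiator at `initiator_ip` sends its NAT-D payloads to the partner; the
    partner evaluates them against the source address it actually received.
    Returns (receiver_behind_nat, sender_behind_nat, port_used_afterwards)."""
    local = (initiator_ip, IKE_PORT)
    payloads = build_nat_d_payloads(CKY_I, CKY_R, local, PARTNER)
    observed_src = border_router_nat(*local) if nat_in_path else local
    recv_nat, send_nat = detect_nat(CKY_I, CKY_R, payloads, PARTNER, observed_src)
    return recv_nat, send_nat, port_after_detection(recv_nat, send_nat)


if __name__ == "__main__":
    # Normal path: the primary ASA talks to the partner directly, nothing in between.
    print("primary :", run_exchange(PRIMARY_ASA_OUTSIDE, nat_in_path=False))
    # Failure path: the secondary ASA initiates and the border router rewrites its source.
    print("failover:", run_exchange(SECONDARY_ASA_OUTSIDE, nat_in_path=True))
```

In the failover run the partner's own-address hash still matches (it is not behind NAT), but none of the sender's hashes match the translated source address, so the initiator is flagged as NATted and both sides move to 4500 with UDP-encapsulated ESP, which is what lets the tunnel survive the address rewrite. What NAT-T does not change is the identity the secondary ASA puts in its ID payload (by default its own interface address, not the translated one), so the partner's peer and identity matching still has to tolerate that; it is the thing to verify in the lab the poster mentions.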

cchughes Tue, 09/28/2010 - 08:05

Here ya go.  Green is the normal path/tunnel endpoint.  Red is a failure scenario where the ISP presents a route to the business partner via a secondary internet/ASA.  Does NAT work with tunnel endpoints?

Federico Coto F... Tue, 09/28/2010 - 08:58

I understand now what you want to do but I'm having problems seeing it work.

For example....

The remote end will support a single VPN tunnel, correct?

Then in order to allow the VPN communication when the primary Internet connection fails, the traffic should flow through the secondary ASA (but not establishing a second tunnel, instead using the same tunnel).

To accomplish this you want to NAT the IP of the second ASA to the IP of the primary ASA (but those are two separate internet connections).

I mean.... if you NAT the second ASA to the IP of the primary ASA, how would you control that the traffic be sent to the secondary ASA rather than to the first one?

Federico.

cchughes Tue, 09/28/2010 - 09:34

I was thinking about just pulling through the secondary ASA to the primary ASA (across the internal network) but wasn't sure what rules I would need or if it would even work.  Instead I am thinking it would be better (if NAT works) to translate all packets to/from the business partner tunnel endpoint with the border router of my secondary internet connection.  The secondary ASA would have the tunnel endpoint configured and be unaware of any translation.

The flow in a failure scenario would look like this:

Primary internet connection fails

A new default route is introduced via the secondary internet.

An internal client tries to access tunnel based resources

The default route takes his traffic to the secondary ASA

The secondary ASA sees a match for interesting traffic and triggers an attempt to establish a tunnel

Tunnel initiation packets destined for the remote tunnel endpoint are seen by the secondary border router

NAT kicks in and changes the source address to the address of the primary ASA outside interface

The business partner sees a tunnel initiation coming from a valid address and the tunnel is established.

Behind the scenes, my ISP tells me that if they sense a failure of my primary connection that they can route all packets bound for it to my secondary connection.

Federico Coto F... Tue, 09/28/2010 - 09:56

If both internet connections are from the same ISP and they can send you packets intended for the public IP of the primary ASA via either way, then I imagine it should work as you describe it.

The problem I was having is that the remote site needs to see the tunnel established with the IP of the primary ASA (no matter which ASA is handling the tunnel), but if NAT kicks in and the ISP directs the traffic to the secondary ASA there should be no problem.

Federico.

cchughes Tue, 09/28/2010 - 10:14

The reason I am questioning it working is that at one time, these endpoint addresses were embedded in the encrypted payload and it prevented tunnel establishment if the packet source address didn't match what was in the encrypted payload.  Do you know if that has changed?

My next step is to lab this.
