Vpn clarification

Unanswered Question
Dec 26th, 2013

Dears,

I have a query regarding a site-to-site VPN setup between a Juniper SRX 3600 and a Cisco ASA.

We have a Cisco ASA and the client has a Juniper SRX 3600.

The scenario here is that on our end the Cisco ASA outside interface has a private IP (10.10.10.10), and the public IP mapping (static one-to-one) is done at the perimeter router.

On the client side they have a public IP configured directly on the Juniper SRX 3600, with NAT-Traversal disabled on the corresponding tunnel towards our side.

They have a strict policy to disable NAT-T, which they won't enable. So we have to disable NAT-T here on the tunnel too.

The issue here is that Phase 1 is coming up, but in Phase 2 I don't see any IPsec SA.

In this scenario, where our ASA is behind a NAT device (router) with NAT-T disabled, will the site-to-site VPN work? Will the tunnel come up with NAT-T disabled?

Any assistance will be helpful.

Shibu1978 Thu, 12/26/2013 - 11:00

Any response would be highly appreciated, thanks.

Jeet Kumar (Cisco Employee) Thu, 12/26/2013 - 11:25

Hi Shibu,

If your edge is doing a one-to-one NAT for the ASA outside interface, then there should be no issue.

But if the edge router is doing PAT, then you have no option but to enable NAT-T on the remote end.

Because NAT-T doesn't work with PAT.

Thanks

Jeet Kumar

Shibu1978 Thu, 12/26/2013 - 11:33

Hi Jeet,

Thanks for your response.

Please see my response inline.

If your edge is doing a one-to-one NAT for the ASA outside interface, then there should be no issue.

Shibu: Yes, we do one-to-one NAT.

So you mean the site-to-site VPN works fine with NAT-T disabled at both ends, and one-to-one NAT configured on the perimeter device for the ASA private IP? Please clarify.

Shibu1978 Sat, 12/28/2013 - 03:55

Hi all,

Any update on this? Really appreciated.

zalkurdi (Cisco Employee) Sat, 12/28/2013 - 05:57

Hello,

A little clarification:

Q. Why is NAT-T needed?

A. In Phase 2 and the last messages of Phase 1, the packets being sent between peers are encrypted ESP packets (IP protocol 50). So when an encrypted packet goes through a device running PAT, it will be dropped since it doesn't use port numbers. In these cases, NAT-T is used to send UDP 4500 packets instead of ESP packets. So, if you are behind a NAT device, you need to enable NAT-T.

As for the NATing on the router, you need to add 2 static NAT statements to allow UDP 500 and UDP 4500 packets.

ip nat inside source static udp X.X.X.X 500 interface FastEthernet0/0 500
ip nat inside source static udp X.X.X.X 4500 interface FastEthernet0/0 4500

This is called Port Forwarding and will pass any VPN traffic to the ASA.

If you implement static NATing without ports, all traffic going to the public IP of the router will go to the ASA.

If you want to disable NAT-T, you can have the router become the termination point of the VPN instead of the ASA.

HTH

Zaid Al-Kurdi

Shibu1978 Sat, 12/28/2013 - 07:35

Hello Zaid,

Thanks for your reply.

Here on the perimeter router we have static NAT configured as below, not PAT with port numbers.

ip nat inside source static *.*.*.*  *.*.*.*

Q. Why is NAT-T needed?

A. In Phase 2 and the last messages of Phase 1, the packets being sent between peers are encrypted ESP packets (IP protocol 50). So when an encrypted packet goes through a device running PAT, it will be dropped since it doesn't use port numbers. In these cases, NAT-T is used to send UDP 4500 packets instead of ESP packets. So, if you are behind a NAT device, you need to enable NAT-T.

Shibu: Our ASA is behind a NAT device (router) and static NAT is configured as above. I am a bit confused about your statement, which talks about PAT.

As Mr. Jeet Kumar mentioned above, without NAT-T, ESP should work fine with static NAT. Could you please clarify here?

If you want to disable NAT-T, you can have the router become the termination point of the VPN instead of the ASA.

Shibu: We cannot make the router the termination point, as it is owned by the provider's datacentre.

Is there any way we can bring the tunnel up with NAT-T disabled on both ends? I very badly need a solution for this.

Thanks in advance

Shibu1978 Sat, 12/28/2013 - 09:28

Hi all,

Could someone give me clarity on this request? Any response would be appreciated.

Thanks

Shibu1978 Sat, 12/28/2013 - 21:41

Any response on this would be appreciated. Thanks.

zalkurdi (Cisco Employee) Sun, 12/29/2013 - 23:33

Hello,

Now if you want to statically map the public IP of the router to the IP of the ASA, that would work.

However, this will make all traffic to that IP, not just VPN, go to the ASA. My suggestion was to allow only VPN traffic through.

This is totally up to you.
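The two answers in this thread are talking about two different kinds of NAT, and the model below (an added example, not code from the thread or from Cisco) puts them side by side: a static one-to-one `ip nat inside source static` address map, interface-overload PAT, and PAT plus the two UDP 500/4500 port forwards Zaid suggested. It pushes IKE (UDP/500), NAT-T (UDP/4500) and raw ESP (IP protocol 50) through each one in both directions. Only 10.10.10.10 (the ASA outside address) comes from the thread; 203.0.113.10 for the router's public address, 198.51.100.20 for the SRX, and the dynamic port range starting at 1024 are assumed for illustration.

```python
"""Added example for this thread (not Cisco code): what an IOS edge NAT does to
IKE (UDP/500), NAT-T (UDP/4500) and raw ESP (IP protocol 50) under static
one-to-one NAT versus PAT, with and without the two port forwards above."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

ESP, UDP = 50, 17
IKE_PORT, NAT_T_PORT = 500, 4500
ASA_INSIDE = "10.10.10.10"      # from the thread: ASA outside interface
ROUTER_PUBLIC = "203.0.113.10"  # assumed public address on the perimeter router
PEER = "198.51.100.20"          # assumed public address of the Juniper SRX 3600


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None  # None for ESP: protocol 50 carries no L4 ports
    dport: Optional[int] = None


class StaticNat:
    """'ip nat inside source static <inside> <outside>': a pure address swap;
    ports are never consulted, so ESP is translated like anything else."""

    def __init__(self, inside: str, outside: str) -> None:
        self.inside, self.outside = inside, outside

    def outbound(self, p: Packet) -> Optional[Packet]:
        return replace(p, src=self.outside) if p.src == self.inside else None

    def inbound(self, p: Packet) -> Optional[Packet]:
        return replace(p, dst=self.inside) if p.dst == self.outside else None


class Pat:
    """Interface overload: entries are keyed on (protocol, outside port), so a
    packet with no ports can neither create nor match one. 'forwards' seeds the
    table the way 'ip nat inside source static udp <in> 500 interface <if> 500' does."""

    def __init__(self, outside: str,
                 forwards: Optional[Dict[Tuple[int, int], Tuple[str, int]]] = None) -> None:
        self.outside = outside
        self.table = dict(forwards or {})  # (proto, outside port) -> (inside ip, inside port)
        self.next_port = 1024              # assumed start of the dynamic port range

    def outbound(self, p: Packet) -> Optional[Packet]:
        if p.sport is None:
            return None  # nothing to key on: ESP is dropped
        for (proto, oport), entry in self.table.items():
            if proto == p.proto and entry == (p.src, p.sport):
                return replace(p, src=self.outside, sport=oport)
        oport, self.next_port = self.next_port, self.next_port + 1
        self.table[(p.proto, oport)] = (p.src, p.sport)
        return replace(p, src=self.outside, sport=oport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.dst != self.outside or p.dport is None:
            return None
        entry = self.table.get((p.proto, p.dport))
        if entry is None:
            return None  # no state and no forward: dropped at the edge
        return replace(p, dst=entry[0], dport=entry[1])


def asa_initiated_passes(nat, proto: int, port: Optional[int]) -> bool:
    """ASA sends first; does the SRX's reply reach 10.10.10.10?"""
    out = nat.outbound(Packet(ASA_INSIDE, PEER, proto, port, port))
    if out is None:
        return False
    back = nat.inbound(Packet(PEER, ROUTER_PUBLIC, proto, out.dport, out.sport))
    return back is not None and back.dst == ASA_INSIDE


def peer_initiated_passes(nat, proto: int, port: Optional[int]) -> bool:
    """SRX sends first to the router's public address, with no prior NAT state."""
    back = nat.inbound(Packet(PEER, ROUTER_PUBLIC, proto, port, port))
    return back is not None and back.dst == ASA_INSIDE


def run_scenarios() -> Dict[str, Dict[str, bool]]:
    forwards = {(UDP, IKE_PORT): (ASA_INSIDE, IKE_PORT),
                (UDP, NAT_T_PORT): (ASA_INSIDE, NAT_T_PORT)}
    nats = {"static": StaticNat(ASA_INSIDE, ROUTER_PUBLIC),
            "pat": Pat(ROUTER_PUBLIC),
            "pat+forwards": Pat(ROUTER_PUBLIC, forwards)}
    return {name: {
        "ike_udp500": asa_initiated_passes(nat, UDP, IKE_PORT),
        "esp_proto50": asa_initiated_passes(nat, ESP, None),
        "nat_t_udp4500": asa_initiated_passes(nat, UDP, NAT_T_PORT),
        "peer_initiated_ike": peer_initiated_passes(nat, UDP, IKE_PORT),
    } for name, nat in nats.items()}


if __name__ == "__main__":
    for name, r in run_scenarios().items():
        print(f"{name:13s}", "  ".join(f"{k}={'pass' if v else 'DROP'}" for k, v in r.items()))
```

Running it shows ESP passing only under the static address map, which is Jeet's case and the one Shibu says he has; under PAT the two forwards let the SRX initiate IKE and let UDP 4500 through, but protocol 50 still has no port to match, so NAT-T's UDP encapsulation is the only way ESP survives that edge, which is Zaid's case. The model deliberately says nothing about why Phase 2 fails on a static map with NAT-T off; that has to be diagnosed on the ASA and SRX themselves.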
