Cisco Support Community
New Member

One Public IP address for Two Local IP address for VPN

Hi,

I have a VPN 3015 used for WEBVPN connections, and an ASA 5540 used for IPSEC connections.

I use the same public IP address for both.

The VPN 3015 and the ASA 5540 are behind a PIX 525, on a DMZ.

I have done this on the PIX 525:

static (DMZ,outside) tcp public_address https local_address_for_VPN3015 https netmask 255.255.255.255 0 0

static (DMZ,outside) tcp public_address 10000 local_address_for_ASA5540 10000 netmask 255.255.255.255 0 0

static (DMZ,outside) udp public_address isakmp local_address_for_ASA5540 isakmp netmask 255.255.255.255 0 0

It works fine for the WebVPN connections to the VPN 3015, and it works fine for the IPsec connections to the ASA 5540, but only for IPsec over TCP, not for IPsec over UDP.

I think the problem is the ESP protocol.

Any help?

Thanks

12 REPLIES
New Member

Re: One Public IP address for Two Local IP address for VPN

You need to forward IP protocol 50 (ESP) and UDP 500 (ISAKMP).

New Member

Re: One Public IP address for Two Local IP address for VPN

Hi,

Yes, I know this, but how can I add the protocol ESP in the static command?

New Member

Re: One Public IP address for Two Local IP address for VPN

No CCIE Security or CCSP guy can help me?

Hall of Fame Super Blue

Re: One Public IP address for Two Local IP address for VPN

Hi

Not CCIE Security or CCSP, but I don't think you can do this. Port forwarding only works on TCP and UDP ports because, in effect, ESP does not have a port number at all, only a protocol number.

So unless you can do a static statement where you don't define TCP/UDP ports, I don't think this will work.

Do you not have any spare public IP addresses?

Jon

Re: One Public IP address for Two Local IP address for VPN

Have you tried an inbound ACL on the ASA pointing to public_address allowing esp-50 and ah-51? Give that a try and test.

New Member

Re: One Public IP address for Two Local IP address for VPN

Hi,

The ASA 5540 is in a DMZ behind a PIX 525, and I added the ACL to permit isakmp and esp.

On the PIX 525, I added the following commands:

static (DMZ,outside) tcp public_address https local_address_for_VPN3015 https netmask 255.255.255.255 0 0

static (DMZ,outside) udp public_address isakmp local_address_for_ASA5540 isakmp netmask 255.255.255.255 0 0

static (DMZ,outside) tcp public_address 10000 local_address_for_ASA5540 10000 netmask 255.255.255.255 0 0

It works fine for HTTPS and IPsec over TCP; for IPsec over UDP the VPN client can connect but can't do anything (like ping or others). When I add on the PIX the command:

static (DMZ,outside) public_address local_address_for_ASA5540 netmask 255.255.255.255 0 0

it now works for IPsec over UDP and for IPsec over TCP, but not for HTTPS (it works only if I do a clear xlate and use WebVPN first), and if there is another VPN client with IPsec over UDP, it works for IPsec over UDP but not for the new WebVPN connection.

New Member

Re: One Public IP address for Two Local IP address for VPN

You need to use a static one-to-one NAT entry for the ASA and punch the necessary holes in the outside ACL for the traffic. You can still use static PAT for the VPN3K, but you could also use a separate static one-to-one if you want.
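As an added illustration of Jon's point above (ESP has a protocol number but no port, so a port-based static cannot match it) and of the one-to-one NAT advice in this reply, here is a toy model of a PIX-style static translation table. This is not code from the thread, from Cisco, or from the PIX itself; the addresses are constructed documentation values, the second public address is hypothetical, and the model simply reports when two statics claim the same inbound packet rather than guessing how the PIX would arbitrate.

```python
"""Toy model of a PIX-style static translation table (added illustration,
not the PIX NAT code).

It shows why a static PAT entry can never match ESP (IP protocol 50 has no
port), why a static one-to-one NAT on the same public address then overlaps
the existing HTTPS PAT, and how a second public address resolves the overlap.
All addresses are constructed (RFC 5737 / RFC 1918 documentation ranges).
"""
from dataclasses import dataclass
from typing import List, Optional

TCP, UDP, ESP = 6, 17, 50           # IP protocol numbers

# Constructed sample addresses
PUBLIC_A = "203.0.113.10"           # the single public address in the thread
PUBLIC_B = "203.0.113.11"           # hypothetical second public address
VPN3015 = "10.1.1.15"               # WebVPN concentrator on the DMZ
ASA5540 = "10.1.1.40"               # IPsec headend on the DMZ


@dataclass(frozen=True)
class Static:
    """One 'static (DMZ,outside) ...' line: PAT if proto/port set, else one-to-one."""
    public_ip: str
    inside_ip: str
    proto: Optional[int] = None      # None -> one-to-one NAT, every protocol
    public_port: Optional[int] = None

    def matches(self, proto: int, dst_ip: str, dst_port: Optional[int]) -> bool:
        if dst_ip != self.public_ip:
            return False
        if self.proto is None:       # one-to-one: the whole address, any protocol
            return True
        # Static PAT keys on (protocol, port). An ESP packet carries no port,
        # so dst_port is None and no PAT entry can ever claim it.
        return proto == self.proto and dst_port == self.public_port


def classify(table: List[Static], proto: int, dst_ip: str,
             dst_port: Optional[int] = None) -> str:
    """Which inside host an inbound packet is translated to.

    Returns the inside IP, "dropped" if no static claims the packet, or
    "ambiguous" if statics for different inside hosts both claim it (the
    model does not guess how the PIX would arbitrate; it flags the overlap).
    """
    hits = [s.inside_ip for s in table if s.matches(proto, dst_ip, dst_port)]
    if not hits:
        return "dropped"
    if len(set(hits)) > 1:
        return "ambiguous"
    return hits[0]


def single_ip_pat_table() -> List[Static]:
    """The three static PAT lines from the original post."""
    return [
        Static(PUBLIC_A, VPN3015, TCP, 443),     # https -> VPN 3015
        Static(PUBLIC_A, ASA5540, TCP, 10000),   # IPsec over TCP -> ASA
        Static(PUBLIC_A, ASA5540, UDP, 500),     # isakmp -> ASA
    ]


def with_one_to_one() -> List[Static]:
    """Same table plus the one-to-one static the poster later added."""
    return single_ip_pat_table() + [Static(PUBLIC_A, ASA5540)]


def two_public_ips() -> List[Static]:
    """PAT for the 3015 on one address, one-to-one for the ASA on a second."""
    return [
        Static(PUBLIC_A, VPN3015, TCP, 443),
        Static(PUBLIC_B, ASA5540),
    ]


if __name__ == "__main__":
    probes = [("https", TCP, 443), ("isakmp", UDP, 500), ("esp", ESP, None)]
    tables = [("PAT only", single_ip_pat_table()),
              ("PAT + one-to-one", with_one_to_one()),
              ("two public IPs", two_public_ips())]
    for name, table in tables:
        for label, proto, port in probes:
            for ip in (PUBLIC_A, PUBLIC_B):
                print(f"{name:18} {label:7} -> {ip}: {classify(table, proto, ip, port)}")
```

Running it shows the three situations in the thread in order: with PAT only, ESP to the public address is dropped while ISAKMP and HTTPS translate fine; adding the one-to-one static lets ESP through but makes the HTTPS packet claimable by both the 3015 and the ASA; with a second public address each host owns its own translations and nothing overlaps.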

New Member

Re: One Public IP address for Two Local IP address for VPN

You need 2 public addresses.

New Member

Re: One Public IP address for Two Local IP address for VPN

Exactly what I said about static one-to-one NAT entries, obviously with different IPs from the PIX outside interface.

New Member

Re: One Public IP address for Two Local IP address for VPN

The easy solution is to use two public addresses, but the problem is that I want my users to use only one public DNS name for both WebVPN and IPsec connections.

The reason I do not use the ASA 5540 for both WebVPN and IPsec connections is that the ASA 5540 does not have a licence for WebVPN; that is why I use the VPN 3015 for WebVPN.

New Member

Re: One Public IP address for Two Local IP address for VPN

Like the other person already stated, you can't PAT ESP.

New Member

Re: One Public IP address for Two Local IP address for VPN

I know that we can put the ASA 5540 and the VPN Concentrator in VPN load balancing.

If I do this, can the VPN cluster tell that this is a WebVPN connection and thus give it to the VPN Concentrator 3015, and that this is an IPsec connection and give it to the ASA 5540?
