Cisco Support Community
Community Member

Vpn clarification

Dears,

I have a query regarding Site to Site VPN setup between a Juniper SRX 3600 and Cisco asa.

We have a Cisco ASA and the client has a Juniper SRX 3600.

The scenario here is that our end Cisco ASA outside interface has a private IP (10.10.10.10) and the public IP (static one-to-one) mapping is being done at the perimeter router.

On the client side they have a direct public IP configured on the Juniper SRX 3600 with NAT-Traversal disabled on the corresponding tunnel towards our side.

They have a strict policy to disable NAT-T, which they won't enable. So we have to disable NAT-T here on the tunnel as well.

The issue here is that Phase 1 is coming up, but in Phase 2 I don't see any IPsec SA.

In this scenario, where our ASA is behind a NAT device (router) with NAT-T disabled, will the site-to-site VPN work? Will the tunnel come up with NAT-T disabled?

Any assistance will be helpful.

9 REPLIES
Community Member

Vpn clarification

Any response would be highly appreciated thanks

Cisco Employee

Vpn clarification

Hi Shibu,

If your edge is doing a one-to-one NAT for the ASA outside interface, then there should be no issue.

But if the edge router is doing PAT, then you have no option but to enable NAT-T on the remote end.

Because NAT-T doesn't work with PAT.

Thanks

Jeet Kumar

Community Member

Vpn clarification

Hi Jeet,

Thanks for your response.

Please see my response inline.

If your edge is doing a one-to-one NAT for the ASA outside interface, then there should be no issue.

Shibu: Yes, we do one-to-one NAT.

So you mean the site-to-site VPN works fine with NAT-T disabled at both ends

and one-to-one NAT configured on the perimeter device for the ASA private IP? Please clarify.

Community Member

Vpn clarification

Hi all,

Any update on this? Really appreciated.

Cisco Employee

Vpn clarification

Hello,

A little clarification:

Q. Why is NAT-T needed?

A. In phase 2 and the last messages of phase 1, the packets being sent between peers are encrypted ESP packets (IP protocol 50). So when an encrypted packet goes through a device running PAT, it will be dropped since it doesn't use port numbers. In these cases, NAT-T is used to send UDP 4500 packets instead of ESP packets. So, if you are behind a NAT device, you need to enable NAT-T.

As for the NATing on the router, you need to add 2 static NAT statements to allow UDP 500 and UDP 4500 packets.

ip nat inside source static udp X.X.X.X 500 interface FastEthernet0/0 500

ip nat inside source static udp X.X.X.X 4500 interface FastEthernet0/0 4500

This is called Port Forwarding and will pass any VPN traffic to the ASA.

If you implement static NATing without ports, all traffic going to the public ip of the router will go to the ASA.

If you want to disable NAT-T, you can have the router become the termination point of the VPN instead of the ASA.

HTH

Zaid Al-Kurdi
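To make the two points in the reply above concrete (why a one-to-one static NAT passes ESP but PAT cannot, and how NAT-T itself notices a NAT in the path), here is an added example that is not part of the thread and not Cisco or the poster's configuration. It computes the RFC 3947 NAT-D payload, HASH(CKY-I | CKY-R | IP | Port), as the ASA would build it from its private address, and checks it the way the SRX would against the translated source it actually sees; it then pushes a plain ESP packet and a NAT-T (UDP 4500) packet through a model of a one-to-one static NAT and of PAT. The IKE cookies, the public addresses (RFC 5737 documentation ranges) and the SHA-1 hash choice are constructed assumptions; 10.10.10.10 is the ASA address from the question.

```python
"""NAT-T mechanics for the ASA-behind-a-router scenario (added example)."""
import hashlib
import ipaddress
import struct
from dataclasses import dataclass, replace
from typing import Optional

UDP, ESP = 17, 50

# ---- Part 1: how IKE's NAT-D payloads (RFC 3947) discover a NAT in the path ----

def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo: str = "sha1") -> bytes:
    """NAT-D payload = HASH(CKY-I | CKY-R | IP | Port) (RFC 3947 section 3.2).
    IP is the packed address and Port is 2 bytes, both network byte order.
    The hash is the one negotiated for the IKE SA; SHA-1 is assumed here."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.new(algo, cky_i + cky_r + addr + struct.pack("!H", port)).digest()

def nat_detected(received: bytes, cky_i: bytes, cky_r: bytes, seen_ip: str, seen_port: int) -> bool:
    """The receiver recomputes the hash over the source IP/port it actually saw
    on the wire.  A mismatch proves something rewrote the address or port."""
    return received != nat_d_hash(cky_i, cky_r, seen_ip, seen_port)

def asa_behind_static_nat_is_detected() -> bool:
    """Thread scenario: the ASA hashes its private address, the edge router
    translates it 1:1 to a public address.  Even a 1:1 NAT changes the IP, so
    the hashes differ and NAT-T (if enabled on both ends) would float to UDP 4500."""
    cky_i = bytes.fromhex("0123456789abcdef")   # constructed initiator cookie
    cky_r = bytes.fromhex("fedcba9876543210")   # constructed responder cookie
    asa_private, asa_public = "10.10.10.10", "203.0.113.10"   # public IP assumed
    sent = nat_d_hash(cky_i, cky_r, asa_private, 500)         # what the ASA knows
    return nat_detected(sent, cky_i, cky_r, asa_public, 500)   # what the SRX sees

# ---- Part 2: what a one-to-one static NAT and a PAT do to ESP and to NAT-T ----

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # ESP carries no transport ports
    dport: Optional[int] = None

def static_nat(pkt: Packet, inside_ip: str, outside_ip: str) -> Packet:
    """'ip nat inside source static <inside> <outside>': rewrites only the source
    address, for every protocol, so ESP (protocol 50) passes through."""
    return replace(pkt, src=outside_ip) if pkt.src == inside_ip else pkt

class Pat:
    """Many inside hosts overloaded on one outside address.  Each translation
    is keyed on a transport port, so a packet without ports cannot be mapped."""
    def __init__(self, outside_ip: str):
        self.outside_ip = outside_ip
        self.table = {}          # (inside_ip, proto, sport) -> outside port
        self.next_port = 1024

    def translate(self, pkt: Packet) -> Optional[Packet]:
        if pkt.sport is None:    # ESP: nothing to key the translation on, dropped
            return None
        key = (pkt.src, pkt.proto, pkt.sport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return replace(pkt, src=self.outside_ip, sport=self.table[key])

def nat_t_encapsulate(esp: Packet) -> Packet:
    """NAT-T wraps the ESP packet in UDP 4500 so a PAT device can translate it."""
    return Packet(esp.src, esp.dst, UDP, sport=4500, dport=4500)

# Constructed ESP packet from the ASA (10.10.10.10) towards the SRX (assumed 198.51.100.1)
ESP_FROM_ASA = Packet("10.10.10.10", "198.51.100.1", ESP)

def esp_survives_static_nat() -> bool:
    out = static_nat(ESP_FROM_ASA, "10.10.10.10", "203.0.113.10")
    return out.proto == ESP and out.src == "203.0.113.10"

def esp_survives_pat() -> bool:
    return Pat("203.0.113.10").translate(ESP_FROM_ASA) is not None

def nat_t_survives_pat() -> bool:
    out = Pat("203.0.113.10").translate(nat_t_encapsulate(ESP_FROM_ASA))
    return out is not None and out.proto == UDP and out.dport == 4500

if __name__ == "__main__":
    print("NAT-D detects the 1:1 NAT:", asa_behind_static_nat_is_detected())
    print("ESP through static NAT:   ", esp_survives_static_nat())
    print("ESP through PAT:          ", esp_survives_pat())
    print("NAT-T (UDP 4500) via PAT: ", nat_t_survives_pat())
```

The model ties the thread together: with NAT-T disabled on both ends no NAT-D payloads are exchanged, the peers send raw ESP, and a one-to-one static NAT forwards it because it rewrites only the address. PAT is the case that needs NAT-T, because protocol 50 gives it no port to build a translation on. Note that if NAT-T were enabled, the NAT-D check would still flag the 1:1 translation as a NAT and the peers would float to UDP 4500, which the static NAT also passes.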

Community Member

Vpn clarification

Hello Zaid,

Thanks for your reply.

Here on the perimeter router we have static NAT configured as below, not PAT with port numbers.

ip nat inside source static *.*.*.*  *.*.*.*

Q. Why is NAT-T needed?

A. In phase 2 and the last messages of phase 1, the packets being sent between peers are encrypted ESP packets (IP protocol 50). So when an encrypted packet goes through a device running PAT, it will be dropped since it doesn't use port numbers. In these cases, NAT-T is used to send UDP 4500 packets instead of ESP packets. So, if you are behind a NAT device, you need to enable NAT-T.

Shibu: Our ASA is behind a NAT device (router) and configured with static NAT as above. I am a bit confused about your statement, which talks about PAT.

As Mr. Jeet Kumar mentioned above, without NAT-T ESP should work fine with static NAT. Could you please clarify here?

If you want to disable NAT-T, you can have the router become the termination point of the VPN instead of the ASA.

Shibu: We cannot make the router the termination point as this is owned by the provider's datacentre.

Is there any way we can bring the tunnel up with NAT-T disabled on both ends? I very badly need a solution for this.

Thanks in advance

Community Member

Vpn clarification

Hi all,

Could someone give me clear clarity on this request? Any response would be appreciated.

Thanks

Community Member

Vpn clarification

Any response on this would be appreciated. Thanks.

Cisco Employee

Vpn clarification

Hello,

Now if you want to statically map the public IP of the router to the IP of the ASA, that would work.

However, this will make all traffic to that IP, not just VPN, go to the ASA. My suggestion was to allow only VPN traffic through.

This is totally up to you.
