How do I configure my ASA 5510 to allow IPsec traffic through my router? I have a VPN device that is on the inside of my ASA 5510 that needs to be able to create tunnels, so I need to allow the VPN passthrough; however, I am not certain how to do this. I only have one external static IP address.
I know that
ESP protocol 50
AH protocol 51
UDP ports 500 and 4500 need to allow traffic, but I am a beginner with Cisco routers.
A typical setup normally assigns one (1) dedicated public IP to the router, to be used to direct VPN traffic to the router.
When you say "..I only have one external static IP address", do you mean a dedicated/unused public IP, or a public IP that is also assigned to your PIX's outside interface IP?
If the single public IP is also used by the PIX, it sounds not possible.
The reason is, you have to do port redirection to your router's private IP. The port redirection is to allow traffic from outside/internet to reach your router by sharing/using the PIX's outside interface IP. But only TCP/UDP is supported. AH & ESP are not supported. The most you can do is to map the isakmp. But nothing will be working here with only isakmp available (no ah & esp).
I tried to do this (port redirection), both AH & ESP are rejected/invalid.
To answer your question, "I only have one external static IP address", what I mean is that I have one public IP that is assigned to the PIX outside interface IP.
Here's the thing, the external or public interface is a 69.x.x.x network and my internal device that the port needs to be redirected to is a 172.x.x.x network. The tunnel needs to originate from the 172.x.x.x network and just flow or pass through the PIX at 69.x.x.x.
If I have ESP and AH enabled and have UDP ports 500 and 4500, shouldn't the tunnel work?
It works differently with port redirection when you use the outside interface IP (public IP) compared to a dedicated public IP.
Your 69.x.x.x merely acts like a proxy for the 172.x.x.x. All traffic destined for 172.x.x.x (I assumed this is a private IP of the 172.16.x.x range, or is it a 172.x.x.x range of public IP?) from the internet will hit the 69.x.x.x first, and this IP must know who/where to pass the session/connection to, with what protocol.
Port redirection only supports IP, and therefore no AH/ESP traffic can reach 172.x.x.x (except UDP 500/4500), and subsequently, no VPN session can take place.
Another thing is, when the VPN traffic is expected to use/originate from 172.x.x.x, does it mean the other end is doing the same port redirection as well so that both can see each other after stripping their masked public IP?
This is due to the nature of a private IP, where it will be masked with a public IP when travelling through the internet/public network, and will be stripped back to the original private IP when it reaches the other end that redirects/converts it to the actual destination private IP (the peer doing the same port redirection as well).
I tried to simulate this in a lab, but it doesn't work (due to the port redirection limitation of supporting esp/ah, but it works with a dedicated public IP). Unless of course, if your 172.x.x.x is under another range of valid public IP, then this is possible - use no NAT.
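For reference, this is what the working case from the reply above (a dedicated, unused public IP mapped one-to-one to the inside VPN device) looks like on an ASA. It is an added example, not config from either poster; it assumes ASA 8.3+ NAT syntax, interface names "inside"/"outside", and uses RFC 5737 placeholder addresses (192.0.2.10 as the spare public IP, 172.16.1.10 as the inside VPN device) in place of the thread's 69.x.x.x / 172.x.x.x.

```cisco
! Added example, not from the thread. ASA 8.3+ syntax assumed.
! 192.0.2.10  = dedicated spare public IP (NOT the outside interface IP)
! 172.16.1.10 = inside VPN gateway that builds the tunnels
!
object network VPN_DEVICE_INSIDE
 host 172.16.1.10
 description Inside VPN gateway
!
object network VPN_DEVICE_PUBLIC
 host 192.0.2.10
!
! One-to-one static NAT. Because it translates the whole address and not
! a TCP/UDP port, ESP (50) and AH (51) are carried through it, which a
! port-redirection (PAT) rule on the interface IP cannot do.
object network VPN_DEVICE_INSIDE
 nat (inside,outside) static VPN_DEVICE_PUBLIC
!
! Inbound ACL on the outside interface. On 8.3+ the destination is the
! REAL (inside) address, since NAT is untranslated before the ACL check.
access-list OUTSIDE_IN extended permit esp any host 172.16.1.10
access-list OUTSIDE_IN extended permit ah any host 172.16.1.10
access-list OUTSIDE_IN extended permit udp any host 172.16.1.10 eq isakmp
access-list OUTSIDE_IN extended permit udp any host 172.16.1.10 eq 4500
!
access-group OUTSIDE_IN in interface outside
!
! Verification after applying:
!   show nat detail         (translate_hits / untranslate_hits increase)
!   show access-list OUTSIDE_IN   (hitcnt on the esp/ah/udp lines)
```

Outbound traffic from the inside device is permitted by the default higher-to-lower security-level behaviour, so only the inbound direction needs the explicit ACL.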