VPN Pass-through

terrancemacdonald · ‎10-20-2006

How do i configure my ASA 5510 to allow IPSEC traffic through my router. I have a VPN device that is on the inside of my ASA 5510 that needs be able to create tunnels, so I need to allow the VPN PASSTHROUGH, however i am not certain on how to do this, I only have one external static IP address.

I know that

ESP protocal 50

AH protocal 51

UDP port 500 and 4500 need to allow traffic, but am a beginner with Cisco routers

Any asssitance would be welcomed

a.kiprawih · ‎10-21-2006

Typical setup normally assign one (1) dedicated public IP to the router for to be used to direct VPN-traffic to the router.

When you say "..I only have one external static IP address", do you mean dedicated/unused Public IP, or Public IP that is also assigned to your PIX's outside interface IP?

If the sinle Public IP is also used by PIX, it sounds not possible.

The reason is, you have to do port-redirection to your router's private IP. The port redirection is to allow traffic from outside/internet to reach your router by sharing/using PIX's outside interface IP. But only TCP/UDP is supported. AH & ESP is not supported. The most you can do is to map the isakmp. But nothing will be working here with only isakmp available (no ah & esp).

I tried to do this (port redirection), both AH & ESP are rejected/invalid.

HTH

AK

a.kiprawih · ‎10-21-2006

But if you have dedicated Public IP to be mapped to your internal VPN router, you can do this:

ASA:

- mapped router private IP to public IP

ASA(config)#static (inside,outside) xx.xx.xx.100 yy.yy.yy.10 netmask 255.255.255.255

where:

xx.xx.xx.100 - Public IP for router

yy.yy.yy.10 - Private IP for router

- allow ah, esp & isakmp to pass through ASA and reach VPN router (use ACL on outside interface):

ASA(config)#access-list outside permit ah any host xx.xx.xx.100

ASA(config)#access-list outside permit esp any host xx.xx.xx.100

ASA(config)#access-list outside permit udp any host xx.xx.xx.100 eq isakmp

ASA(config)#access-list outside permit icmp any host xx.xx.xx.100 --> icmp@ping to test reachability from outside/internet to vpn router

HTH

AK

terrancemacdonald · ‎10-21-2006

When you say dedicated Public IP do you mean a "static Public IP address?

TM

terrancemacdonald · ‎10-21-2006

AK,

To answer your question, "I only have one external static IP address", what i mean is that i have one public IP that is assigned to the PIX outside interface IP.

Here's the thing, the External or public interface is a 69.x.x.x network and my internal device that the port need to be redirected to is a 172.x.x.x network. The tunnel needs to originate from the 172.x.x.x network and just flow or passthrough the PIX at 69.x.x.x.

If i have ESP and AH enabled and have UDP port 500 and 4500 shouldn't the tunnel work?

TM

a.kiprawih · ‎10-21-2006

If works differently with port redirection when you use outside interface IP (public IP) compared to dedicated Public IP.

Your 69.x.x.x merely act like a proxy for the 172.x.x.x. All traffics destined for 172.x.x.x (I assumed this is private IP of 172.16.x.x range, or is it 172.x.x.x range of public IP?) from internet will hit the 69.x.x.x first, and this IP must know who/where to pass the session/connection with the what protocol.

Port redirection only support IP, and therefore no AH/ESP traffic can reach 172.x.x.x (except UDP 500/4500), and subsequently, no VPN session can take place.

Another thing is, when the VPN traffic is expected to use/originate from 172.x.x.x, does it mean the other end is doing the same port redirection as well so that both can see each other after stripping their masked public IP?

This is due to the nature of Private IP where it will be masked with Public IP when travelling through Internet/Public network, and will be stripped back to original private IP when it reached the other end that redirect/convert it to the actual destination of private IP (peer doing the same port redirection as well).

I tried to simulate this in lab, but it doesn't work (due to port redirection limitation of supporting esp/ah, but it works with dedicated public IP). Unless of course, if your 172.x.x.x is under the other range of valid Public IP, then this is possible - use no NAT).

HTH

AK