Forward traffic VPN IPSec

pechdara pin
Level 1

Hi guys, I would like to raise this topic to understand the flow of VPN IPsec.
Assume I have one 1921 router and one ASA 5510 behind the router. I want to configure Remote Access on the ASA firewall by forwarding traffic from the router (UDP port 500 and UDP port 4500). I have one public IP and I have already configured NAT on the router. Actually, I have heard that IPsec can't traverse NAT. So if I want to configure VPN on the ASA, is it possible to do that? Please, everyone, comment and offer your ideas. Thanks for your responses.

Accepted Solution

Hi,

When you say you have one public IP address, is this IP address assigned to the router interface, or is it an unassigned, separate IP address?

If it is an unassigned public IP address, you can do static NAT from the ASA outside IP address to the public IP address on your router, like below:

 {100.100.x.x}fa0/0<-(R1)->fa0/1{192.168.100.1}<------->{192.168.100.2}eth0/0(ASA)eth0/1{172.16.0.1}

ip nat inside source static 192.168.100.2 100.100.x.x

This way you have a complete IP-to-IP NAT.

 

If you have only a single public IP address, and it is assigned to the router interface, then you need to port NAT as described below.

 

For VPN gateways that run Cisco IOS Software releases earlier than 12.2(13)T, the IPSec passthrough feature is needed on the router that performs PAT to allow Encapsulating Security Payload (ESP) through.

Note: This feature is known as IPSec through Network Address Translation (NAT) support in the Software Advisory.

In order to initiate the tunnel from the local (PATed) peer, no configuration is needed. In order to initiate the tunnel from the remote peer, these commands are needed:

  • ip nat inside source static esp inside_ip interface interface

  • ip nat inside source static udp inside_ip 500 interface interface 500

For VPN gateways that run a Cisco IOS Software release later than 12.2(13)T, IPSec traffic is encapsulated into User Datagram Protocol (UDP) port 4500 packets. This feature is known as IPSec NAT Transparency. In order to initiate the tunnel from the local (PATed) peer, no configuration is needed.

In order to initiate the tunnel from the remote peer, these commands are needed:

  • ip nat inside source static udp inside_ip 4500 interface interface 4500

  • ip nat inside source static udp inside_ip 500 interface interface 500

Source: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/23820-ios-pat-ipsec-tunnel.html

HTH

Sandy
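The static NAT entries in the answer above, as an added example that is not part of the original post and is not Cisco IOS code: a small Python model of `ip nat inside source static` that forwards inbound UDP 500, UDP 4500 and raw ESP from the router's public address to the ASA outside address in the diagram, and shows why a second inside IPsec peer cannot share that single public IP for raw ESP (ESP has no port to translate on, which is the "IPsec can't traverse NAT" problem the question raises). 100.100.1.1 stands in for the diagram's 100.100.x.x and 203.0.113.7 is a constructed remote peer; both addresses are assumptions.

```python
"""Toy model of IOS 'ip nat inside source static' for the thread's topology.

Added example, not IOS code. 192.168.100.2 is the ASA outside address from the
diagram; 100.100.1.1 is an assumed stand-in for the router's 100.100.x.x fa0/0.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ROUTER_PUBLIC_IP = "100.100.1.1"  # assumption: the router's public fa0/0 address
ASA_OUTSIDE_IP = "192.168.100.2"  # ASA eth0/0 from the diagram


@dataclass(frozen=True)
class StaticRule:
    proto: str                  # "udp", "tcp" or "esp"
    inside_ip: str
    inside_port: Optional[int]  # None for esp: IP protocol 50 carries no ports
    global_ip: str
    global_port: Optional[int]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: Optional[int] = None  # None for esp


def parse_static_rule(cmd: str, interface_ips: Dict[str, str]) -> StaticRule:
    """Parse the two command shapes quoted in the accepted answer:
       ip nat inside source static esp <inside_ip> interface <ifname>
       ip nat inside source static <udp|tcp> <inside_ip> <port> interface <ifname> <port>
    interface_ips maps an interface name to the address the 'interface' keyword resolves to."""
    t = cmd.split()
    if len(t) < 6 or t[:5] != ["ip", "nat", "inside", "source", "static"]:
        raise ValueError(f"not a static NAT rule: {cmd!r}")
    proto = t[5]
    if proto == "esp" and len(t) == 9 and t[7] == "interface":
        return StaticRule("esp", t[6], None, interface_ips[t[8]], None)
    if proto in ("udp", "tcp") and len(t) == 11 and t[8] == "interface":
        return StaticRule(proto, t[6], int(t[7]), interface_ips[t[9]], int(t[10]))
    raise ValueError(f"unrecognised static NAT rule: {cmd!r}")


class NatTable:
    def __init__(self) -> None:
        self.rules: List[StaticRule] = []

    def add(self, rule: StaticRule) -> None:
        # One global (proto, ip, port) tuple can point at only one inside host.
        # For ESP the port is always None, so a single public IP can forward raw
        # ESP to exactly one inside peer; UDP 500/4500 rules are disambiguated by port.
        for r in self.rules:
            if (r.proto, r.global_ip, r.global_port) == (rule.proto, rule.global_ip, rule.global_port):
                raise ValueError(f"{rule.proto} {rule.global_ip}:{rule.global_port} already maps to {r.inside_ip}")
        self.rules.append(rule)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: rewrite the destination when a static rule matches."""
        for r in self.rules:
            if (pkt.proto, pkt.dst_ip, pkt.dst_port) == (r.proto, r.global_ip, r.global_port):
                return Packet(pkt.src_ip, r.inside_ip, pkt.proto, r.inside_port)
        return None  # no translation: the router handles or drops it itself


def table_from_accepted_answer() -> NatTable:
    ifs = {"fa0/0": ROUTER_PUBLIC_IP}
    table = NatTable()
    for cmd in (
        f"ip nat inside source static udp {ASA_OUTSIDE_IP} 500 interface fa0/0 500",
        f"ip nat inside source static udp {ASA_OUTSIDE_IP} 4500 interface fa0/0 4500",
        f"ip nat inside source static esp {ASA_OUTSIDE_IP} interface fa0/0",
    ):
        table.add(parse_static_rule(cmd, ifs))
    return table


def inbound_demo() -> Dict[str, Optional[str]]:
    """Where each remote-initiated packet ends up; None means no rule matched."""
    table = table_from_accepted_answer()
    remote = "203.0.113.7"  # constructed remote peer address
    probes = {
        "ike_udp500": Packet(remote, ROUTER_PUBLIC_IP, "udp", 500),
        "natt_udp4500": Packet(remote, ROUTER_PUBLIC_IP, "udp", 4500),
        "raw_esp": Packet(remote, ROUTER_PUBLIC_IP, "esp"),
        "tcp500": Packet(remote, ROUTER_PUBLIC_IP, "tcp", 500),  # IKE is UDP; a TCP forward misses it
    }
    result: Dict[str, Optional[str]] = {}
    for name, pkt in probes.items():
        out = table.translate_inbound(pkt)
        result[name] = out.dst_ip if out else None
    return result


def second_esp_peer_conflicts() -> bool:
    """A second inside IPsec peer cannot share the single public IP for raw ESP."""
    table = table_from_accepted_answer()
    try:
        table.add(parse_static_rule("ip nat inside source static esp 192.168.100.3 interface fa0/0",
                                    {"fa0/0": ROUTER_PUBLIC_IP}))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(inbound_demo())
    print("second ESP peer rejected:", second_esp_peer_conflicts())
```

Running it maps the UDP 500, UDP 4500 and raw ESP probes to 192.168.100.2 and leaves the TCP 500 probe untranslated; adding a `static esp` rule for a second inside host is rejected, because there is no port in an ESP header for the router to key a second translation on.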


LJ Gabrillo
Level 5

Hmmm... I think with your setup you can't have VPN set up on the ASA, considering that if you want a VPN, the ASA must use a public IP.

NAT Traversal is possible for IPSec, actually. However, not the traversal the way you have imagined. NAT Traversal is typically used in split-tunnel topologies, as in your setup: LAN access is through the IPSec tunnel; however, internet is through the ISP of the remote user.

Full tunnel, as we know, requires both LAN and internet traffic to go through the tunnel. Internet is given by your enterprise router.

Anyway, here is the summary: your remote users must be able to reach that public IP, and that public IP must be on the ASA.

Or better yet, configure IPSec remote access on the router :))
-though the VPN Client is already EOL/EOS.

SSL-VPN is the thing now :D
 

 

BUT BUT BUT!
In any case, try port forwarding your router's public IP to the ASA:

! forward IKE (ISAKMP) arriving on the WAN interface to the ASA
ip nat inside source static udp <ASA IP> 500 interface f0/1 500

! forward NAT-T (UDP-encapsulated IKE and ESP) to the ASA, same port on both sides
ip nat inside source static udp <ASA IP> 4500 interface f0/1 4500

500/TCP -ISAKMP

4500/TCP -IPSec w/ NAT Traversal

interface f0/1 is the router's WAN interface. See if that works :D

 

NOTE: If you are ever thinking of using SSL-VPN, this protocol uses different ports :)

                 443/TCP -HTTPS and 443/UDP -DTLS
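What actually arrives on the forwarded ports, as an added example that is not from the post above or from Cisco: a Python classifier for UDP datagrams on ports 500 and 4500 that follows the ISAKMP header layout (RFC 2408 / RFC 7296) and the UDP encapsulation of ESP (RFC 3948). It shows that IKE is carried on UDP 500, that after NAT-T detection both IKE (prefixed with a four-zero-byte Non-ESP Marker) and ESP move to UDP 4500, and that the NAT keepalive is a single 0xFF byte; none of this is TCP, which is why the port forwards on the router must be UDP. The SPIs and sample datagrams are constructed, not captured.

```python
"""Classify UDP datagrams on ports 500 and 4500 the way an IPsec peer does.

Added example, not from the thread or Cisco. Header layouts follow ISAKMP
(RFC 2408 / RFC 7296) and UDP encapsulation of ESP (RFC 3948). Every sample
datagram below is constructed, not captured.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Tuple

ISAKMP_HDR = struct.Struct("!QQBBBBII")  # 28-byte header shared by IKEv1 and IKEv2
NON_ESP_MARKER = b"\x00\x00\x00\x00"     # RFC 3948 2.2: IKE on UDP 4500 is prefixed with this
NAT_KEEPALIVE = b"\xff"                  # RFC 3948 2.3: one-byte NAT keepalive on UDP 4500

EXCHANGE_TYPES = {
    2: "IKEv1 Identity Protection (Main Mode)", 4: "IKEv1 Aggressive Mode",
    5: "IKEv1 Informational", 32: "IKEv1 Quick Mode",
    34: "IKEv2 IKE_SA_INIT", 35: "IKEv2 IKE_AUTH",
    36: "IKEv2 CREATE_CHILD_SA", 37: "IKEv2 INFORMATIONAL",
}


@dataclass(frozen=True)
class IsakmpHeader:
    initiator_spi: int
    responder_spi: int
    next_payload: int
    major: int
    minor: int
    exchange_type: int
    flags: int
    message_id: int
    length: int

    @property
    def exchange_name(self) -> str:
        return EXCHANGE_TYPES.get(self.exchange_type, f"unknown({self.exchange_type})")


def parse_isakmp_header(data: bytes) -> IsakmpHeader:
    """Parse and sanity-check an ISAKMP/IKE header; raises ValueError on junk."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("datagram shorter than an ISAKMP header")
    ispi, rspi, np_, ver, ex, flags, mid, length = ISAKMP_HDR.unpack_from(data)
    major, minor = ver >> 4, ver & 0x0F
    if major not in (1, 2):
        raise ValueError(f"unsupported IKE major version {major}")
    if length != len(data):
        # Length covers the whole message; a mismatch means truncation or garbage.
        raise ValueError(f"ISAKMP length {length} != datagram length {len(data)}")
    if ispi == 0:
        raise ValueError("initiator SPI must be non-zero")
    return IsakmpHeader(ispi, rspi, np_, major, minor, ex, flags, mid, length)


def classify_udp(dst_port: int, payload: bytes) -> str:
    """Return what an IPsec peer would take this UDP datagram for."""
    if dst_port == 500:
        parse_isakmp_header(payload)            # plain IKE; validates the header
        return "ike"
    if dst_port == 4500:
        if payload == NAT_KEEPALIVE:
            return "nat-keepalive"
        if payload.startswith(NON_ESP_MARKER):  # IKE moved to 4500 after NAT detection
            parse_isakmp_header(payload[len(NON_ESP_MARKER):])
            return "ike-natt"
        if len(payload) >= 8:
            spi, _seq = struct.unpack_from("!II", payload)
            if spi != 0:                        # SPI 0 is reserved, so the zero marker cannot collide
                return "esp-in-udp"
        raise ValueError("malformed UDP/4500 payload")
    return "not-ipsec"  # raw ESP (IP protocol 50) never reaches a UDP classifier at all


def ikev2_sa_init_header(initiator_spi: int) -> bytes:
    """Constructed header-only IKE_SA_INIT request (no payloads, Length = 28)."""
    flags_initiator = 0x08
    return ISAKMP_HDR.pack(initiator_spi, 0, 0, 0x20, 34, flags_initiator, 0, ISAKMP_HDR.size)


SAMPLES: Dict[str, Tuple[int, bytes]] = {
    "udp500_ike":        (500,  ikev2_sa_init_header(0x1122334455667788)),
    "udp4500_ike":       (4500, NON_ESP_MARKER + ikev2_sa_init_header(0x1122334455667788)),
    "udp4500_esp":       (4500, struct.pack("!II", 0x0000ABCD, 1) + bytes(16)),  # SPI, seq, opaque
    "udp4500_keepalive": (4500, NAT_KEEPALIVE),
}


def classify_samples() -> Dict[str, str]:
    return {name: classify_udp(port, payload) for name, (port, payload) in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(f"{name:20s} -> {result}")
    hdr = parse_isakmp_header(SAMPLES["udp500_ike"][1])
    print(hdr.exchange_name, f"IKEv{hdr.major}.{hdr.minor}", hex(hdr.initiator_spi))
```

Run against real traffic, a capture on the router's WAN interface that shows UDP 4500 datagrams classified as `esp-in-udp` after the IKE exchange confirms the ASA and the client agreed on NAT-T; if only UDP 500 appears and the tunnel stalls, the remote side is sending raw ESP (IP protocol 50), which the UDP forwards alone cannot carry.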

 

 

Hi, I have now connected to the VPN on the ASA behind the router, as you guided me with the link.
But I wonder why I can't ping my internal LAN.

Hi 

From the VPN machine you are not able to ping the internal LAN?

Use the command below on your ASA:

policy-map global_policy
    class inspection_default
     inspect icmp

 

HTH

Sandy

Hi,

I tried to type the command as you told me, but it still does not work.

Hi ,

Can you share your firewall config?

 

HTH

Sandy

Hi,
Please kindly have a look at my configuration. Thanks.

Hi , 

Your global_policy is not applied; use the command below to apply it.

(config)# service-policy global_policy global

Similarly, the security level is the same for both inside and internal, so use the command below to pass traffic between both interfaces.

 
(config)# same-security-traffic permit inter-interface

 

HTH

Sandy

Hi, please check again; I already typed the command
(config)#same-security-traffic permit inter-interface

and the command
(config)#service-policy global_policy global
I already typed these commands, but it seems not to work :(

Please help me.
 

Hi ,

Open a Webex meeting; let me have a look at this.

 

HTH

Sandy

Hi,
Yeah, I am sure I can, but let me tell you briefly about my infrastructure. Currently I have just configured it in my GNS3 lab, because I had configured it on the real network at my organization but it didn't work, so I need to prepare it in the GNS3 lab again
before I implement it on the real network. That is the point I would like to tell you.
Thanks

Hi ,

It should work. Deploy it on your infrastructure and let me know if any issue is foreseen.

 

HTH

Sandy 

 

Hi,
yeah, I will deploy it soon, but could you please kindly give me your email,
so that I can alert you immediately if it doesn't work. Thanks.

Hi

You can see that on my profile.
