07-18-2014 07:04 PM - edited 02-21-2020 07:44 PM
Hi guys, I would like to raise this topic to understand the flow of IPsec VPN.
Assume I have one 1921 router and one ASA 5510 behind the router. I want to configure Remote Access on the ASA firewall by forwarding traffic from the router (UDP port 500 and UDP port 4500). I have one public IP and I have already configured NAT on the router. Actually, I have heard that IPsec can't traverse NAT. So if I want to configure VPN on the ASA, is it possible to do that? Please, everyone, comment and offer your ideas to me. Thanks for responding.
07-18-2014 11:47 PM
Hi,
When you say you have one public IP address, is this IP address assigned to the router interface, or is it an unassigned separate IP address?
If it's an unassigned public IP address, you can do static NAT from the ASA outside IP address to the public IP address on your router, like below:
{100.100.x.x}fa0/0<-(R1)->fa0/1{192.168.100.1}<------->{192.168.100.2}eth0/0(ASA)eth0/1{172.16.01}
ip nat inside source static 192.168.100.2 100.100.x.x
This way you have a complete IP-to-IP NAT.
If you have only a single IP address, which is assigned to the router interface, then you need to port NAT as said:
For VPN Gateways that run Cisco IOS Software Releases earlier than 12.2(13)T, the IPSec passthrough feature is needed on the router that performs PAT to allow Encapsulating Security Payload (ESP) through.
Note: This feature is known as IPSec through Network Address Translation (NAT) support in the Software Advisory (registered customers only).
In order to initiate the tunnel from the local (PATed) peer, no configuration is needed. In order to initiate the tunnel from the remote peer, these commands are needed:
ip nat inside source static esp inside_ip interface interface
ip nat inside source static udp inside_ip 500 interface interface 500
For VPN Gateways that run a Cisco IOS Software Release later than 12.2(13)T, IPSec traffic is encapsulated into User Datagram Protocol (UDP) port 4500 packets. This feature is known as IPSec NAT Transparency. In order to initiate the tunnel from the local (PATed) peer, no configuration is needed.
In order to initiate the tunnel from the remote peer, these commands are needed:
ip nat inside source static udp inside_ip 4500 interface interface 4500
ip nat inside source static udp inside_ip 500 interface interface 500
HTH
Sandy
07-18-2014 09:54 PM
Hmmm... I think with your setup you can't have VPN set up on the ASA, considering that if you want a VPN, the ASA must use a public IP.
NAT Traversal is possible for IPsec, actually. However, not the traversal the way you have imagined. NAT Traversal is typically used in split-tunnel topologies, where in your setup LAN access is through the IPsec tunnel, but internet is through the ISP of the remote user.
Full tunnel, as we know, requires both LAN and internet traffic to go through the tunnel. Internet is given by your enterprise router.
Anyway, here is the summary: your remote users must be able to reach that public IP, and that public IP must be on the ASA.
Or better yet, configure IPsec remote access on the router :))
- though the VPN Client is already EOL/EOS.
SSL-VPN is the thing now :D
BUT BUT BUT!
But in any case, try port forwarding your router's public IP to the ASA:
! ISAKMP and NAT-T run over UDP, and the outside port must match the inside port
ip nat inside source static udp <ASA IP> 500 interface f0/1 500
ip nat inside source static udp <ASA IP> 4500 interface f0/1 4500
500/TCP -ISAKMP
4500/TCP -IPSec w/ NAT Traversal
interface f0/1 is the router's WAN interface. See if that works :D
NOTE: If ever you are thinking of using SSL-VPN, this protocol uses different ports :)
443/TCP -HTTPS and 443/UDP -DTLS
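The two static NAT snippets in this thread differ in protocol and port pairing, which is exactly where such port-forwards usually go wrong. The checker below is an added example (not from this thread or from Cisco): it parses IOS `ip nat inside source static` lines and flags ports 500/4500 forwarded as TCP instead of UDP, inside/outside port mismatches, and missing ISAKMP or NAT-T mappings. The sample config lines are constructed, using the 192.168.100.2 ASA address and f0/1 interface mentioned above.

```python
import re

# IPsec remote access behind a PAT router needs ISAKMP (UDP/500) and
# NAT-T (UDP/4500) forwarded to the ASA. Raw ESP only matters for peers
# without NAT-T support, so it is reported but not required here.
REQUIRED = {("udp", 500), ("udp", 4500)}

PORT_RE = re.compile(
    r"^ip nat inside source static (?P<proto>tcp|udp) (?P<inside>\S+) "
    r"(?P<iport>\d+) interface (?P<oif>\S+) (?P<oport>\d+)$")
ESP_RE = re.compile(
    r"^ip nat inside source static esp (?P<inside>\S+) interface (?P<oif>\S+)$")


def parse_static_nat(lines):
    """Return (proto, inside_host, inside_port, outside_port) per NAT line."""
    rules = []
    for line in lines:
        line = line.strip()
        m = PORT_RE.match(line)
        if m:
            rules.append((m["proto"], m["inside"], int(m["iport"]), int(m["oport"])))
            continue
        m = ESP_RE.match(line)
        if m:
            rules.append(("esp", m["inside"], None, None))
    return rules


def check_ipsec_forwarding(lines):
    """Return a list of problems; an empty list means the forwarding looks right."""
    problems = []
    forwarded = set()
    for proto, inside, iport, oport in parse_static_nat(lines):
        if proto in ("tcp", "udp") and iport != oport:
            problems.append(f"{proto}/{iport} mapped to outside port {oport}; "
                            "ISAKMP and NAT-T expect the same port on both sides")
        if proto == "tcp" and iport in (500, 4500):
            problems.append(f"port {iport} forwarded as TCP; ISAKMP and NAT-T use UDP")
        forwarded.add((proto, iport))
    for proto, port in sorted(REQUIRED):
        if (proto, port) not in forwarded:
            problems.append(f"missing static NAT for {proto}/{port}")
    return problems


# Constructed sample configs: a working pair and a broken pair (TCP, port mismatch).
GOOD = ["ip nat inside source static udp 192.168.100.2 500 interface f0/1 500",
        "ip nat inside source static udp 192.168.100.2 4500 interface f0/1 4500"]
BAD = ["ip nat inside source static tcp 192.168.100.2 500 interface f0/1 500",
       "ip nat inside source static tcp 192.168.100.2 4500 interface f0/1 500"]
```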
07-20-2014 05:59 PM
Hi, now I have already connected to the VPN on the ASA behind the router as you guided me with the link.
But I wonder why I can't ping my internal LAN.
07-20-2014 10:57 PM
Hi
From the VPN machine you are not able to ping the internal LAN?
Use the below commands on your ASA:
policy-map global_policy
class inspection_default
inspect icmp
HTH
Sandy
07-21-2014 12:41 AM
Hi,
I tried typing the command as you told me, but it still does not work.
07-21-2014 12:51 AM
Hi,
Can you share your firewall config with me?
HTH
Sandy
07-21-2014 01:22 AM
07-21-2014 04:34 AM
Hi,
Your global policy is not mapped; use the below command to map it.
(config)# service-policy global_policy global
Similarly, the security level is the same for both inside & internal, so use the below command to pass traffic between both interfaces.
(config)# same-security-traffic permit inter-interface
HTH
Sandy
07-21-2014 05:15 AM
Hi, please check again; I have already typed the command
(config)#same-security-traffic permit inter-interface
and the command
(config)#service-policy global_policy global
I have already typed these commands, but it seems not to work :(
Please help me, please.
07-21-2014 05:31 AM
Hi,
Open a Webex meeting and have a check on this.
HTH
Sandy
07-21-2014 06:49 PM
Hi,
Yeah, I am sure I can, but let me tell you briefly about my infrastructure. Currently, I have just configured it in my GNS3 lab, because I tried to configure it on the real network at my organization but it doesn't work, so I need to prepare it in the GNS3 lab again
before I implement it on the real network. That's the point I would like to tell you.
Thanks
07-21-2014 08:24 PM
Hi,
It should work; deploy it on your infrastructure and let me know if any issues are foreseen.
HTH
Sandy
07-21-2014 09:16 PM
Hi,
yeah, I would deploy it soon, but could you please kindly give me your email,
because then I can alert you immediately if it doesn't work. Thanks.
07-21-2014 09:32 PM
Hi
You can see that on my profile.