NAT and tunnel endpoints

cchughes
Level 1

I have two ASA firewalls on different subnets, each with their own internet connection.  An IPsec tunnel is set up between my company and another company that terminates on one of my ASA firewalls.  The remote end of the tunnel will not support a second tunnel endpoint for redundancy.

Because of this I was wondering if it is possible to route the packets that establish the tunnel out the second firewall and simply NAT the source address to the address of my primary firewall's outside address.  The tunnel is set up to be established by interesting traffic originating from my company's side.

My ISP, in the event my primary connection goes down, will route packets destined for my tunnel endpoint to my second firewall's internet connection.  I figure if I can just NAT the tunnel endpoint address (destination address) to the assigned address on my second firewall's outside interface, that I could establish the tunnel this way. Anyone know if this is supported?  I know that about 10 years ago it wasn't, but I heard it can be done now.

Thanks.

1 Accepted Solution

It should work.

I've seen it work like that at least in Cisco equipment.

Also I think that if you see this problem with NAT, it should be fixed by NAT-T (when the devices sense that there's a NAT device in the path, packets 5 and 6 for key exchange go in UDP 4500).

It seems to be that it should work.


Federico.

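The NAT-T mechanism Federico refers to, as an added example that is not part of the thread: the RFC 3947 NAT-D payload lets each IKE peer hash the address and port it believes it is using, so the other side can detect that a NAT rewrote the header, after which IKE floats to UDP 4500 with the RFC 3948 non-ESP marker. The cookies, addresses and function names below are constructed for illustration; the failover scenario mirrors the one in the question (the secondary ASA initiates, the border router rewrites the source to the primary ASA's outside address, and the partner's peer sees only the rewritten source).

```python
"""
Added example (not from the thread): how an IKE peer detects that a NAT
rewrote the source address of a tunnel initiation (RFC 3947 NAT-D payloads)
and what it does about it (float IKE to UDP 4500, RFC 3948 framing).
All addresses, cookies and names here are constructed for illustration.
"""
import hashlib
import hmac
import ipaddress
import struct

IKE_PORT = 500        # IKE main mode messages 1-4 normally use UDP 500
NAT_T_PORT = 4500     # after NAT detection, messages 5/6 and ESP-in-UDP move here
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE over 4500 is prefixed with 4 zero bytes


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int,
               hash_name: str = "sha1") -> bytes:
    """RFC 3947 NAT-D payload value: HASH(CKY-I | CKY-R | IP | Port).

    The hash algorithm is the one negotiated for the IKE SA; SHA-1 is the
    default here only because it is the common choice in older IKEv1 setups.
    """
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("IKE cookies (SPIs) are 8 bytes each")
    h = hashlib.new(hash_name)
    h.update(cky_i)
    h.update(cky_r)
    h.update(ipaddress.ip_address(ip).packed)   # 4 bytes (IPv4) or 16 (IPv6), network order
    h.update(struct.pack("!H", port))            # 2-byte big-endian UDP port
    return h.digest()


def nat_detected(cky_i: bytes, cky_r: bytes, peer_nat_d: list[bytes],
                 observed_ip: str, observed_port: int, hash_name: str = "sha1") -> bool:
    """Decide, from the receiver's side, whether a NAT sits between the peers.

    The peer sends NAT-D hashes for the address/port it believes it is sending
    from. We hash the address/port the packet actually arrived from. If no
    hash matches, something on the path rewrote the header: a NAT is present.
    """
    observed = nat_d_hash(cky_i, cky_r, observed_ip, observed_port, hash_name)
    return not any(hmac.compare_digest(observed, h) for h in peer_nat_d)


def encapsulate_ike(nat_present: bool, ike_message: bytes) -> tuple[int, bytes]:
    """Pick the UDP port and framing for the next IKE message.

    Without NAT: plain IKE on UDP 500. With NAT (NAT-T): UDP 4500, with the
    four-byte non-ESP marker so the receiver can tell IKE apart from
    UDP-encapsulated ESP arriving on the same port.
    """
    if nat_present:
        return NAT_T_PORT, NON_ESP_MARKER + ike_message
    return IKE_PORT, ike_message


def simulate_failover_scenario() -> dict:
    """The thread's failure case, with constructed addresses: the secondary
    ASA initiates from its own outside address, the border router rewrites
    the source to the primary ASA's outside address, and the business
    partner's peer sees only the rewritten source."""
    cky_i = bytes.fromhex("0011223344556677")   # constructed initiator cookie
    cky_r = bytes.fromhex("8899aabbccddeeff")   # constructed responder cookie
    secondary_asa_outside = "198.51.100.5"       # constructed: what the initiator hashes
    primary_asa_outside = "203.0.113.10"         # constructed: what the partner sees after NAT

    # Initiator (secondary ASA) builds its NAT-D from the address it knows about.
    sent_nat_d = [nat_d_hash(cky_i, cky_r, secondary_asa_outside, IKE_PORT)]

    # Responder (business partner) compares against the arriving packet's source.
    detected = nat_detected(cky_i, cky_r, sent_nat_d, primary_asa_outside, IKE_PORT)
    port, _frame = encapsulate_ike(detected, b"\x00" * 28)  # 28-byte dummy ISAKMP header
    return {"nat_detected": detected, "udp_port": port}


if __name__ == "__main__":
    print(simulate_failover_scenario())   # {'nat_detected': True, 'udp_port': 4500}
```

NAT-D only answers "was the IP header rewritten"; the identity the partner matches the tunnel against travels separately in the IKE ID payload, which is the point behind the worry in this thread about addresses embedded in the encrypted payload. When labbing this, the thing to watch on the partner's side is whether the ID offered by the secondary ASA matches what their peer expects for the primary's address.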

8 Replies

Can you add a diagram of what you want to do?


Federico.

Here ya go.  Green is the normal path/tunnel endpoint.  Red is a failure scenario where the ISP presents a route to the business partner via a secondary internet/ASA.  Does NAT work with tunnel endpoints?

I understand now what you want to do but I'm having problems seeing it work.

For example....

The remote end will support a single VPN tunnel correct?

Then in order to allow the VPN communication when the primary Internet connection fails, the traffic should flow through the secondary ASA (but not establishing a second tunnel, instead using the same tunnel).

To accomplish this you want to NAT the IP of the second ASA to the IP of the primary ASA (but those are two separate internet connections).

I mean.... if you NAT the second ASA to the IP of the primary ASA, how would you control that the traffic be sent to the secondary ASA rather than to the first one?

Federico.

I was thinking about just pulling through the secondary ASA to the primary ASA (across the internal network) but wasn't sure what rules I would need or if it would even work.  Instead I am thinking it would be better (if NAT works) to translate all packets to/from the business partner tunnel endpoint with the border router of my secondary internet connection.  The secondary ASA would have the tunnel endpoint configured and be unaware of any translation.

The flow in a failure scenario would look like this:

Primary internet connection fails

A new default route is introduced via the secondary internet.

An internal client tries to access tunnel based resources

The default takes his traffic to the secondary ASA

The secondary ASA sees a match for interesting traffic and triggers an attempt to establish a tunnel

Tunnel initiation packets destined for the remote tunnel endpoint are seen by the Secondary border router

NAT kicks in and changes the source address to the address of the primary ASA outside interface

The business partner sees a tunnel initiation coming from a valid address and the tunnel is established.

Behind the scenes, my ISP tells me that if they sense a failure of my primary connection that they can route all packets bound for it to my secondary connection.

If both internet connections are from the same ISP and they can send you packets intended for the public IP of the primary ASA via either way, then I imagine it should work as you describe it.

The problem I was having is that the remote site needs to see the tunnel established with the IP of the primary ASA (no matter which ASA is handling the tunnel), but if NAT kicks in and the ISP directs the traffic to the secondary ASA there should be no problem.

Federico.

The reason I am questioning it working is that at one time, these endpoint addresses were embedded in the encrypted payload and it prevented tunnel establishment if the packet source address didn't match what was in the encrypted payload.  Do you know if that has changed?

My next step is to lab this.


Great.  Thanks for the help Federico!
