Solved

CISCO ASA 5505 behind NAT router

Posted on 2008-10-30
Last Modified: 2010-10-07
Hello everyone,
  I am planning to buy 2 Cisco ASA5505 devices so that I can set up a site to site VPN between 2 branches. In each branch there is currently an ADSL router that provides internet to internal users.
The DSL routers are running NAT.

I am wondering if the Cisco ASA 5505 can work as a VPN server, behind the NAT router.
Will the IPsec site to site VPN work through these DSL routers?

Do I go ahead with the purchase ?
Question by:anarine
25 Comments
 
LVL 5

Expert Comment

by:rexxus
ID: 22840565
Really depends on the 2 dsl routers that you have.

If they are Cisco devices and you manage them you don't need the ASAs, as you can set up a site to site VPN on the routers (depends on IOS level).

Most other devices that I've seen have some sort of configuration option to allow VPN passthrough/traversal.

The other option you'd have is to turn on bridging mode on the DSL routers and let the firewalls handle the routing.

If you could provide more information about the dsl routers make and model I could give you a more specific answer.
0
 

Accepted Solution

by:
DAKARG earned 100 total points
ID: 22841746
You need to put the DSL routers in bridged mode, assign the public IP directly to the ASA and start doing your NAT on the ASA. Also, in order for the site to site VPN to work correctly you need to have static IPs from your ISP.

The ASA 5505 at each site for site-to-site VPN is a workable solution, you just need to get the public IP on the ASA interface. There are no advantages to NATing on the DSL router; this can all be done with much better control in the ASA5505.
0
 

Author Comment

by:anarine
ID: 22842327
If I put the public IP on the ASA5505 interface, will I still need to bridge the DSL routers?
0

Author Comment

by:anarine
ID: 22842341
If I put the static public IP on the ASA5505 interface, will I still need to bridge the DSL routers?

The DSL modem is Speedstream 5500
0
 
LVL 13

Expert Comment

by:Quori
ID: 22844886
Yes. That will essentially turn the DSL router into a CSU/DSU.
0
 

Author Comment

by:anarine
ID: 22845568
DAKARG, you said "you just need to get the public IP on the ASA interface. There is no advantages to NATing on the DSL router, this can all be done with much better control in the ASA5505"
If I purchase a static IP and place this on the ASA5505 interface, will I need to bother with
whether or not the ADSL modems support NAT traversal or VPN passthrough?

I'm not sure but maybe this person has had a similar problem ? -
http://www.experts-exchange.com/Security/Software_Firewalls/Q_21690643.html
0
 
LVL 5

Expert Comment

by:rexxus
ID: 22846804
If you have the Speedstream in bridge mode, and therefore the ASA with the public address, you don't have to worry about NAT traversal or VPN passthrough, as the DSL router effectively becomes a media converter.
0
 

Author Comment

by:anarine
ID: 22848824
I saw the option on the Speedstream modem to change to Bridge mode. However, when I click "bridge" there are no options to set and the DSL loses connection to the internet.
How is the bridge to be configured?
0
 
LVL 5

Expert Comment

by:rexxus
ID: 22849697
You need the other devices in place when you convert to Bridge mode.
0
 

Author Comment

by:anarine
ID: 22852459
I should be able to get static IPs for the sites.
If I cannot get the bridge to work, what are my options? Does this mean the ASA VPN will not work in my scenario?
0
 

Expert Comment

by:DAKARG
ID: 22854488
You are going to need static IPs on the ASAs in order to make the site-to-site VPN work. The site-to-site VPN will not work through the DSL router NAT.

You can make a PC client to VPN server connection through the router with NAT turned on, but the site-to-site will not work.
0
 

Expert Comment

by:DAKARG
ID: 22854528
Missed this question: will I need to bother with
whether or not the ADSL modems support NAT traversal or VPN passthrough?

If you put the DSL router in bridged mode you will not need to worry about the NAT traversal or VPN passthrough. In bridged mode it is really just a media converter; there is a little more to it, but for simplicity purposes it will just pass all traffic to the ASA.
0
 

Author Comment

by:anarine
ID: 22860735
My last question:
If I get static IPs for both sites, do I still need to bridge the DSL routers? The ASA will have a public IP but the DSL router will still be in front.
0
 
LVL 5

Expert Comment

by:rexxus
ID: 22860988
Yes, you will still need to bridge the DSL routers.

The DSL routers become a DSL to Ethernet converter and all they'll do is convert from one media type to another. The ASAs will then deal with the IP traffic/VPNs/routing etc.

You need the DSL routers, in bridged mode, to terminate the DSL connection and the ASAs to perform the VPN.
0
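To make the layout rexxus describes concrete, here is an added example of what the site A ASA 5505 configuration looks like once the DSL router is bridged and the ISP-assigned static address sits on the ASA's outside interface. This is not configuration from the thread or from Cisco; it uses ASA 8.0/8.2-era syntax (the `nat (inside) 0 access-list` exemption and `global` lines were replaced by object NAT from 8.3 onward) and constructed RFC 5737 documentation addresses: 203.0.113.216/30 for site A's outside interface with the ISP gateway at .217, 198.51.100.10 for the site B peer, 192.168.10.0/24 and 192.168.20.0/24 for the two LANs, and a placeholder pre-shared key.

```cisco
! Site A ASA 5505 - constructed example, ASA 8.0/8.2-era syntax.
! Addresses are RFC 5737 documentation ranges, not the thread's real values.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
! Outside VLAN carries the ISP-assigned static address. With the DSL router
! bridged, the ISP gateway (.217) is directly reachable on this segment and
! nothing NATs the IPsec traffic before it leaves the site.
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.216 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
route outside 0.0.0.0 0.0.0.0 203.0.113.217 1
!
! LAN-to-LAN traffic: this ACL both selects what enters the tunnel and
! exempts it from NAT, so the remote site sees real private addresses.
access-list L2L-TRAFFIC extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list L2L-TRAFFIC
!
! All other LAN traffic is PAT'ed to the outside address: NAT lives on the
! ASA, not on the DSL router.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! Phase 1 (ISAKMP) - AES-256/SHA-1/DH group 2 with a pre-shared key.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! Site B peer; REPLACE-WITH-STRONG-PSK is a placeholder, use a long random key.
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key REPLACE-WITH-STRONG-PSK
!
! Phase 2 (IPsec) - ESP with AES-256 and SHA-1 HMAC, PFS enabled.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 198.51.100.10
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 10 set pfs group2
crypto map OUTSIDE-MAP interface outside
```

Site B mirrors this with the LAN networks, outside address and peer address swapped; the pre-shared key and the ISAKMP/IPsec proposals must match on both ends. After sending traffic between the LANs, `show crypto isakmp sa` should list the peer in an established state and `show crypto ipsec sa` should show encap/decap counters rising. If a DSL router cannot be bridged and stays in NAT mode, the ASA's `crypto isakmp nat-traversal` command (NAT-T, ESP encapsulated in UDP/4500) is the mechanism that exists for that case, but the bridged design above removes the dependency on the DSL router's NAT behaviour altogether, which is why the thread recommends it.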
 

Author Comment

by:anarine
ID: 22884904
I have a static public IP on the ASA device. The DSL in front of the ASA also has a public static IP.
The gateway of the ASA is the IP of the DSL.
Am I correct to assume that the DSL router is already in bridged mode?
0
 
LVL 5

Expert Comment

by:rexxus
ID: 22891284
Depends: on the WAN interface, did you select "RFC-2684 Bridged/IP"? If so, then yes.

The configuration guide for the Speedstream can be found at

http://www2.windstream.net/downloads/links/SpeedStream211.pdf

Page 33 is configuration info for the WAN connection.

When you say static public address, do you mean you manually entered the address or that it is the static address assigned to you by your ISP?
0
 

Author Comment

by:anarine
ID: 22891516
On the ASA I have the address assigned by the ISP. They have told me to assign this address to an internal device. The public IP on the ASA is x.x.x.216 and the IP on the DSL router is public x.x.x.217
Subnet 255.255.255.252

The DSL router they have provided is a ZHONE brand. I do not have access to the web interface
on the router. Do you think it is bridged?

0
 
LVL 5

Expert Comment

by:rexxus
ID: 22894696
Sounds like it is bridged, you should be all good to go.
0
 

Author Comment

by:anarine
ID: 22971366
Unfortunately it is not bridged, I discovered that the Internal server has a public ip itself.
0
 
LVL 5

Expert Comment

by:rexxus
ID: 22973052
Zhone user manuals can be found at:

http://www.zhone.com/support/manuals/router_manuals

If you look for your Zhone model number on the above page you should find bridge configuration guidelines. If you do not manage the device, ask your ISP to switch it to bridged mode.
0
 

Author Comment

by:anarine
ID: 22974458
If my internal ISA server has a public IP, then there would be no need to bridge the DSL, I figure?
0
 
LVL 5

Expert Comment

by:rexxus
ID: 22975318
Depends on whether your internal server is getting the address via DHCP or you are manually assigning it.

If your internet access is working then you should be good to go.
0
 

Author Comment

by:anarine
ID: 22975504
The IP is manually assigned. Have you heard of ADSLNATION's X-MODEM ?
0
 
LVL 5

Expert Comment

by:rexxus
ID: 22991589
Not aware of it, no, sorry.
0
 

Author Comment

by:anarine
ID: 22992989
One site is currently a dynamic public IP and the NAT is on the DSL router. The other site is
a static public IP and the NAT is on the internal server. I am hoping that if both sites have a static IP then there would be no NAT on the DSL, and no need to bridge, and the VPN will be established directly from one site to the other. Thanks to all.
0