Solved

CISCO ASA 5505 behind NAT router

Posted on 2008-10-30
25
5,189 Views
Last Modified: 2010-10-07
Hello everyone,
  I am planning to buy 2 Cisco ASA 5505 devices so that I can set up a site-to-site VPN between 2 branches. In each branch there is currently an ADSL router that provides internet to internal users.
The DSL routers are running NAT.

I am wondering if the Cisco ASA 5505 can work as a VPN server behind the NAT router.
Will the IPsec site-to-site VPN work through these DSL routers?

Do I go ahead with the purchase ?
Question by:anarine
25 Comments
LVL 5

Expert Comment

by:rexxus
ID: 22840565
Really depends on the 2 DSL routers that you have.

If they are Cisco devices and you manage them you don't need the ASAs, as you can set up a site-to-site VPN on the routers (depends on IOS level).

Most other devices that I've seen have some sort of configuration option to allow VPN passthrough/traversal.

The other option you'd have is to turn on bridging mode on the DSL routers and let the firewalls handle the routing.

If you could provide more information about the DSL routers' make and model I could give you a more specific answer.

Accepted Solution

by:
DAKARG earned 100 total points
ID: 22841746
You need to put the DSL routers in bridged mode, assign the public IP directly to the ASA and start doing your NAT on the ASA. Also, in order for the site-to-site VPN to work correctly, you need to have static IPs from your ISP.

The ASA 5505 at each site for site-to-site VPN is a workable solution; you just need to get the public IP on the ASA interface. There are no advantages to NATing on the DSL router; this can all be done with much better control in the ASA 5505.

Author Comment

by:anarine
ID: 22842327
If I put the public IP on the ASA 5505 interface, will I still need to bridge the DSL routers?

Author Comment

by:anarine
ID: 22842341
If I put the static public IP on the ASA 5505 interface, will I still need to bridge the DSL routers?

The DSL modem is a SpeedStream 5500.
LVL 13

Expert Comment

by:Quori
ID: 22844886
Yes. That will essentially turn the DSL router into a CSU/DSU.

Author Comment

by:anarine
ID: 22845568
DAKARG, you said "you just need to get the public IP on the ASA interface. There is no advantages to NATing on the DSL router, this can all be done with much better control in the ASA5505".
If I purchase a static IP and place this on the ASA 5505 interface, will I need to bother with whether or not the ADSL modems support NAT traversal or VPN passthrough?

I'm not sure but maybe this person has had a similar problem ? -
http://www.experts-exchange.com/Security/Software_Firewalls/Q_21690643.html
LVL 5

Expert Comment

by:rexxus
ID: 22846804
If you have the SpeedStream in bridge mode, and therefore the ASA with the public address, you don't have to worry about NAT traversal or VPN passthrough, as the DSL router effectively becomes a media converter.

Author Comment

by:anarine
ID: 22848824
I saw the option on the SpeedStream modem to change to bridge mode. However, when I click "bridge" there are no options to set, and the DSL loses connection to the internet.
How is the bridge to be configured?
LVL 5

Expert Comment

by:rexxus
ID: 22849697
You need the other devices in place when you convert to Bridge mode.

Author Comment

by:anarine
ID: 22852459
I should be able to get static IPs for the sites.
If I cannot get the bridge to work, what are my options? Does this mean the ASA VPN will not work in my scenario?

Expert Comment

by:DAKARG
ID: 22854488
You are going to need static IPs on the ASAs in order to make the site-to-site VPN work. The site-to-site VPN will not work through the DSL router NAT.

You can make a PC client to VPN server connection through the router with NAT turned on, but the site-to-site will not work.

Expert Comment

by:DAKARG
ID: 22854528
Missed this question: will I need to bother with whether or not the ADSL modems support NAT traversal or VPN passthrough?

If you put the DSL router in bridged mode you will not need to worry about NAT traversal or VPN passthrough. In bridged mode it is really just a media converter; there is a little more to it, but for simplicity purposes it will just pass all traffic to the ASA.

Author Comment

by:anarine
ID: 22860735
My last question:
If I get static IPs for both sites, do I still need to bridge the DSL routers? The ASA will have a public IP, but the DSL router will still be in front.
LVL 5

Expert Comment

by:rexxus
ID: 22860988
Yes, you will still need to bridge the DSL routers.

The DSL routers become a DSL-to-Ethernet converter, and all they'll do is convert from one media type to another. The ASAs will then deal with the IP traffic/VPNs/routing etc.

You need the DSL routers, in bridged mode, to terminate the DSL connection and the ASAs to perform the VPN.
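As an added example (not from the original thread or from any of the posters), here is what the design DAKARG's accepted solution and rexxus's explanations describe looks like on an ASA 5505: the DSL modem bridged, a static public IP on the ASA's outside interface, NAT done on the ASA, and the site-to-site IPsec tunnel terminating on the ASA. All addresses (RFC 5737 documentation ranges), interface names, ACL names and the pre-shared key are placeholders; the syntax is the pre-8.3 ASA 7.x/8.0 style that matches the 2008 timeframe of the thread.

```cisco
! ---- Site A: ASA 5505, DSL modem in bridge mode ----
! Hypothetical addressing (RFC 5737 documentation ranges):
!   Site A outside 203.0.113.10/29, ISP gateway 203.0.113.9,  LAN 192.168.1.0/24
!   Site B outside 198.51.100.20/29, ISP gateway 198.51.100.17, LAN 192.168.2.0/24
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
interface Ethernet0/0
 switchport access vlan 2
! With the modem bridged, the default gateway is the ISP's router, not the modem
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1
!
! Internet access: PAT everything from the LAN to the outside interface address.
! This is the NAT that used to live on the DSL router.
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
!
! NAT exemption: LAN-to-remote-LAN traffic must keep its private addresses,
! otherwise it is PATed to 203.0.113.10 and never matches the crypto ACL.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Interesting traffic for the tunnel (mirror image of the ACL at site B)
access-list VPN-TO-SITEB extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!
! IKE phase 1
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! IPsec phase 2, bound to the outside interface
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TO-SITEB
crypto map OUTSIDE-MAP 10 set peer 198.51.100.20
crypto map OUTSIDE-MAP 10 set transform-set AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
! Peer definition; the static peer address is the tunnel-group name,
! which is why both sites need static public IPs for this form of the config
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-SECRET
!
! ---- Site B: identical structure, addresses swapped ----
! interface Vlan1 ... ip address 192.168.2.1 255.255.255.0
! interface Vlan2 ... ip address 198.51.100.20 255.255.255.248
! route outside 0.0.0.0 0.0.0.0 198.51.100.17 1
! nat (inside) 1 192.168.2.0 255.255.255.0
! access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
! access-list VPN-TO-SITEA extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
! crypto map OUTSIDE-MAP 10 match address VPN-TO-SITEA
! crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
! tunnel-group 203.0.113.10 type ipsec-l2l   (same pre-shared key)
!
! ---- Verification from site A ----
! packet-tracer input inside icmp 192.168.1.10 8 0 192.168.2.10
!   -> the NAT phase should reference the NONAT exemption, not the PAT rule,
!      and the VPN phase should be ALLOW
! show crypto isakmp sa     (the SA should reach state MM_ACTIVE)
! show crypto ipsec sa      (#pkts encaps / #pkts decaps should increase)
```

The line that is most often missed when NAT moves from the modem onto the ASA is the `nat (inside) 0 access-list NONAT` exemption: without it, traffic for the remote LAN is PATed to the outside address before the crypto map sees it, and the tunnel simply never comes up for that flow. Because the bridged modem puts no NAT between the two ASAs, no NAT-T or passthrough setting is involved; if a modem cannot be bridged but is routing a public /30 to the ASA without translating, IPsec still terminates on the ASA as long as the modem forwards ESP (IP protocol 50) and UDP/500 unmodified, and only a translating modem forces UDP/4500 encapsulation, which the ASA controls with `crypto isakmp nat-traversal`. On ASA 8.3 and later the NAT syntax changes to object-based rules (the exemption becomes a twice NAT statement such as `nat (inside,outside) source static LAN-A LAN-A destination static LAN-B LAN-B`), and on a current ASA you would prefer IKEv2 (`crypto ikev2`) with SHA-2 and a Diffie-Hellman group of 14 or higher over the SHA-1/group 2 policy shown here, which reflects the 2008-era defaults.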

Author Comment

by:anarine
ID: 22884904
I have a static public IP on the ASA device. The DSL in front of the ASA also has a public static IP.
The gateway of the ASA is the IP of the DSL.
Am I correct to assume that the DSL router is already in bridged mode?
LVL 5

Expert Comment

by:rexxus
ID: 22891284
Depends: on the WAN interface, did you select "RFC-2684 Bridged/IP"? If so, then yes.

The configuration guide for the SpeedStream can be found at

http://www2.windstream.net/downloads/links/SpeedStream211.pdf

Page 33 is configuration info for the WAN connection.

When you say static public address, do you mean you manually entered the address, or that it is the static address assigned to you by your ISP?

Author Comment

by:anarine
ID: 22891516
On the ASA I have the address assigned by the ISP. They have told me to assign this address to an internal device. The public IP on the ASA is x.x.x.216 and the IP on the DSL router is public x.x.x.217.
Subnet 255.255.255.252

The DSL router they have provided is a ZHONE brand. I do not have access to the web interface on the router. Do you think it is bridged?
LVL 5

Expert Comment

by:rexxus
ID: 22894696
Sounds like it is bridged; you should be all good to go.

Author Comment

by:anarine
ID: 22971366
Unfortunately it is not bridged; I discovered that the internal server has a public IP itself.
LVL 5

Expert Comment

by:rexxus
ID: 22973052
Zhone user manuals can be found at:

http://www.zhone.com/support/manuals/router_manuals

If you look for your Zhone model number on the above page you should find bridge configuration guidelines. If you do not manage the device, ask your ISP to switch it to bridged mode.

Author Comment

by:anarine
ID: 22974458
If my internal ISA server has a public IP, then there would be no need to bridge the DSL, I figure?
LVL 5

Expert Comment

by:rexxus
ID: 22975318
Depends on whether your internal server is getting the address via DHCP or you are manually assigning it.

If your internet access is working then you should be good to go.

Author Comment

by:anarine
ID: 22975504
The IP is manually assigned. Have you heard of ADSLNATION's X-MODEM?
LVL 5

Expert Comment

by:rexxus
ID: 22991589
Not aware of it, no, sorry.

Author Comment

by:anarine
ID: 22992989
One site currently has a dynamic public IP and the NAT is on the DSL router. The other site has a static public IP and the NAT is on the internal server. I am hoping that if both sites have a static IP then there would be no NAT on the DSL, no need to bridge, and the VPN will be established directly from one site to the other. Thanks to all.