CISCO ASA 5505 behind NAT router

Posted on 2008-10-30
Last Modified: 2010-10-07
Hello everyone,
I am planning to buy 2 Cisco ASA5505 devices so that I can set up a site-to-site VPN between 2 branches. In each branch there is currently an ADSL router that provides internet to internal users.
The DSL routers are running NAT.

I am wondering if the Cisco ASA 5505 can work as a VPN server behind the NAT router.
Will the IPsec site-to-site VPN work through these DSL routers?

Do I go ahead with the purchase?
Question by:anarine
25 Comments
 
LVL 5

Expert Comment

by:rexxus
ID: 22840565
Really depends on the 2 dsl routers that you have.

If they are Cisco devices and you manage them you don't need the ASAs, as you can set up a site-to-site VPN on the routers (depends on IOS level).

Most other devices that I've seen have some sort of configuration option to allow VPN passthrough/traversal.

The other option you'd have is to turn on bridging mode on the DSL routers and let the firewalls handle the routing.

If you could provide more information about the dsl routers make and model I could give you a more specific answer.

Accepted Solution

by:
DAKARG earned 100 total points
ID: 22841746
You need to put the DSL routers in bridged mode, assign the public IP directly to the ASA and do your NAT on the ASA. Also, in order for the site-to-site VPN to work correctly you need to have static IPs from your ISP.

The ASA 5505 at each site for site-to-site VPN is a workable solution; you just need to get the public IP on the ASA interface. There are no advantages to NATing on the DSL router; this can all be done with much better control in the ASA5505.

Author Comment

by:anarine
ID: 22842327
If I put the public IP on the ASA5505 interface, will I still need to bridge the DSL routers?

Author Comment

by:anarine
ID: 22842341
If I put the static public IP on the ASA5505 interface, will I still need to bridge the DSL routers?

The DSL modem is Speedstream 5500
LVL 13

Expert Comment

by:Quori
ID: 22844886
Yes. That will essentially turn the DSL router into a CSU/DSU.

Author Comment

by:anarine
ID: 22845568
DAKARG, you said "you just need to get the public IP on the ASA interface. There is no advantages to NATing on the DSL router, this can all be done with much better control in the ASA5505"
If I purchase a static IP and place this on the ASA5505 interface, will I need to bother with whether or not the ADSL modems support NAT traversal or VPN passthrough?

I'm not sure but maybe this person has had a similar problem ? -
http://www.experts-exchange.com/Security/Software_Firewalls/Q_21690643.html
LVL 5

Expert Comment

by:rexxus
ID: 22846804
If you have the SpeedStream in bridge mode, and therefore the ASA with the public address, you don't have to worry about NAT traversal or VPN passthrough, as the DSL router effectively becomes a media converter.

Author Comment

by:anarine
ID: 22848824
I saw the option on the speedstream modem to change to Bridge mode. However when I click "bridge" there are no options to set and the DSL loses connection to the internet.
How is the bridge to be configured?
LVL 5

Expert Comment

by:rexxus
ID: 22849697
You need the other devices in place when you convert to Bridge mode.

Author Comment

by:anarine
ID: 22852459
I should be able to get static IPs for the sites.
If I cannot get the bridge to work, what are my options? Does this mean the ASA VPN will not work in my scenario?

Expert Comment

by:DAKARG
ID: 22854488
You are going to need static IPs on the ASAs in order to make the site-to-site VPN work. The site-to-site VPN will not work through the DSL router NAT.

You can make a PC client to VPN server connection through the Router with NAT turned on but the site-to-site will not work.

Expert Comment

by:DAKARG
ID: 22854528
Missed this question: will I need to bother with whether or not the ADSL modems support NAT traversal or VPN passthrough?

If you put the DSL router in bridged mode you will not need to worry about NAT traversal or VPN passthrough. In bridged mode it is really just a media converter; there is a little more to it, but for simplicity's sake it will just pass all traffic to the ASA.

Author Comment

by:anarine
ID: 22860735
My last question:
If I get static IPs for both sites, do I still need to bridge the DSL routers? The ASA will have a public IP but the DSL router will still be in front.
LVL 5

Expert Comment

by:rexxus
ID: 22860988
Yes you will still need to bridge the DSL routers.

The DSL routers become a DSL-to-Ethernet converter and all they'll do is convert from one media type to another. The ASAs will then deal with the IP traffic, VPNs, routing etc.

You need the DSL routers, in bridged mode, to terminate the DSL connection and the ASAs to perform the VPN.

Author Comment

by:anarine
ID: 22884904
I have a static public IP on the ASA device. The DSL router in front of the ASA also has a public static IP.
The gateway of the ASA is the IP of the DSL router.
Am I correct to assume that the DSL router is already in bridged mode?
LVL 5

Expert Comment

by:rexxus
ID: 22891284
It depends: on the WAN interface, did you select "RFC-2684 Bridged/IP"? If so, then yes.

The configuration guide for the SpeedStream can be found at:

http://www2.windstream.net/downloads/links/SpeedStream211.pdf

Page 33 is configuration info for the WAN connection.

When you say static public address, do you mean you manually entered the address or that it is the static address assigned to you by your ISP?

Author Comment

by:anarine
ID: 22891516
On the ASA I have the address assigned by the ISP. They have told me to assign this address to an internal device. The public IP on the ASA is x.x.x.216 and the IP on the DSL router is public x.x.x.217,
subnet 255.255.255.252.

The DSL router they have provided is a Zhone brand. I do not have access to the web interface on the router. Do you think it is bridged?

LVL 5

Expert Comment

by:rexxus
ID: 22894696
Sounds like it is bridged; you should be all good to go.
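An added example, not code from this thread, from Cisco or from any of the posters: the question the accepted solution and the x.x.x.216/.217 exchange above turn on is whether the ASA's outside interface really holds a public, un-NATed address. The small Python check below takes the outside address, mask and gateway as they would be entered on the ASA, flags RFC 1918 and carrier-grade NAT (100.64.0.0/10) addresses as "a NAT device is in front of you" (so bridge mode on the DSL router is needed, per the advice above), confirms the address is a usable host of its subnet and that the gateway is on-link, and lists what the upstream device has to pass for a site-to-site IPsec tunnel (UDP/500 for IKE, IP protocol 50 for ESP, and UDP/4500 NAT-T only when a NAT is in the path). The function names are mine and the sample addresses are constructed from the 203.0.113.0/24 documentation range; substitute the real prefix to test a live pair.

```python
"""Is the firewall's outside interface on a public, un-NATed address?

Added example for the thread above; not Cisco's code and not posted by
anyone in the thread. Feed it the outside address, netmask and default
gateway as they would be entered on the ASA.
"""
import ipaddress

# Address space that is only ever seen on the inside of a NAT device:
# RFC 1918 private ranges plus the RFC 6598 carrier-grade NAT range.
NAT_SIDE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),
]

# Traffic a site-to-site IPsec tunnel needs end to end.
IKE = "UDP/500 (IKE)"
ESP = "IP protocol 50 (ESP)"
NAT_T = "UDP/4500 (IPsec NAT-T, needed only when a NAT sits in the path)"


def is_nat_side_address(ip):
    """True if the address comes from RFC 1918 or CGNAT space."""
    return any(ip in net for net in NAT_SIDE_RANGES)


def classify_outside(address, netmask, gateway):
    """Classify where the outside interface sits and return the findings.

    Verdicts:
      behind-nat            private/CGNAT address: a NAT device is in front
      invalid-host-address  address is the subnet's network/broadcast address
      gateway-not-on-link   gateway is not a different host in the same subnet
      public-no-nat-seen    public address with a sane gateway: nothing is
                            rewriting this hop (bridged or plainly routed DSL)
    """
    iface = ipaddress.ip_interface(f"{address}/{netmask}")
    net = iface.network
    gw = ipaddress.ip_address(gateway)

    findings = {
        "interface": str(iface),
        "nat_side_address": is_nat_side_address(iface.ip),
        # /31 point-to-point links (RFC 3021) have no network/broadcast
        # address, so only check that on prefixes shorter than /31.
        "valid_host": net.prefixlen >= 31
        or iface.ip not in (net.network_address, net.broadcast_address),
        "gateway_on_link": gw in net and gw != iface.ip,
    }

    if findings["nat_side_address"]:
        findings["verdict"] = "behind-nat"
        findings["needs_bridge_mode"] = True
        findings["upstream_must_pass"] = [IKE, ESP, NAT_T]
    elif not findings["valid_host"]:
        findings["verdict"] = "invalid-host-address"
        findings["needs_bridge_mode"] = None
        findings["upstream_must_pass"] = []
    elif not findings["gateway_on_link"]:
        findings["verdict"] = "gateway-not-on-link"
        findings["needs_bridge_mode"] = None
        findings["upstream_must_pass"] = []
    else:
        findings["verdict"] = "public-no-nat-seen"
        findings["needs_bridge_mode"] = False
        findings["upstream_must_pass"] = [IKE, ESP]
    return findings


if __name__ == "__main__":
    # Constructed samples from the 203.0.113.0/24 documentation range.
    samples = [
        ("203.0.113.217", "255.255.255.252", "203.0.113.218"),  # ASA on a /30
        ("192.168.1.10", "255.255.255.0", "192.168.1.1"),       # behind DSL NAT
        ("203.0.113.216", "255.255.255.252", "203.0.113.217"),  # .216 is the /30's network address
    ]
    for addr, mask, gw in samples:
        f = classify_outside(addr, mask, gw)
        print(f"{f['interface']:<20} -> {f['verdict']}; bridge needed: {f['needs_bridge_mode']}")
        for item in f["upstream_must_pass"]:
            print(f"    upstream must pass {item}")
```

The "valid_host" check is the one to watch when reading a /30 off an ISP worksheet: with a 255.255.255.252 mask the lowest of the four addresses is the network address, not a usable host, and a pair that lands there is worth querying with the ISP before concluding anything about bridging.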

Author Comment

by:anarine
ID: 22971366
Unfortunately it is not bridged; I discovered that the internal server has a public IP itself.
LVL 5

Expert Comment

by:rexxus
ID: 22973052
Zhone user manuals can be found at:

http://www.zhone.com/support/manuals/router_manuals

If you look for your Zhone model number on the above page you should find bridge configuration guidelines. If you do not manage the device, ask your ISP to switch it to bridged mode.

Author Comment

by:anarine
ID: 22974458
If my internal ISA server has a public IP then there would be no need to bridge the DSL router, I figure?
LVL 5

Expert Comment

by:rexxus
ID: 22975318
It depends on whether your internal server is getting the address via DHCP or you are manually assigning it.

If your internet access is working then you should be good to go.

Author Comment

by:anarine
ID: 22975504
The IP is manually assigned. Have you heard of ADSLNATION's X-MODEM ?
LVL 5

Expert Comment

by:rexxus
ID: 22991589
Not aware of it, no, sorry.

Author Comment

by:anarine
ID: 22992989
One site currently has a dynamic public IP and the NAT is on the DSL router. The other site has a static public IP and the NAT is on the internal server. I am hoping that if both sites have a static IP then there would be no NAT on the DSL router, no need to bridge, and the VPN will be established directly from one site to the other. Thanks to all.