Solved

CISCO ASA 5505 behind NAT router

Posted on 2008-10-30
25
5,146 Views
Last Modified: 2010-10-07
Hello everyone,
  I am planning to buy 2 Cisco ASA5505 devices so that I can set up a site-to-site VPN between 2 branches. In each branch there is currently an ADSL router that provides internet to internal users.
The DSL routers are running NAT.

I am wondering if the Cisco ASA 5505 can work as a VPN server behind the NAT router.
Will the ipsec site to site vpn work through these DSL routers ?

Do I go ahead with the purchase ?
Question by:anarine
25 Comments
 
LVL 5

Expert Comment

by:rexxus
Really depends on the 2 dsl routers that you have.

If they are cisco devices and you manage them you don't need the ASA's, as you can set up a site to site vpn on the routers (depends on IOS level).

Most other devices that I've seen have some sort of configuration option to allow VPN passthrough/traversal.

Other option you'd have is to turn bridging mode on on the dsl routers and let the firewalls handle the routing.

If you could provide more information about the dsl routers make and model I could give you a more specific answer.
 

Accepted Solution

by:
DAKARG earned 100 total points
You need to put the DSL routers in bridged mode, assign the public IP directly to the ASA and start doing your NAT on the ASA. Also, in order for the site-to-site VPN to work correctly you need to have static IPs from your ISP.

The ASA 5505 at each site for site-to-site VPN is a workable solution; you just need to get the public IP on the ASA interface. There are no advantages to NATing on the DSL router; this can all be done with much better control in the ASA 5505.
 

Author Comment

by:anarine
If I put the public IP on the ASA 5505 interface, will I still need to bridge the DSL routers?
 

Author Comment

by:anarine
If I put the static public IP on the ASA 5505 interface, will I still need to bridge the DSL routers?

The DSL modem is a Speedstream 5500.
 
LVL 13

Expert Comment

by:Quori
Yes. That will essentially turn the DSL router into a CSU/DSU.
 

Author Comment

by:anarine
DAKARG, you said "you just need to get the public IP on the ASA interface. There are no advantages to NATing on the DSL router; this can all be done with much better control in the ASA 5505."
If I purchase a static IP and place this on the ASA 5505 interface, will I need to bother with whether or not the ADSL modems support NAT traversal or VPN passthrough?

I'm not sure but maybe this person has had a similar problem ? -
http://www.experts-exchange.com/Security/Software_Firewalls/Q_21690643.html
 
LVL 5

Expert Comment

by:rexxus
If you have the Speedstream in bridge mode, and therefore the ASA with the public address, you don't have to worry about NAT traversal or VPN passthrough, as the DSL router effectively becomes a media converter.
 

Author Comment

by:anarine
I saw the option on the Speedstream modem to change to bridge mode. However, when I click "bridge" there are no options to set and the DSL loses its connection to the internet.
How is the bridge to be configured?
 
LVL 5

Expert Comment

by:rexxus
You need the other devices in place when you convert to Bridge mode.
 

Author Comment

by:anarine
I should be able to get static IPs for the sites.
If I cannot get the bridge to work, what are my options? Does this mean the ASA VPN will not work in my scenario?
 

Expert Comment

by:DAKARG
You are going to need static IPs on the ASAs in order to make the site-to-site VPN work. The site-to-site VPN will not work through the DSL router NAT.

You can make a PC client to VPN server connection through the router with NAT turned on, but the site-to-site will not work.
 

Expert Comment

by:DAKARG
Missed this question: will I need to bother with whether or not the ADSL modems support NAT traversal or VPN passthrough?

If you put the DSL router in bridged mode you will not need to worry about NAT traversal or VPN passthrough. In bridged mode it is really just a media converter; there is a little more to it, but for simplicity purposes it will just pass all traffic to the ASA.

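The accepted solution and the bridged-mode follow-up above describe the target design only in words: DSL device in bridged mode, the ISP-assigned static public address on the ASA's outside interface, NAT performed on the ASA, and an IPsec site-to-site tunnel between the two ASAs. The configuration below is an added example written for this page, not something posted by DAKARG or rexxus. It uses the pre-8.3 ASA syntax that was current when this thread was written (8.3 and later replace the `nat (inside) 0 access-list` exemption with object NAT), documentation addresses from RFC 5737 for the public side, invented LAN ranges, arbitrary interface, ACL and crypto-map names, and a placeholder pre-shared key. The far site mirrors it with the addresses swapped. One caveat the thread does not mention: `crypto isakmp nat-traversal` turns on IKE NAT-T (ESP carried in UDP/4500), which does allow a tunnel to come up through an intervening NAT device provided the ASA behind the NAT initiates, or the NAT forwards UDP/500 and UDP/4500 to it; bridging the modem is still the cleaner design because it removes the second NAT and the dependency on that device's passthrough behaviour entirely.

```cisco
! Added example (not from the thread). Pre-8.3 ASA 5505 syntax; every address,
! name and the pre-shared key below is a placeholder.
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! The ISP-assigned public address goes here, on the ASA, because the DSL
! device is bridged and no longer owns it.
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.252
!
! Default route to the ISP gateway on the public /30, not to a private
! address on the DSL device.
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1
!
! Interesting traffic: local LAN to remote LAN. The same ACL is used both
! for NAT exemption and as the crypto map's match address.
access-list L2L_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!
! NAT is done on the ASA: PAT everything to the outside address, but exempt
! LAN-to-LAN traffic so it enters the tunnel with its real source address.
! Without the exemption the crypto map never matches the translated packets.
nat (inside) 0 access-list L2L_TRAFFIC
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! IKEv1 phase 1. NAT-T costs nothing when both ends are on public addresses
! and saves the tunnel if one end ever has to sit behind a NAT device.
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! IPsec phase 2 with PFS so each IPsec SA gets a fresh DH exchange.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 198.51.100.20
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 10 set pfs group2
crypto map OUTSIDE_MAP interface outside
!
! The tunnel-group name is the peer's IKE address as this ASA sees it. If
! the peer were behind a NAT, that would be the NAT's public address.
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-SECRET
```

To check the result, generate traffic from one LAN to the other (the tunnel is built on demand) and then run `show crypto isakmp sa` on either ASA; the peer should show in state MM_ACTIVE. `show crypto ipsec sa` then lists the phase 2 SA with the encap/decap counters increasing. If phase 1 never completes, confirm that the outside interface really holds the public address (`show interface outside` should show the ISP address, not a 192.168.x.x or 10.x.x.x address handed out by the modem) before suspecting the crypto settings. The pre-shared key is the entire authentication for this tunnel, so treat it like a password: long, random, unique per peer pair, and never reused across sites.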
 

Author Comment

by:anarine
My last question,
If I get static IPs for both sites, do I still need to bridge the DSL routers? The ASA will have a public IP but the DSL router will still be in front.
 
LVL 5

Expert Comment

by:rexxus
Yes you will still need to bridge the DSL routers.

The DSL routers become a DSL to Ethernet converter and all they'll do is convert from one media type to another. The ASAs will then deal with the IP traffic, VPNs, routing etc.

You need the DSL routers, in bridged mode, to terminate the DSL connection and the ASA's to perform the VPN.
 

Author Comment

by:anarine
I have a static public IP on the ASA device. The DSL in front of the ASA also has a public static IP.
The gateway of the ASA is the IP of the DSL.
Am I correct to assume that the DSL router is already in bridged mode?
 
LVL 5

Expert Comment

by:rexxus
Depends: on the WAN interface, did you select "RFC-2684 Bridged/IP"? If so, then yes.

The configuration guide for the Speedstream can be found at

http://www2.windstream.net/downloads/links/SpeedStream211.pdf

Page 33 is configuration info for the WAN connection.

When you say static public address, do you mean you manually entered the address, or that it is the static address assigned to you by your ISP?
 

Author Comment

by:anarine
On the ASA I have the address assigned by the ISP. They have told me to assign this address to an internal device. The public IP on the ASA is x.x.x.216 and the IP on the DSL router is public x.x.x.217.
Subnet 255.255.255.252

The DSL router they have provided is a ZHONE brand. I do not have access to the web interface on the router. Do you think it is bridged?

 
LVL 5

Expert Comment

by:rexxus
Sounds like it is bridged; you should be all good to go.
 

Author Comment

by:anarine
Unfortunately it is not bridged; I discovered that the internal server has a public IP itself.
 
LVL 5

Expert Comment

by:rexxus
Zhone user manuals can be found at:

http://www.zhone.com/support/manuals/router_manuals

If you look for your Zhone model number on the above page you should find bridge configuration guidelines. If you do not manage the device, ask your ISP to switch it to bridged mode.
 

Author Comment

by:anarine
If my internal ISA server has a public IP, then there would be no need to bridge the DSL, I figure?
 
LVL 5

Expert Comment

by:rexxus
Depends whether your internal server is getting the address via DHCP or you are manually assigning it.

If your internet access is working then you should be good to go.
 

Author Comment

by:anarine
The IP is manually assigned. Have you heard of ADSLNATION's X-MODEM ?
 
LVL 5

Expert Comment

by:rexxus
Not aware of it, no, sorry.
 

Author Comment

by:anarine
One site currently has a dynamic public IP and the NAT is on the DSL router. The other site has a static public IP and the NAT is on the internal server. I am hoping that if both sites have a static IP then there will be no NAT on the DSL, no need to bridge, and the VPN will be established directly from one site to the other. Thanks to all.