NAT incoming VPN connection to Firewalls outside interface

MrPrince
Hi,

I have a client who's recently purchased a Cisco 2811 to place in front of their ASA firewall to act as a perimeter router. Their firewall terminates their VPN connection, and now since the perimeter router is in place the firewall's outside interface is no longer internet facing. How do I NAT through an IPSEC VPN connection to the firewall? They don't want to move the VPN termination to the 2811. Also, to make matters worse, they only have one statically assigned IP.

I've done this before but simply NAT'd a whole IP address through since that client had plenty to spare...

Thanks.
Are you saying that the one statically assigned IP address is now used by the router's outside interface to talk with the ISP?  Asking this because you said they only have one IP.

Author

Commented:
Correct. Strange getting only one, but it's a case of their ISP issuing a static mapping through their DHCP servers. This is TELUS btw.
I do not see how you can do this as the NATing on the router will change the hash and thus kill the IPSec tunnel. I would tell your client that they need to get with their ISP and acquire a point-to-point that they currently have as well as a second small block that they can use to create an IPSec tunnel.

Author

Commented:
So there's no way to forward IPSEC traffic to the external interface of the ASA? I did do this before with a simple static NAT rule similar to:

ip nat inside source static [external PIX IP] [External routable IP]

What about something like:

ip nat inside source static tcp [external PIX IP] [IPSEC Protocol(s)] interface FastEthernet0 [IPSEC Protocol(s)]
You could try, but the packet is being changed in the NAT process and this would change the hash, and I believe that the IPSec devices will drop that packet's response.

Author

Commented:
Would that NAT statement be right then? Is the protocol IPSEC, or would it be something else?
The above NAT statement is not going to work because IPsec is comprised of UDP and/or TCP, plus possibly protocol 50 and 51, depending on your config. You can port forward/NAT the TCP and UDP but not the ESP (50) or AH (51), because they don't have ports like TCP and UDP.

So you would need to NAT all traffic from one IP to another, and this will cause IPsec to fail. You need to get the public address on the firewall interface, or get some more addresses.

Author

Commented:
Thanks.
