Site-to-site IPSec VPN through NAT

This post follows on from the first in this series and looks at how to modify the config if there is NAT along the way as well as reviewing a couple of the verification commands.

I’ve attached the full configs here.

Network Diagram

IPSec with NAT

Premise

A branch office with an ADSL connection would like to access corporate and local resources without running a local client on office machines. Split tunnelling is not required; all traffic must be routed back up to the corporate HQ. Only one static IP has been provided by the ADSL ISP.

Config

We’ll need to port forward UDP 500 (IKE) so that our corporate ASA can connect to the branch ASA. On the ADSL router we use the following NAT rules:

ip nat inside source list LAN interface FastEthernet0/0 overload
ip nat inside source static udp 192.168.1.1 500 interface FastEthernet0/0 500

You’ll see I’ve moved the B-End IP of the IPSec tunnel to the ADSL router so the A-End config doesn’t change. All I need to do is renumber the blue linknet to my chosen RFC1918 subnet of 192.168.1.0/24 and give my ASA a new default route pointing at the ADSL router’s inside interface, and all is well.

Testing

One thing which has bitten me in the past is that an IPSec tunnel won’t come up until you send some interesting traffic down it. Since I’m doing this in GNS3 with VPCS hosts, I’ll open up my crypto map to allow ICMP so that I can bring up the tunnel with some pings.

A-END

access-list OUTSIDE_CRYPTOMAP_10 extended permit icmp any 10.1.0.0 255.255.255.0

B-END

access-list OUTSIDE_CRYPTOMAP_10 extended permit icmp 10.1.0.0 255.255.255.0 any

I also brought up a loopback with IP 8.8.8.8 on R1, to give my host on the other side of the VPN something to ping. Finally, I should say that I’m running OSPF on the two routers either side of the ‘public internet’ cloud, so that the IPSec peers have a route to each other.

First I had a look to see if my IPSec SA had come up:

A# show crypto ipsec sa

There are no ipsec sas

Hmm.

VPCS[1]> ping 8.8.8.8
8.8.8.8 icmp_seq=1 timeout
8.8.8.8 icmp_seq=2 ttl=255 time=60.482 ms
8.8.8.8 icmp_seq=3 ttl=255 time=53.498 ms
8.8.8.8 icmp_seq=4 ttl=255 time=55.094 ms
8.8.8.8 icmp_seq=5 ttl=255 time=47.397 ms

IPSec SA Verification

After bringing up the tunnel by pinging 8.8.8.8 from a host behind the B-END ASA, I was able to verify it (apart from the ICMP Echo Replies I got) as follows:

A# show crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 192.0.2.6

      access-list OUTSIDE_CRYPTOMAP_10 extended permit ip any 10.1.0.0 255.255.255.0 
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
      current_peer: 192.0.2.129

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.0.2.6/500, remote crypto endpt.: 192.0.2.129/500
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: C7F1AEC5
      current inbound spi : 9DE630E8

    inbound esp sas:
      spi: 0x9DE630E8 (2649108712)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 45056, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4055039/28776)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0xC7F1AEC5 (3354504901)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 45056, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4193279/28776)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

A#

Here is how the B-END sees things:

B# show crypto ipsec sa                  
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 192.168.1.1

      access-list OUTSIDE_CRYPTOMAP_10 extended permit ip 10.1.0.0 255.255.255.0 any 
      local ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 192.0.2.6

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.1.1/500, remote crypto endpt.: 192.0.2.6/500
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 8E827434
      current inbound spi : 8471E0F8

    inbound esp sas:
      spi: 0x8471E0F8 (2222055672)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4147198/27959)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x0007FFFF
    outbound esp sas:
      spi: 0x8E827434 (2390914100)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4285438/27959)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

B#

You can also check out the IKEv2 SAs like this:

A# show crypto ikev2 sa

IKEv2 SAs:

Session-id:9, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
 89722291         192.0.2.6/500       192.0.2.129/500      READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK 
      Life/Active Time: 86400/3606 sec
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 10.1.0.0/0 - 10.1.0.255/65535
          ESP spi in/out: 0xa8d47b04/0xfddbc217


B# show crypto ikev2 sa

IKEv2 SAs:

Session-id:9, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
 77759211       192.168.1.1/500         192.0.2.6/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK 
      Life/Active Time: 86400/3526 sec
Child sa: local selector  10.1.0.0/0 - 10.1.0.255/65535
          remote selector 0.0.0.0/0 - 255.255.255.255/65535
          ESP spi in/out: 0xfddbc217/0xa8d47b04
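As an added example (not code from the original post), here is a small Python check that parses the two `show crypto ikev2 sa` listings above and cross-checks them the way you would by eye: both peers READY, one INITIATOR and one RESPONDER, child-SA SPIs mirrored, IKE still on UDP 500 (no NAT-T), and the A-END seeing the NAT router's public address rather than the B-END's private 192.168.1.1. The sample text is trimmed from this page's output; `nat_public_ip` is an assumed parameter you pass in.

```python
import re

# Constructed sample input: the two `show crypto ikev2 sa` listings from this
# post, trimmed to the SA line and the child-SA lines.
A_END = """\
 89722291         192.0.2.6/500       192.0.2.129/500      READY    RESPONDER
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 10.1.0.0/0 - 10.1.0.255/65535
          ESP spi in/out: 0xa8d47b04/0xfddbc217
"""
B_END = """\
 77759211       192.168.1.1/500         192.0.2.6/500      READY    INITIATOR
Child sa: local selector  10.1.0.0/0 - 10.1.0.255/65535
          remote selector 0.0.0.0/0 - 255.255.255.255/65535
          ESP spi in/out: 0xfddbc217/0xa8d47b04
"""

# Tunnel-id, local addr/port, remote addr/port, status, role.
SA_RE = re.compile(r"^\s*\d+\s+([\d.]+)/(\d+)\s+([\d.]+)/(\d+)\s+(\w+)\s+(\w+)\s*$", re.M)
SPI_RE = re.compile(r"ESP spi in/out:\s*0x([0-9a-fA-F]+)/0x([0-9a-fA-F]+)")

def parse_ikev2_sa(text):
    """Pull endpoint, status, role and child-SA SPIs out of one peer's listing."""
    m, s = SA_RE.search(text), SPI_RE.search(text)
    if not (m and s):
        raise ValueError("no IKEv2 SA with a child SA found")
    return {"local": m[1], "local_port": int(m[2]), "remote": m[3],
            "remote_port": int(m[4]), "status": m[5], "role": m[6],
            "spi_in": int(s[1], 16), "spi_out": int(s[2], 16)}

def check_pair(a, b, nat_public_ip):
    """Cross-check the A-END (a) and B-END (b) views; returns a list of findings."""
    findings = []
    for name, sa in (("A", a), ("B", b)):
        if sa["status"] != "READY":
            findings.append(f"{name}: IKE SA status is {sa['status']}, not READY")
    if {a["role"], b["role"]} != {"INITIATOR", "RESPONDER"}:
        findings.append("roles are not one INITIATOR and one RESPONDER")
    # Each side's outbound child SPI must be the other side's inbound SPI.
    if a["spi_out"] != b["spi_in"] or a["spi_in"] != b["spi_out"]:
        findings.append("child SA SPIs are not mirrored between peers")
    # Through NAT, A sees the router's public IP while B still sees A's real one.
    if a["remote"] != nat_public_ip:
        findings.append(f"A's peer is {a['remote']}, expected NAT IP {nat_public_ip}")
    if b["remote"] != a["local"]:
        findings.append(f"B's peer is {b['remote']}, expected A's local {a['local']}")
    # No NAT-T here: both peers still run IKE over UDP 500, as the post notes.
    if a["remote_port"] != 500 or b["local_port"] != 500:
        findings.append("IKE is not on UDP 500 (NAT-T or a port rewrite is in play)")
    return findings
```

Calling `check_pair(parse_ikev2_sa(A_END), parse_ikev2_sa(B_END), "192.0.2.129")` returns an empty list for the output above; any non-empty list is the symptom to chase.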

NAT-T

By default, an ASA will encapsulate both IKEv2 negotiation and the IPSec encrypted packets in UDP 500. If you want to use NAT-T and encapsulate the IPSec packets in UDP 4500, then port forward UDP 4500 on the NAT router and enable NAT-T on each ASA:

NATRouter(config)# ip nat inside source static udp 192.168.1.1 4500 interface FastEthernet0/0 4500
ASA(config)# crypto isakmp nat-traversal

13 thoughts on “Site-to-site IPSec VPN through NAT”

  1. Israr Ahmad

    Good Article … I have a question as well. What software are you using to create network diagram? That is looking awesome.

    Reply
  2. Bill D

    I’m a visual learner in the extreme – not only was your diagram excellent, easy to read and understand, better by far than Cisco’s, but your text explanation with examples was spot-on. Excellent. I’ve not only bookmarked but printed for reference. This is a problem I have been fighting since before our senior network admin retired. I did make sense of the problem and solved it – at least mostly, before finding your explanation, but your post here proves my theories and fix were correct and will support my reports to the boss on why and how. It also helps prove to me that I can safely move forward with correcting the same issues on 3 of our other offices that use DSL providers. I spent a bit of time wondering – ok, works on cable, not on DSL, what’s different – the DSL modem is a NAT device, this subnet that won’t ping is PAT as it goes out, bingo.
    Thanks – and keep writing in a method that is not only technically accurate and covers the details, but is simple enough if it’s your first time on the topic it’s not hard to follow and understand. You’d make a good teacher.
    Bill

    Reply
  3. jiri

    Hi,
    I have a problem with port-forwarded ports:
    I have an IPsec tunnel between 2 Cisco routers.
    When I set a port-forwarded port: ip nat inside source static tcp 192.168.10.207 101 WAN-IP 101.
    Then this IP address with the same port, 192.168.10.207:101, is unreachable via the IPSec tunnel. When I disable it, it works fine. I mean NAT is doing something with this traffic, but I have an exception in the NAT ACL:
    ip access-list extended NAT
    deny ip 192.168.10.0 0.0.0.255 192.168.9.0 0.0.0.255
    permit ip 192.168.10.0 0.0.0.255 any
    NAT ACL used in: ip nat inside source list NAT interface GigabitEthernet0/0 overload
    Thanks for solutions.

    Reply
  4. diyan

    Hi,

    Thanks for the tutorial. I have a question: what if the B-side internet-facing interface to the ADSL provider is a dynamic IP? What I know is, the B-side ASA will be configured with a peer IP pointing towards the A-side public IP, and the A-side ASA will be configured with a dynamic L2L VPN, and the tunnel will be built only if packets are initiated or coming from the hosts behind the B-side ASA, but will this scenario work?

    Thank you

    Reply
  5. JesusEM

    Thanks for your tutorial.

    Considering that we are a small business, Could you recommend us any cisco router that supports site-to-site IPSec VPN through NAT with a PPPoE internet connection?

    Thank you so much.
    Best regards.

    Reply
    1. Guy Morrell Post author

      Thanks. I drew it by hand using notability on an iPad with a stylus.

      Reply
  6. Muller

    Thanks for such a beautifully explained scenario, but I am unable to simulate this in GNS3. Can you please shed some light on how I need to configure it, especially the internet?

    Thanks once again and keep up the good work!

    Reply
  7. Rio Maulana

    Hi Guy, I am also running into the same problem you stated above. When I tried the concept on Packet Tracer and tried to configure the NAT router and issue this command ip nat inside source static udp 192.168.1.1 500 interface FastEthernet0/0 500 it shows
    % Invalid input detected at ‘^’ marker under the interface command. I am using a Cisco router running Version 15.1

    Reply
  8. Ian

    Hi

    I found your article helpful, but what really caught my eye was your diagram. What application did you use to create it? I found it very attractive and refreshing.

    Ian

    Reply
  9. Emad ul haq

    Do we need NAT-T on both ASAs? I mean the ASA with a direct public IP and the ASA on a private IP behind the DSL router: do they both need NAT-T in the crypto map, or just the ASA behind the DSL router?

    Reply
