Cisco ASA: Allow VPN Traffic “Through” A Cisco Firewall

KB ID 0001428

Problem

I got asked to put in a VPN for a client, this week, it went from a simple site to site, to a site to site with a Fortigate firewall at one end, to a VPN from and ASA to a Fortigate ‘through’ another ASA. 

VPN through an ASA Firewall

It’s been a few years since I had to tunnel  ‘through’ a firewall, and experience tells me, if you don’t have control of BOTH ends of a new VPN tunnel, anything that stops the tunnel coming up, MUST be my fault. So I thought I’d build it on my test bench, (admittedly without a Fortigate, but thankfully that’s not my problem, so I used another ASA instead.) This is what I built.

VPN though a Firewall Topology

Note: The routers are just there, so I can ping the other site to test the tunnel.

Solution

So what I’m worried about, is how to configure the ASA in the middle (The Corporate Perimeter Firewall). This is not an exercise in setting up the VPNs, if that’s what you require, then see the link at the bottom of the page.

There are FIVE things you need to do;

  • Create a Static (One-To-One) NAT so that the ASA that has a private IP on its outside interface, (192.168.2.1) has a PUBLIC IP mapped to it, (I’m using 1.1.1.3).
  • Allow UDP 500 (ISAKMP) from the ASA (1.1.1.1) to the ASA (192.168.2.1)
  • Allow UDP 4500 (NAT-TRAVERSAL) from the ASA (1.1.1.1) to the ASA (192.168.2.1)
  • Allow UDP 500 (ISAKMP) from the ASA (192.168.2.1) to the ASA (1.1.1.1)
  • Allow UDP 4500 (NAT-TRAVERSAL) from the ASA (192.168.2.1) to the ASA (1.1.1.1)

That’s It! You DON’T need to allow ESP or AH, (protocols 50 and 51,) nor do you need to enable ‘ipsec-pass-through’. I’ve brought up the tunnel with both IKEv1 and IKEv2.

Config;

!
object network OBJ-ASA-SITE-1
 host 1.1.1.1
object network OBJ-ASA-SITE-2
 host 192.168.2.1
 nat (inside,outside) static 1.1.1.3
!
access-list outbound extended permit udp object OBJ-ASA-SITE-2 object OBJ-ASA-SITE-1 eq isakmp
access-list outbound extended permit udp object OBJ-ASA-SITE-2 object OBJ-ASA-SITE-1 eq 4500
!
access-list inbound extended permit udp object OBJ-ASA-SITE-1 object OBJ-ASA-SITE-2 eq isakmp
access-list inbound extended permit udp object OBJ-ASA-SITE-1 object OBJ-ASA-SITE-2 eq 4500
!
access-group inbound in interface outside
access-group outbound in interface inside
!

WARNING: Read the following article before executing the access-group commands;

Cisco ASA – ‘access-group’ Warning

 

Related Articles, References, Credits, or External Links

Cisco ASA Site To Site VPN IKEv2 “Using CLI”

Cisco ASA5500 Site to Site VPN from ASDM

Add a Static (One to One) NAT Translation to a Cisco ASA 5500 Firewall

Author: PeteLong

Share This Post On

2 Comments

  1. Nice one! I did not know that you would only require that phase-1 part through and ESP would take care of itself somehow. Something on the router side that is often forgotten is that when building IPSec tunnel the router on the other side should be including the private pre-NAT’s IP in the identity of the isakmp profile.

    Post a Reply
    • If you think about it – the phase 1 tunnel establishes, then two IPSEC tunnels are created ‘within’ that tunnel (each with its own SPI), the firewall does not actually see any ESP traffic (the one in the middle).

      Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *