Tag Archives: VPN

Double NAT to allow IPSEC VPN on firewall behind router or firewall

On your Site 1 internet router/firewall, NAT the following ports to your VPN firewall’s External IP address


Note: To set up a proper IPSEC VPN on a firewall that sits behind an internet-facing router/firewall, the IPSEC VPN firewall must be assigned an internal IP address. The above example shows the IPSEC VPN firewall as

This is the IP subnet that is hosted by the internet router/firewall. is what the External interface of the IPSEC VPN firewall is assigned. Its internal network must be on a different subnet. This example will use

The IPSEC VPN tunnel configuration is exactly the same as it would be if the device were the internet-facing device.

In the VPN tunnel configuration, set your local gateway to the IP address assigned to the internet-facing device's External interface.

On the remote site's IPSEC VPN tunnel, set the remote gateway to that same IP address (the one used as the local gateway above).


Site 1 (Home)                                                   Site 2 (Business)

Local GW:                                             Local GW:
Remote GW:                                      Remote GW:
Internal:                                Internal:
Remote:                                Remote:
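Worked example of the double NAT described above, added here and not part of the original post. It assumes the Site 1 internet-facing device is a Cisco ASA (8.3 or later NAT syntax) and uses constructed addresses: the router's public outside address is 198.51.100.1, the subnet behind it is 192.0.2.0/24, and the VPN firewall's External interface is 192.0.2.10. Only IKE (UDP/500) and NAT-T (UDP/4500) are forwarded; once both peers negotiate NAT traversal, ESP is encapsulated in UDP/4500, so no raw ESP (IP protocol 50) forward is required.

```text
! Added example, not the original post's configuration. Assumes the Site 1
! internet-facing router is a Cisco ASA (8.3+ NAT syntax). Constructed values:
!   outside (public) interface ........... 198.51.100.1
!   subnet behind the router ............. 192.0.2.0/24
!   VPN firewall External interface ...... 192.0.2.10
!
! Forward IKE (UDP/500) and NAT-T (UDP/4500) arriving on the public address
! to the VPN firewall's External interface.
object network vpn-fw-ike
 host 192.0.2.10
 nat (inside,outside) static interface service udp 500 500
object network vpn-fw-natt
 host 192.0.2.10
 nat (inside,outside) static interface service udp 4500 4500
!
! Permit the forwarded traffic inbound on the outside interface. From ASA 8.3
! on, access lists reference the real (untranslated) destination address.
access-list outside_access_in extended permit udp any host 192.0.2.10 eq isakmp
access-list outside_access_in extended permit udp any host 192.0.2.10 eq 4500
access-group outside_access_in in interface outside
```

With this in place, the Site 2 tunnel's remote gateway is pointed at 198.51.100.1, the public address, exactly as the text says. Both VPN peers must have NAT traversal enabled; if either side has it disabled, phase 2 will try to send raw ESP, which this port-based forward does not pass, and the tunnel will negotiate but carry no traffic.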



Configure ASA for S2S IPSEC VPN

In the ASDM toolbar, select Wizards / VPN Wizards / Site-to-site VPN Wizard…

Step 1: Click Next on the Introduction screen.
Step 2: Enter the Peer IP Address of the remote site, make sure the VPN Access Interface is set to outside, then click Next.


Step 3: Browse the Local Network by clicking the three dots (...) to the right of the Local Network field.
Select inside-network, click the Local Network button, then click OK.
Enter the Remote Network IP/Class for the remote subnet, for example ( ), then click Next.


Step 4: Select Simple Configuration, enter the Pre-shared Key and click Next


Step 5: Check the box to exempt the inside network from address translation (NAT exemption) and click Next.


Step 6: Review the configuration and click Finish if everything is correct; otherwise click Back to make any needed changes.


Uncheck the IKEv2 Enabled checkbox, then click Edit on the Connection Profile you just created.


Verify that the appropriate IKE Policy is selected under IPsec Settings / IKE v1 Settings / Encryption Algorithms; if it is not, click Manage and add it.


Click Apply, then Save
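The ASA CLI equivalent of what the wizard steps above produce, added here as an example and not taken from the original post. Assumed and constructed values: the local (inside) network is 192.168.1.0/24, the remote network is 192.168.2.0/24, the remote peer address is 203.0.113.2, the IKEv1 policy is AES-256 / SHA / DH group 2, and the pre-shared key is a placeholder. Comments map each block back to the wizard step it corresponds to.

```text
! Added example, not the original post's configuration. Constructed values:
!   local (inside) network ..... 192.168.1.0/24
!   remote network ............. 192.168.2.0/24
!   remote peer address ........ 203.0.113.2
!   pre-shared key ............. placeholder, replace before use
!
! Step 3: local and remote networks
object network inside-network
 subnet 192.168.1.0 255.255.255.0
object network remote-network
 subnet 192.168.2.0 255.255.255.0
!
! Step 5: NAT exemption so tunnel traffic keeps its real source/destination
nat (inside,outside) source static inside-network inside-network destination static remote-network remote-network no-proxy-arp route-lookup
!
! IKEv1 phase 1: the policy checked under IPsec Settings / IKE v1 Settings
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! IKEv1 phase 2: transform set and crypto map (Peer IP Address from Step 2)
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
access-list outside_cryptomap extended permit ip object inside-network object remote-network
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 203.0.113.2
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
!
! Connection profile with the Step 4 pre-shared key. No "ikev2" lines appear,
! which matches leaving the IKEv2 Enabled box unchecked.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_REAL_PSK
```

Apply corresponds to pushing these lines to the running configuration and Save to `write memory`. After the remote side sends interesting traffic, `show crypto ikev1 sa` should list 203.0.113.2 in state MM_ACTIVE and `show crypto ipsec sa peer 203.0.113.2` should show packets encrypted and decrypted. Group 2 and SHA-1 are what older wizard defaults produce; when both peers support it, use a stronger group (for example group 14) and an AES-256/SHA policy, and make sure the policy numbers and transform set match on both ends, since a mismatch is the most common reason phase 1 or phase 2 fails.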