https://community.cisco.com/t5/network-security/asa-behind-router-vpn/m-p/3097319#M133643 <P>Hi the link is too old. i mean they running version 7. where at the moment 9.x. even the nat statement is different.</P> Tue, 01 Aug 2017 15:22:02 GMT Sheraz.Salim 2017-08-01T15:22:02Z https://community.cisco.com/t5/network-security/asa-behind-router-vpn/m-p/3097315#M133633 <P>Hi here is the problem.</P> <P></P> <P>Router1&nbsp; SITE1--------- INTERNET ---------SITE2&nbsp;&nbsp; ASA------Router2.</P> <P></P> <P>wanted to setup a VPN site to site vpn between the ROUTER1 and ROUTER2. however as there is a ASA between. is it possible. do not want to configure a VPN on ASA but wanted to configure a vpn on Router2.</P> <P></P> <P></P> <P>router1</P> <P>crypto isakmp policy 1<BR />&nbsp;encr aes 256<BR />&nbsp;hash sha512<BR />&nbsp;authentication pre-share<BR />&nbsp;group 5<BR />crypto isakmp key cisco12345 address 209.165.201.254<BR />crypto ipsec transform-set VPN esp-aes esp-sha512-hmac<BR />&nbsp;mode tunnel<BR />crypto map VPN 1 ipsec-isakmp<BR />&nbsp;set peer 209.165.201.254<BR />&nbsp;set transform-set VPN<BR />&nbsp;match address 100<BR />&nbsp;crypto map VPN</P> <P>show access-list<BR />Extended IP access list 100<BR />&nbsp;&nbsp;&nbsp; 20 permit udp any any eq non500-isakmp<BR />&nbsp;&nbsp;&nbsp; 30 permit udp any any eq isakmp<BR />&nbsp;&nbsp;&nbsp; 40 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255</P> <P></P> <P></P> <P>Router2</P> <P>crypto isakmp policy 1<BR />&nbsp;encr aes 256<BR />&nbsp;hash sha512<BR />&nbsp;authentication pre-share<BR />&nbsp;group 5<BR />crypto isakmp key cisco12345 address 209.165.200.1<BR />crypto ipsec transform-set VPN esp-aes esp-sha512-hmac<BR />&nbsp;mode tunnel<BR />crypto map VPN 1 ipsec-isakmp<BR />&nbsp;set peer 209.165.200.1<BR />&nbsp;set transform-set VPN<BR />&nbsp;match address 100<BR />&nbsp;crypto map VPN</P> <P>#show access-lists<BR />Extended IP access list 100<BR />&nbsp;&nbsp;&nbsp; 10 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255<BR />&nbsp;&nbsp;&nbsp; 20 permit udp any any eq non500-isakmp<BR />&nbsp;&nbsp;&nbsp; 30 permit udp any any eq isakmp</P> <P></P> <P></P> <P>I gave a spare public ip to ROUTER2 what config do i have to make on firewall. what nat. policy nat please hlep</P> <P></P> <P></P> <P></P> <P></P> <P></P> <P></P> Tue, 12 Mar 2019 09:45:38 GMT https://community.cisco.com/t5/network-security/asa-behind-router-vpn/m-p/3097315#M133633 Sheraz.Salim 2019-03-12T09:45:38Z https://community.cisco.com/t5/network-security/asa-behind-router-vpn/m-p/3097316#M133635 <P>Hi,</P> <P></P> <P><G class="gr_ gr_22 gr-alert gr_gramm gr_inline_cards gr_disable_anim_appear Punctuation only-ins replaceWithoutSep" id="22" data-gr-id="22">Yes</G> it is possible.</P> <P></P> <P>You need to make ASA as a VPN <G class="gr_ gr_46 gr-alert gr_spell gr_inline_cards gr_disable_anim_appear ContextualSpelling ins-del" id="46" data-gr-id="46">passthrough</G> device.</P> <P></P> <P>You need to allow UDP 500,4500 and ESP traffic on the ASA for the two VPN peers.</P> <P></P> <P>More info on this link:</P> <P></P> <P>http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/63881-ipsec-pix70-nat.html</P> <P></P> <P class="p1"><SPAN class="s1">Regards,</SPAN></P> <P class="p1"><SPAN class="s1">Aditya</SPAN></P> <P class="p1"><SPAN class="s1">Please rate helpful and mark correct answers</SPAN></P> Mon, 31 Jul 2017 16:05:18 GMT https://community.cisco.com/t5/network-security/asa-behind-router-vpn/m-p/3097316#M133635 Aditya Ganjoo 2017-07-31T16:05:18Z https://community.cisco.com/t5/network-security/asa-behind-router-vpn/m-p/3097317#M133639 <P>Hi&nbsp;sherazrose,</P> <P></P> <P>You need to configure one to one NAT for routers public IP&nbsp;and allow traffic from WAN to LAN for these ports and protocols. Let me know the router private IP to help you with the configuration.</P> Tue, 01 Aug 2017 15:19:44 GMT https://community.cisco.com/t5/network-security/asa-behind-router-vpn/m-p/3097317#M133639 Spooster IT Services 2017-08-01T15:19:44Z https://community.cisco.com/t5/network-security/asa-behind-router-vpn/m-p/3097318#M133642 <P>hi what will be the nat statment</P> <P></P> <P>nat (inside,outside) source static INTERNAL EXTERNAL</P> <P>or</P> <P></P> <P>nat (inside,outside) static PUBLIC-IPADDRESS</P> Tue, 01 Aug 2017 15:20:53 GMT https://community.cisco.com/t5/network-security/asa-behind-router-vpn/m-p/3097318#M133642 Sheraz.Salim 2017-08-01T15:20:53Z https://community.cisco.com/t5/network-security/asa-behind-router-vpn/m-p/3097319#M133643 <P>Hi the link is too old. i mean they running version 7. where at the moment 9.x. even the nat statement is different.</P> Tue, 01 Aug 2017 15:22:02 GMT https://community.cisco.com/t5/network-security/asa-behind-router-vpn/m-p/3097319#M133643 Sheraz.Salim 2017-08-01T15:22:02Z https://community.cisco.com/t5/network-security/asa-behind-router-vpn/m-p/3097320#M133644 <P>Configuration will be like the following:-</P> <P><SPAN>object network&nbsp;ROUTER2</SPAN><BR /><SPAN>&nbsp;host &lt;Private IP of router&gt;<BR />nat (inside,outside) static&nbsp;209.165.201.254</SPAN></P> <P><SPAN>!</SPAN></P> <P><SPAN>object network&nbsp;ROUTER1<BR /><SPAN>&nbsp;host&nbsp;209.165.200.1</SPAN></SPAN></P> <P><SPAN>object-group service VPN-SERVICES udp<BR /> port-object eq isakmp<BR /> port-object eq 4500<BR />!<BR />access-list outside_access_in extended permit udp object ROUTER1&nbsp;object&nbsp;ROUTER2 object-group VPN-SERVICES&nbsp;<BR />access-list outside_access_in extended permit esp object ROUTER1 object ROUTER2<BR /></SPAN></P> Tue, 01 Aug 2017 15:31:03 GMT https://community.cisco.com/t5/network-security/asa-behind-router-vpn/m-p/3097320#M133644 Spooster IT Services 2017-08-01T15:31:03Z https://community.cisco.com/t5/network-security/asa-behind-router-vpn/m-p/3097321#M133646 <P>Hi Sherazrose,</P> <P></P> <P>See my comment above for sample configuration</P> Tue, 01 Aug 2017 17:29:49 GMT https://community.cisco.com/t5/network-security/asa-behind-router-vpn/m-p/3097321#M133646 Spooster IT Services 2017-08-01T17:29:49Z