Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1144
Views
5
Helpful
3
Replies

Site-to-site did NOT require port forwarding

jthunderbird
Level 1
Level 1

‎04-16-2020 06:53 PM

I have a hub and spoke environment with a bunch of ASA 5506-X devices. I was under the impression that for a site-to-site VPN between a user (behind a residential internet connection) and my public IP hub ASA, that the private space ASA would require port forwarding on UDP 500 and 4500 to the ASA so I had my users accomplish this.

 

One of them commented that he did not have to turn on port forwarding and he still had access across the VPN. So I went ahead and turned mine off to test it and sure enough I do not need it either. I assume this is because my ASA is initiating the session and the public ASA is responding. Is there a way to force this behaviour so I can have all of my guys turn off port forwarding entirely? I googled and only came up with EasyVPN solutions but I am not using EasyVPN, just a plain old ipsec tunnel with tunnel-groups.

 

The crypto config from one of my spoke ASAs:

 

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal XXX-01
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec profile XXX-PROF
set ikev2 ipsec-proposal XXX-01
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
crypto ikev2 policy 25
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 10800
crypto ikev2 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

 

0 Helpful
3 Replies 3

Francesco Molino
VIP Alumni
VIP Alumni

‎04-16-2020 07:21 PM

Hi

Are you using route based vpn (tunnel interface) or policy based (commands crypto map)?

If using VTI (route based vpn), you can force the hub to be responder only and make sure only spokes can start Ike negotiation.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ikevpn/configuration/15-mt/sec-ike-for-ipsec-vpns-15-mt-book/sec-ike-respond-only.html

With policy based, the first that tries to send traffic matching crypto map acl will initiate ike. Usually, only spoke starts sending traffic and not the inverse except there are some kind of polling devices or monitoring...

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

jthunderbird
Level 1
Level 1
In response to Francesco Molino

‎04-17-2020 07:26 AM

That looks like exactly what I need except for one small detail... I have 2 cores connected to each other (one in the northern part of the country and the other southern). Spokes connect to the closest hub to them and the hubs are connected to each other.

 

That command is in the crypto config so I would image both of my hubs become responders only which means the two hubs would never initiate a connection which each other.

0 Helpful

jthunderbird
Level 1
Level 1
In response to jthunderbird

‎04-17-2020 07:40 AM

I suppose I could just make another profile. I will give that a shot and mark your answer as correct if that works. Thanks for the reply.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card