VPN and Port Forwarding of UDP 4500

douiriothmane
Level 1

Hi Guys,

I have an ASA 5555 where I had port forwarding configured, I am redirecting UDP 4500 from outside to an internal server. In fact, I have some access points on different remote sites that need to communicate with their controller using UDP/4500 (the controller is in my LAN)

I tried to configure a site to site VPN with another remote ASA but it did not work. I have an error saying that port 4500 can not be opened on the outside interface.

I'm suspecting that this is caused by the port forwarding rule already in place. I would like to know if there is any way to make the site to site VPN while still keeping the port forwarding rule for UDP/4500.

Thank you in advance

Regards,

3 Replies

bhavsha2
Cisco Employee

Hello,

I believe NAT traversal is happening for the site to site VPN, where the external interface on either side would be getting translated.

I suspect the port forwarding you are doing is on the external interface IP address, which is the same address that NAT traversal would be mapping to port 4500 UDP.

Two things could be done:

1) Change the port forwarding to a different pool IP address rather than the interface IP. In this case I am assuming that you are doing NAT with the interface IP.

2) Configure the port forwarding such that the traffic is initiated on 4510 and then mapped to 4500.

Currently you would be having the port forwarding rule initiated on port 4500, and then the IP address would be getting translated.

Regards,

Bhavik 
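The second option above, written out as ASA configuration (8.3+ object NAT syntax); this is an added example, not configuration posted in the thread, and the object name, addresses and ACL name are made-up placeholders. It assumes the controller listens on UDP/4500 internally and the remote access points can be pointed at UDP/4510 on the outside address.

```cisco
! Hypothetical controller address on the inside; the name is a placeholder.
object network WLC-INSIDE
 host 10.1.1.10
 ! Real port 4500 on the controller is published on the outside interface
 ! address as 4510, so the interface's own udp/4500 stays free for NAT-T.
 nat (inside,outside) static interface service udp 4500 4510

! Post-8.3 ACLs match the real (untranslated) address and port.
access-list OUTSIDE_IN extended permit udp any object WLC-INSIDE eq 4500
access-group OUTSIDE_IN in interface outside

! Verification: confirm the translation (hit counts) and trace a packet
! from a constructed AP address to the outside address on udp/4510.
! show nat detail
! packet-tracer input outside udp 198.51.100.5 50000 203.0.113.10 4510
```

Option 1 would instead use `nat (inside,outside) static 203.0.113.11 service udp 4500 4500` with a spare outside address, leaving the interface address untouched.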

Completely untested, but if you disable NAT-traversal, then perhaps the ASA doesn't need the port udp/4500 any more:

no crypto isakmp nat-traversal

But then there are no clients allowed to be behind a NAT any more. You don't have any spare external IP for the forwarding to your internal server?

bhavsha2
Cisco Employee

Hello, I am not asking to disable the NAT, because if that is done then the identities have to be changed, which may not be feasible. If the IP address which is getting NATted for the wireless controller is the same as the IP address to which the VPN traffic is NATted, then the only feasible thing would be to initiate the traffic on a port such as 4510/UDP for the wireless controller and then map it to 4500.

This could also have been possible if the ASA supported VRF, where we could keep the VPN or the Internet traffic interface in a specific VRF.

Regards,

Bhavik Shah
