ASA VPN behind firewall

andres.picos
Level 1

Hi

Does anybody know if a remote access VPN (ASA) behind another firewall with NAT (Checkpoint) works fine?

I need to configure an SSL remote access VPN on an ASA 5512-X, but the ASA is in a DMZ of a Checkpoint firewall that has the public IP and the internet connection.

Thanks.

Andres

2 Accepted Solutions


Marvin Rhoads
Hall of Fame

Yes. I've used ASA remote access SSL VPN when the ASA outside interface is behind another firewall that is NATting the address. As long as the second firewall is allowing tcp/443 (SSL, assuming a default setup) it works fine.

For an IPsec VPN a few more ports are required (udp/500 and 4500 typically).


nkarthikeyan
Level 7

Hi Andres,

There shouldn't be any issue with your scenario. If you have the proper routing, flows and NAT in place to allow the VPN traversal, it will work. We have deployed many setups like this, but I have not yet tried with a Check Point FW.

NAT on Check Point FW: say 1.1.1.1 NATed to the outside interface of the ASA, 172.16.0.1.

Flow: 443 to 1.1.1.1/172.16.0.1 from any or a specific range of public stack.

Routing needs to be there.

Regards

Karthik
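
The two answers above name the flows the upstream firewall must pass (tcp/443 for SSL VPN, udp/500 and udp/4500 for IPsec) and the NAT of 1.1.1.1 to 172.16.0.1. The following is an added example, not code from any poster or vendor: it audits a constructed rulebase for those flows and for anything else exposed to the ASA. The rule format, the first-match and implicit-deny behaviour, and the client address are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Address from the thread: public IP on the upstream firewall, which the
# thread's example NATs to the ASA outside interface 172.16.0.1.
PUBLIC_IP = "1.1.1.1"

# Flows named in the thread: tcp/443 for SSL VPN, udp/500 and udp/4500 for IPsec.
REQUIRED = {"ssl-vpn": [("tcp", 443)], "ipsec-vpn": [("udp", 500), ("udp", 4500)]}

# Constructed rulebase in a hypothetical format (not Check Point syntax):
# (action, protocol, source network, pre-NAT destination, port or None for any)
RULES = [
    ("accept", "tcp", "0.0.0.0/0", PUBLIC_IP, 443),
    ("accept", "udp", "0.0.0.0/0", PUBLIC_IP, 500),
    ("drop", "any", "0.0.0.0/0", PUBLIC_IP, None),    # cleanup rule
    ("accept", "udp", "0.0.0.0/0", PUBLIC_IP, 4500),  # shadowed by the drop above
]

def decide(rules, proto, src, dst, port):
    """Action of the first matching rule (assumes top-down, first-match order)."""
    for action, r_proto, r_src, r_dst, r_port in rules:
        if (r_proto in ("any", proto) and r_dst == dst
                and r_port in (None, port)
                and ip_address(src) in ip_network(r_src)):
            return action
    return "drop"  # assumed implicit deny when nothing matches

def audit(rules, client="203.0.113.10"):
    """Per VPN type, the required flows that the rulebase does not accept."""
    result = {}
    for vpn, flows in REQUIRED.items():
        result[vpn] = [f"{p}/{n}" for p, n in flows
                       if decide(rules, p, client, PUBLIC_IP, n) != "accept"]
    return result

def exposed_extra(rules, client="203.0.113.10", ports=range(1, 1025)):
    """Accepted flows to the ASA's public address that neither VPN type needs."""
    needed = {flow for flows in REQUIRED.values() for flow in flows}
    return [(p, n) for p in ("tcp", "udp") for n in ports
            if (p, n) not in needed
            and decide(rules, p, client, PUBLIC_IP, n) == "accept"]

if __name__ == "__main__":
    print(audit(RULES))          # blocked required flows per VPN type
    print(exposed_extra(RULES))  # unneeded flows that are accepted
```

In the constructed rulebase the udp/4500 rule sits below the cleanup rule, so the audit reports it as blocked; IKE on udp/500 would pass while NAT traversal on udp/4500 would not.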


3 Replies

Thanks Marvin, I will test in my environment.
