cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
361
Views
0
Helpful
3
Replies
Beginner

L2L with ASA behind router

Can an ASA initiate a L2L VPN over NAT-T behind a router?

The VPN can be successfully established when our third party start the connection but not when we start it from our end.

Many vendors don't support this scenario, I would like to know if Cisco do.

2 ACCEPTED SOLUTIONS

Accepted Solutions
VIP Mentor

L2L with ASA behind router

Yes that will work. The ASA can be behind a NAT as an IPSec-originater as well as an IPSec-responder. Of course the NAT hast to be configured properly if the ASA is the responder.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

VIP Mentor

L2L with ASA behind router

Yes, that will work. If both ASAs have NAT-T enabled (which is the default) then there is no reason that it shouldn't work.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

3 REPLIES 3
VIP Mentor

L2L with ASA behind router

Yes that will work. The ASA can be behind a NAT as an IPSec-originater as well as an IPSec-responder. Of course the NAT hast to be configured properly if the ASA is the responder.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

Highlighted
Beginner

L2L with ASA behind router

Thanks Karsten for your quick reply.

If the othe peer was another ASA with no NAT in front of it, would it be able to initiate the proposal?

VIP Mentor

L2L with ASA behind router

Yes, that will work. If both ASAs have NAT-T enabled (which is the default) then there is no reason that it shouldn't work.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post