Initiate a VPN from a cisco router on the local LAN behind ASA?

Mike Thomas
Level 1

We currently have an ASA with site-to-site VPN and AnyConnect VPN being utilized. We received a third-party Cisco router which will be used to initiate their own site-to-site VPN from inside our local LAN to their LAN through our ASA.


1. Would NAT Traversal be required on our ASA? 5540(config)#crypto isakmp nat-traversal


2. Would the ports listed below interfere with ports for site-to-site VPN and AnyConnect VPN?


SSH
    - allow access from xxxxx on TCP port 22

ICMP
    - allow access from xxxxx - protocol 1

ISAKMP
    - allow access to xxxxx on UDP port 500, also add UDP 4500 for NAT-T

ESP
    - allow access to/from xxxxx - protocol 50

Certificate port:
    - allow access to/from xxxxx on TCP port 8080

NTP port:
    - allow access to/from xxxxx on UDP port 123

Accepted Solution

Hi Michael,

1-

NAT-T is only required if one of the sites is behind NAT.

NAT-T lets IPsec peers establish a connection through a NAT device. It does this by encapsulating IPsec traffic in UDP datagrams, using port 4500, which provides NAT devices with port information. NAT-T auto-detects any NAT devices and only encapsulates IPsec traffic when necessary. This feature is disabled by default.

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_ike.html#wp1120836

2-

ISAKMP
    - allow access to xxxxx on UDP port 500, also add UDP 4500 for NAT-T

ESP
    - allow access to/from xxxxx - protocol 50

The ports above are the ones used for IPsec VPN, AnyConnect SSL does not use them.

Let me know.

Thanks.

Portu.

Please rate any posts you find helpful.

Message was edited by: Javier Portuguez

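How NAT-T "auto-detects" a NAT, worked through as an added example that is not part of the original thread or of Cisco's code: the IKEv2 NAT detection exchange of RFC 7296 section 2.23 in Python. Each peer attaches NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP notifies to IKE_SA_INIT, each a SHA-1 over the two SPIs, the IP address and the UDP port as the sender sees them; the receiver recomputes the hashes over the addresses it actually observed on the wire, and any mismatch means a NAT rewrote the packet in between, so both sides move IKE and ESP to UDP 4500 (IKEv1 with RFC 3947 does the same thing with NAT-D payloads hashed over the ISAKMP cookies). The addresses (10.10.10.5 for the inside router, 203.0.113.10 for the address the ASA translates it to, 198.51.100.7 for the remote peer), the SPI values and the function names are all constructed for illustration; the 4500/500/protocol 50 numbers are the ones from the thread.

```python
"""IKEv2 NAT detection (RFC 7296 s.2.23) and its effect on the firewall
policy for an IPsec peer. Constructed example; addresses and SPIs are made up."""
import hashlib
import ipaddress
import struct

IKE_PORT = 500        # IKE_SA_INIT is always sent to UDP 500
NAT_T_PORT = 4500     # IKE and UDP-encapsulated ESP once a NAT is detected
ESP_PROTOCOL = 50     # raw ESP, IP protocol 50, has no ports a PAT device can track


def nat_detection_hash(spi_i: bytes, spi_r: bytes, address: str, port: int) -> bytes:
    """SHA-1(SPIi | SPIr | packed IP address | 16-bit port), as in RFC 7296."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKEv2 SPIs are 8 bytes each")
    packed_addr = ipaddress.ip_address(address).packed   # 4 bytes (v4) or 16 (v6)
    return hashlib.sha1(spi_i + spi_r + packed_addr + struct.pack("!H", port)).digest()


def build_nat_notifies(spi_i, spi_r, src, dst):
    """Sender side: notifies computed over the addresses the sender believes
    the packet carries. src and dst are (address, port) tuples."""
    return {
        "NAT_DETECTION_SOURCE_IP": nat_detection_hash(spi_i, spi_r, *src),
        "NAT_DETECTION_DESTINATION_IP": nat_detection_hash(spi_i, spi_r, *dst),
    }


def detect_nat(notifies, spi_i, spi_r, observed_src, observed_dst):
    """Receiver side: recompute over the addresses seen on the wire.
    Returns (sender_behind_nat, receiver_behind_nat)."""
    src_match = notifies["NAT_DETECTION_SOURCE_IP"] == nat_detection_hash(
        spi_i, spi_r, *observed_src)
    dst_match = notifies["NAT_DETECTION_DESTINATION_IP"] == nat_detection_hash(
        spi_i, spi_r, *observed_dst)
    return (not src_match, not dst_match)


def required_firewall_rules(nat_detected: bool):
    """Flows a firewall in the path must permit for this tunnel to come up."""
    rules = [("udp", IKE_PORT)]              # IKE_SA_INIT
    if nat_detected:
        rules.append(("udp", NAT_T_PORT))    # IKE_AUTH onwards plus ESP-in-UDP
    else:
        rules.append(("esp", ESP_PROTOCOL))  # raw ESP, no UDP 4500 needed
    return rules


def simulate(initiator_private, initiator_public, responder, nat_in_path):
    """Initiator sends IKE_SA_INIT; the path optionally translates its source."""
    spi_i = bytes.fromhex("0123456789abcdef")   # constructed initiator SPI
    spi_r = bytes(8)                             # responder SPI is zero in IKE_SA_INIT
    notifies = build_nat_notifies(
        spi_i, spi_r, (initiator_private, IKE_PORT), (responder, IKE_PORT))
    # A PAT device rewrites the source address and usually the source port.
    observed_src = (initiator_public, 12345) if nat_in_path else (initiator_private, IKE_PORT)
    src_nat, dst_nat = detect_nat(notifies, spi_i, spi_r, observed_src, (responder, IKE_PORT))
    return src_nat, dst_nat, required_firewall_rules(src_nat or dst_nat)


if __name__ == "__main__":
    # Router inside the LAN, translated by the ASA on its way to the remote peer.
    print(simulate("10.10.10.5", "203.0.113.10", "198.51.100.7", nat_in_path=True))
    # Same router with a public address and no translation in the path.
    print(simulate("203.0.113.10", "203.0.113.10", "198.51.100.7", nat_in_path=False))
```

Run stand-alone, the first call reports the initiator behind NAT and a policy of UDP 500 plus UDP 4500; the second reports no NAT and a policy of UDP 500 plus IP protocol 50. The practical consequence for the thread's setup is that the detection is done by the IKE peers themselves, not by the ASA, so what the ASA needs is to permit UDP 500, UDP 4500 and protocol 50 between the router and the remote peer; if the ASA translates the router's address the peers will detect that and use 4500 on their own.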
