05-09-2010 11:25 PM - edited 02-21-2020 04:38 PM
Hi,
I will make a site-to-site VPN between two ASA firewalls. But I have an ADSL modem in front of the firewall, so I need to make NAT for the ports which are used by the VPN. So what are these ports? Which ports should I NAT for the VPN?
thanks
05-09-2010 11:30 PM
For IPSec VPN, the following ports are to be used:
Phase 1: UDP/500
Phase 2: UDP/4500
You would also need to enable NAT-T on your ASA (command: crypto isakmp nat-traversal 20):
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c5.html#wp2191067
That would encapsulate ESP (phase 2) to UDP/4500 so it can be NATed.
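To make the point above concrete, here is an added example (not code from the thread or from Cisco) that classifies packets the way a NATing modem in front of the ASA would see them. It assumes only UDP/500 and UDP/4500 are forwarded to the ASA, and uses the RFC 3948 framing for UDP/4500: IKE inside UDP/4500 starts with a four-byte zero "non-ESP marker", ESP-in-UDP starts with its non-zero SPI, and a one-byte 0xFF payload is a NAT keepalive. Raw ESP (IP protocol 50) has no port, so a port-forwarding modem has nothing to match on. The sample packets are constructed inline.

```python
"""Classify IPsec traffic as seen on the WAN side of a NATing ADSL modem.

Added example; assumptions (not from the thread): the modem forwards only
UDP/500 and UDP/4500 to the ASA, and UDP/4500 framing follows RFC 3948.
"""
import struct

UDP = 17
ESP = 50
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 2.2: IKE inside UDP/4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948 2.3: one-byte keepalive

# Which forwarding rule on the modem covers each traffic class.
# None means the modem cannot forward it, because there is no port to match.
FORWARDING_RULE = {
    "ike": "udp/500",
    "ike-natt": "udp/4500",
    "esp-natt": "udp/4500",
    "natt-keepalive": "udp/4500",
    "esp-raw": None,
}


def classify(proto, dst_port, payload):
    """Return a label for one packet: IP protocol, UDP dst port (or None), UDP payload."""
    if proto == ESP:
        return "esp-raw"                # protocol 50 with no UDP header
    if proto == UDP and dst_port == 500:
        return "ike"                    # phase 1 before NAT-T is negotiated
    if proto == UDP and dst_port == 4500:
        if payload == NAT_KEEPALIVE:
            return "natt-keepalive"
        if payload[:4] == NON_ESP_MARKER:
            return "ike-natt"           # IKE moved to 4500 after NAT detection
        return "esp-natt"               # first 4 bytes are a non-zero ESP SPI
    return "other"


def forwarding_rule(label):
    """Port-forward the modem needs for this class, or None if it cannot be NATed."""
    return FORWARDING_RULE.get(label)


def build_udp_encap_esp(spi, seq, ciphertext):
    """UDP/4500 payload for ESP-in-UDP: SPI, sequence number, then the ESP body."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved and would collide with the non-ESP marker")
    return struct.pack("!II", spi, seq) + ciphertext


def build_udp_encap_ike(ike_message):
    """UDP/4500 payload for IKE: non-ESP marker followed by the IKE message."""
    return NON_ESP_MARKER + ike_message


def audit(samples):
    """For each (proto, dst_port, payload) return (label, rule); rule None = dropped."""
    result = []
    for proto, dst_port, payload in samples:
        label = classify(proto, dst_port, payload)
        result.append((label, forwarding_rule(label)))
    return result


# Constructed sample packets (payload bytes are filler, not real IKE/ESP content).
SAMPLES = [
    (UDP, 500, b"\x11" * 28),                                  # IKE phase 1
    (UDP, 4500, build_udp_encap_ike(b"\x22" * 28)),            # IKE after NAT-T
    (UDP, 4500, build_udp_encap_esp(0x0A0B0C0D, 1, b"\x33" * 16)),  # ESP in UDP
    (UDP, 4500, NAT_KEEPALIVE),                                # NAT keepalive
    (ESP, None, b"\x44" * 24),                                 # raw ESP, no port
]

if __name__ == "__main__":
    for label, rule in audit(SAMPLES):
        print(f"{label:15s} -> {rule if rule else 'cannot be port-forwarded'}")
```

Running it shows that everything the tunnel needs after NAT-T is negotiated lands on UDP/500 or UDP/4500, while the raw ESP packet is the one class a port-forwarding modem has no rule for.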
05-10-2010 02:27 AM
It is also advisable to open protocol 50 (ESP) as well.
HTH
05-10-2010 03:58 AM
Most likely not possible on an ADSL modem, and since he is doing NAT the solution would be, as stated above, to use NAT-T, therefore pushing phase 2 up to UDP/4500.