cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1004
Views
0
Helpful
3
Replies

L2L with ASA behind router

luchthrash
Level 1
Level 1

Can an ASA initiate a L2L VPN over NAT-T behind a router?

The VPN can be successfully established when our third party start the connection but not when we start it from our end.

Many vendors don't support this scenario, I would like to know if Cisco do.

2 Accepted Solutions

Accepted Solutions

Yes that will work. The ASA can be behind a NAT as an IPSec-originater as well as an IPSec-responder. Of course the NAT hast to be configured properly if the ASA is the responder.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

Yes, that will work. If both ASAs have NAT-T enabled (which is the default) then there is no reason that it shouldn't work.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

3 Replies 3

Yes that will work. The ASA can be behind a NAT as an IPSec-originater as well as an IPSec-responder. Of course the NAT hast to be configured properly if the ASA is the responder.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Thanks Karsten for your quick reply.

If the othe peer was another ASA with no NAT in front of it, would it be able to initiate the proposal?

Yes, that will work. If both ASAs have NAT-T enabled (which is the default) then there is no reason that it shouldn't work.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni