404 Views, 0 Helpful, 2 Replies

Sample Configuration for 5505 ASA Behind Cisco Router

anking2222 (Level 1)

Hello community. I have an issue that I have been reading several blogs and posts about, but have not been able to solve. It involves trying to find a solution for using an ASA behind a firewall on the spare Gigabit interface. Currently, we have PF Sense as the firewall on Gi 0/0/2 (Gi 0/0/1 is free). My desire is to use the ASA on this spare interface as a VPN server. I have an R&S background, but am not heavy on security. I have not configured the ASA interface, but the current setup is as follows (pertinent sections):

interface GigabitEthernet0/0/0
description WAN side
ip address x.x.x.170 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip verify unicast reverse-path
ip access-group 110 in
load-interval 30
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/0/2
description LAN Side
ip address 10.20.0.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
negotiation auto
ip virtual-reassembly
!
!----The below NAT statements were to try to enable PF Sense to act as a server, but no success------!
!
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip nat inside source static udp 10.20.0.2 51 interface GigabitEthernet0/0/0 51
ip nat inside source static udp 10.20.0.2 500 interface GigabitEthernet0/0/0 500
ip nat inside source static esp 10.20.0.2 interface GigabitEthernet0/0/0
ip nat inside source static tcp 10.20.0.2 22 103.46.208.170 1194 extendable
!

I am really wondering what static NAT settings are required, along with other router configuration, if I enable EasyVPN on the other end of Gi0/0/1. Any assistance would be greatly appreciated, and I'm open to any suggestions / required changes. If you need any more information, please just let me know.

Accepted Solution

For EasyVPN to work you only have to forward (and allow) UDP/500 (ISAKMP/IKE) and UDP/4500 (NAT-T; encapsulation when NAT is detected). That is all the traffic that your router will "see". If you have a spare public IP you can also map that to the ASA, but the two above ports are the bare minimum.

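The router side of that answer, worked out against the OP's posted config as an added example (this is not code from the original post or from the accepted reply). The 10.30.0.0/30 link addressing for Gi0/0/1 and the ASA outside address 10.30.0.2 are assumptions; x.x.x.170 is the masked WAN address from the OP's own config, and list 110 is the inbound ACL already applied on Gi0/0/0.

```cisco
! Added example, not from the original thread.
! Assumed: Gi0/0/1 is 10.30.0.1/30 on the router, 10.30.0.2 on the ASA outside interface.
!
interface GigabitEthernet0/0/1
 description ASA outside (EasyVPN server)
 ip address 10.30.0.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 negotiation auto
 ip virtual-reassembly
!
! A single public IP can map UDP/500 to only one inside host, so the existing
! pfSense mappings for UDP/500 and ESP must be removed before the ASA can take 500.
! (The ESP mapping is not needed for the ASA either: with NAT-T the ESP payload
! travels inside UDP/4500.)
no ip nat inside source static udp 10.20.0.2 500 interface GigabitEthernet0/0/0 500
no ip nat inside source static esp 10.20.0.2 interface GigabitEthernet0/0/0
!
! The two ports the answer names: IKE (UDP/500) and NAT-T (UDP/4500), both to the ASA.
ip nat inside source static udp 10.30.0.2 500 interface GigabitEthernet0/0/0 500
ip nat inside source static udp 10.30.0.2 4500 interface GigabitEthernet0/0/0 4500
!
! List 110 is applied inbound on Gi0/0/0 and is checked before the outside->inside
! NAT translation, so it must permit the public address, not 10.30.0.2.
! IOS keywords: isakmp = 500, non500-isakmp = 4500.
access-list 110 permit udp any host x.x.x.170 eq isakmp
access-list 110 permit udp any host x.x.x.170 eq non500-isakmp
```

Two things to check after applying this. Numbered ACL entries are appended at the end, so if list 110 already ends in an explicit deny, add the two permits with sequence numbers under `ip access-list extended 110` so they land above the deny. Then bring up a client and confirm the router is building the expected translations with `show ip nat translations | include 500`; you should see entries for both 500 and 4500 toward 10.30.0.2, and no ESP entries at all, since the client switches to UDP/4500 encapsulation as soon as it detects the NAT. NAT-T also has to be enabled on the ASA side for that switch to happen.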

2 Replies


Thanks so much Karsten, I'll give it a shot and let you know how it goes.