01-30-2017 10:37 PM
Hello community. I have an issue that I have been reading several blogs and posts about, but have not been able to solve. It involves trying to find a solution for using an ASA behind a firewall on the spare Gigabit interface. Currently, we have PF Sense as the firewall on Gi 0/0/2 (Gi 0/0/1 is free). My desire is to use the ASA on this spare interface as a VPN Server. I have an R&S background, but not heavy on security. I have not configured the ASA interface, but the current set-up is as follows (pertinent sections):
interface GigabitEthernet0/0/0
description WAN side
ip address x.x.x.170 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip verify unicast reverse-path
ip access-group 110 in
load-interval 30
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/0/2
description LAN Side
ip address 10.20.0.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
negotiation auto
ip virtual-reassembly
!
!----The below NAT statements were to try to enable PF Sense to act as a server, but no success------!
!
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip nat inside source static udp 10.20.0.2 51 interface GigabitEthernet0/0/0 51
ip nat inside source static udp 10.20.0.2 500 interface GigabitEthernet0/0/0 500
ip nat inside source static esp 10.20.0.2 interface GigabitEthernet0/0/0
ip nat inside source static tcp 10.20.0.2 22 103.46.208.170 1194 extendable
!
!
I am really wondering what static NAT settings are required along with other router configurations if I enabled EasyVPN on the other end of Gi0/0/1. Any assistance would be greatly appreciated and I'm open to any suggestions / required changes. If you need any more information, please just let me know.
01-30-2017 11:06 PM
For EasyVPN to work you only have to forward (and allow) UDP/500 (ISAKMP/IKE) and UDP/4500 (NAT-T; encapsulation when NAT is detected). That is all the traffic that your router will "see". If you have a spare public IP you can also map that to the ASA, but the two above
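As an added example of the NAT and ACL lines the answer describes (not the answerer's own config), assuming the ASA's outside interface sits at 10.30.0.2 on a made-up /30 behind Gi0/0/1, which the question left unconfigured. Only UDP/500 and UDP/4500 are mapped; the existing ESP and "udp 51" entries are not needed because NAT-T carries the tunnel traffic inside UDP/4500.

```cisco
! Assumed addressing for the spare interface facing the ASA (hypothetical)
interface GigabitEthernet0/0/1
 description ASA side (EasyVPN server)
 ip address 10.30.0.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 negotiation auto
!
! Forward IKE (UDP/500) and NAT-T (UDP/4500) from the WAN address to the ASA.
! Caveat: the existing "ip nat inside source static udp 10.20.0.2 500 ..."
! for PF Sense claims the same outside port; a public IP can hand UDP/500
! to only one inside host, so either remove that line or, as the answer
! notes, map the ASA to a spare public IP instead of the interface address.
ip nat inside source static udp 10.30.0.2 500 interface GigabitEthernet0/0/0 500
ip nat inside source static udp 10.30.0.2 4500 interface GigabitEthernet0/0/0 4500
!
! ACL 110 is applied inbound on Gi0/0/0, so it must also permit the two
! ports to the WAN address (x.x.x.170 is the placeholder from the question).
! "isakmp" is port 500 and "non500-isakmp" is port 4500.
access-list 110 permit udp any host x.x.x.170 eq isakmp
access-list 110 permit udp any host x.x.x.170 eq non500-isakmp
```

After applying this, "show ip nat translations" and "show access-list 110" let you confirm the mappings are used and the ACL counters increment when a client connects.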
01-31-2017 01:40 AM
Thanks so much Karsten, I'll give it a shot and let you know how it goes.