Cisco ASA - Initiate a VPN from a cisco router on the local LAN behind ASA?

Posted on 2012-09-17
Last Modified: 2012-09-18
We currently have an ASA with site to site VPN and AnyConnect VPN being utilized. We received a third-party Cisco router which will be used to initiate their own site to site VPN from inside our local LAN to their LAN through our ASA.

1. What we would like to know is if the following ports listed below would interfere with ports for site to site VPN and AnyConnect VPN?

2. Would NAT Traversal be required on our ASA? 5540(config)#crypto isakmp nat-traversal

- allow access from xxxxx on TCP Port 22
- allow access from xxxxx - protocol 1
- allow access to xxxxx on UDP Port 500, also add UDP 4500 for NAT-T
- allow access to/from xxxxx - protocol 50

Certificate port:
- allow access to/from xxxxx on TCP port 8080

NTP port:
- allow access to/from xxxxx on UDP port 123
Question by: First Last

    Accepted Solution

    1. You would need a dedicated public ip (1:1 static NAT) for the router to let ESP through (and ISAKMP) to that router.
    2. From the top of my head: NAT-T would be required if the ASA itself was setting a VPN up through a NAT device. So it shouldn't be necessary in this case.
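As an added illustration of the accepted answer (this is not configuration from the original thread), below is an ASA configuration in 8.3-or-later syntax for the dedicated 1:1 static NAT plus the inbound rules matching the port list in the question. All addresses, object names and the ACL name are constructed placeholders (RFC 5737 documentation ranges), and the interface names "inside"/"outside" are assumed.

```cisco
! Added example, ASA 8.3+ syntax assumed. All addresses and names are constructed placeholders.
! 192.168.10.20 = third-party router on the inside LAN (constructed)
! 203.0.113.20  = spare public IP mapped 1:1 to that router (constructed). It must NOT be
!                 the ASA outside interface IP, so the ASA's own site-to-site/AnyConnect
!                 listeners on UDP 500/4500 on that interface are never in the path.
! 198.51.100.10 = the third party's remote VPN peer / management host (constructed)

! 1:1 static NAT: ESP (IP protocol 50) carries no ports, so it cannot be PATed and
! needs a dedicated mapped address. The router's own ISAKMP/ESP leaves the ASA
! sourced from 203.0.113.20, which is the peer address the far side configures.
object network PARTNER_ROUTER_INSIDE
 host 192.168.10.20
 nat (inside,outside) static 203.0.113.20

object network PARTNER_PEER
 host 198.51.100.10

! Inbound rules on the outside interface. From 8.3 on, ACLs reference the REAL
! (inside) address of the router, not the mapped public one.
! IKE / NAT-T between the two routers
access-list OUTSIDE_IN extended permit udp object PARTNER_PEER object PARTNER_ROUTER_INSIDE eq 500
access-list OUTSIDE_IN extended permit udp object PARTNER_PEER object PARTNER_ROUTER_INSIDE eq 4500
! IPsec ESP, IP protocol 50
access-list OUTSIDE_IN extended permit esp object PARTNER_PEER object PARTNER_ROUTER_INSIDE
! Third-party management and support traffic from the question's list
access-list OUTSIDE_IN extended permit tcp object PARTNER_PEER object PARTNER_ROUTER_INSIDE eq 22
access-list OUTSIDE_IN extended permit icmp object PARTNER_PEER object PARTNER_ROUTER_INSIDE
access-list OUTSIDE_IN extended permit tcp object PARTNER_PEER object PARTNER_ROUTER_INSIDE eq 8080
access-list OUTSIDE_IN extended permit udp object PARTNER_PEER object PARTNER_ROUTER_INSIDE eq 123
access-group OUTSIDE_IN in interface outside

! No "crypto isakmp nat-traversal" change is needed on the ASA for this: that command
! governs the ASA's own tunnels. NAT-T (UDP 4500) is negotiated between the two routers.
```

Because the mapped address is separate from the ASA's outside interface address, UDP 500/4500 and ESP destined to 203.0.113.20 are forwarded to the router, while the ASA's existing site to site and AnyConnect sessions continue to terminate on the interface address unchanged.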

    Author Closing Comment

by: First Last
Thanks - That is what I've been reading too. I had the 3rd party company take their router back. Instead they are going to do a site to site VPN with us! Thankfully this is VERY simple because they are using Cisco ASAs too!
