Cisco ASA - Initiate a VPN from a cisco router on the local LAN behind ASA?

We currently have an ASA with site-to-site VPN and AnyConnect VPN being utilized. We received a third-party Cisco router which will be used to initiate their own site-to-site VPN from inside our local LAN to their LAN through our ASA.

1. What we would like to know is whether the ports listed below would interfere with the ports used for site-to-site VPN and AnyConnect VPN.

2. Would NAT Traversal be required on our ASA? 5540(config)#crypto isakmp nat-traversal


SSH
  - allow access from xxxxx on TCP port 22

ICMP
  - allow access from xxxxx - protocol 1

ISAKMP
  - allow access to xxxxx on UDP port 500, also add UDP 4500 for NAT-T

ESP
  - allow access to/from xxxxx - protocol 50

Certificate port:
  - allow access to/from xxxxx on TCP port 8080

NTP port:
  - allow access to/from xxxxx on UDP port 123
1 Solution

Ernie Beek Commented:
1. You would need a dedicated public IP (1:1 static NAT) for the router to let ESP through (and ISAKMP) to that router.
2. From the top of my head: NAT-T would be required if the ASA itself was setting a VPN up through a NAT device. So it shouldn't be necessary in this case.
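As an added example (not part of the original thread, and not the asker's or Ernie Beek's configuration), here is what the 1:1 static NAT from the accepted answer, together with the inbound permit rules from the question, looks like in ASA 8.3+ syntax. All addresses and object names are assumptions drawn from the RFC 5737 documentation ranges: 10.1.1.10 for the inside router, 203.0.113.10 for its dedicated public IP, and 198.51.100.20 for the third party's remote peer. The ASA's own IKE (UDP 500/4500) and AnyConnect (TCP/UDP 443) listeners sit on the outside interface address, a different public IP, so none of the ports in the list collide with them once the router has its own mapping.

```cisco
! Added example, not from the thread. Addresses and object names are
! assumptions (RFC 5737 documentation ranges); replace with your own.
!
! 1:1 static NAT: give the third-party router its own public IP so ESP and
! ISAKMP sent to that IP reach the router rather than the ASA's own VPN
! listeners on the outside interface address.
object network RTR-INSIDE
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
!
! The remote peer the third party will connect from.
object network PEER-REMOTE
 host 198.51.100.20
!
! Inbound rules on the outside interface. ASA 8.3+ ACLs reference the
! real (untranslated) inside address, hence "object RTR-INSIDE".
access-list OUTSIDE-IN extended permit udp object PEER-REMOTE object RTR-INSIDE eq isakmp
access-list OUTSIDE-IN extended permit udp object PEER-REMOTE object RTR-INSIDE eq 4500
access-list OUTSIDE-IN extended permit esp object PEER-REMOTE object RTR-INSIDE
access-list OUTSIDE-IN extended permit tcp object PEER-REMOTE object RTR-INSIDE eq ssh
access-list OUTSIDE-IN extended permit icmp object PEER-REMOTE object RTR-INSIDE echo
access-list OUTSIDE-IN extended permit tcp object PEER-REMOTE object RTR-INSIDE eq 8080
access-list OUTSIDE-IN extended permit udp object PEER-REMOTE object RTR-INSIDE eq ntp
access-group OUTSIDE-IN in interface outside
!
! Verify the translation and the path before handing the public IP to the
! third party; the trace should show the static NAT and end with "Action: allow".
! show nat
! packet-tracer input outside udp 198.51.100.20 500 203.0.113.10 500
```

Only the inbound side needs explicit rules: traffic the router initiates outbound is allowed by the inside interface's higher security level, and replies are handled by the ASA's stateful inspection. The UDP 4500 rule matters even though the ASA's own `crypto isakmp nat-traversal` setting plays no part here: the router will notice from its peer's IKE NAT-detection payloads that its address was translated (10.1.1.10 versus 203.0.113.10) and move the exchange to UDP 4500 itself, in which case ESP arrives UDP-encapsulated rather than as protocol 50.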

First Last (Author) Commented:
Thanks - That is what I've been reading too. I had the third-party company take their router back. Instead they are going to do a site-to-site VPN with us! Thankfully this is VERY simple because they are using Cisco ASAs too!