Site-Site IOS behind NAT through ASA

Jun 11th, 2008

I am trying to get isakmp/ipsec to work between two Cisco routers. One router has a static public IP, the other router is on a 1-1 NAT behind an ASA5510. The 5510 is using standard Fe0/0 for outside and Fe1/0 inside.

I have allowed all of the needed ports through the ASA5510 to the router, but I still cannot get phase 1 to complete.

We are still using ISAKMP on the 5510 also for some VPNs that are being phased out, and when I debug the 5510 I see it sending data to my remote site.

How can I make it so my port-forwarded traffic is not "picked up" by ISAKMP on the ASA? Is my only option to use another interface that does NOT run ISAKMP on it?

I think the problem is that I have sysopt permit-ipsec enabled on the device, which kills the port-forwarded ACLs. Can I enable sysopt selectively? Perhaps on an interface basis?

+RemoteRouter+ -------ASA5510----+NATD Router+

Farrukh Haroon Thu, 06/12/2008 - 05:22

Your problem has nothing to do with sysopt. sysopt is for VPN tunnels terminated on the firewall itself; it has no role in transit traffic. Make sure you are allowing both UDP 500 and 4500 in your ASA outside ACL. If possible, post your ACLs and NAT configs (on the ASA) over here.
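As an added example (not posted in this thread), here is the ASA configuration the reply above describes, in pre-8.3 syntax as used in 2008: a one-to-one static translation for the inside router and an outside ACL that admits only ISAKMP (UDP 500) and NAT-T (UDP 4500) from the known remote peer. The addresses, interface names and ACL name are assumed for illustration.

```cisco
! Assumed addresses (constructed for this example, not from the thread):
!   inside router   192.168.10.2   -> public 203.0.113.10 (dedicated 1-to-1 NAT address)
!   remote router   198.51.100.20  (static public IP)
!
! One-to-one static translation for the NATed router (pre-8.3 syntax).
! A dedicated public address matters: if the translation used the ASA's own
! outside interface address while ISAKMP is enabled there, the ASA's own IKE
! process would receive UDP 500 instead of forwarding it to the router.
static (inside,outside) 203.0.113.10 192.168.10.2 netmask 255.255.255.255
!
! Outside ACL (pre-8.3 ACLs match the translated/public address).
! UDP 500  = ISAKMP phase 1
! UDP 4500 = NAT-T: IKE and ESP-in-UDP once the peers detect the NAT
access-list outside_in extended permit udp host 198.51.100.20 host 203.0.113.10 eq isakmp
access-list outside_in extended permit udp host 198.51.100.20 host 203.0.113.10 eq 4500
! Only needed if the peers end up using raw ESP rather than NAT-T encapsulation:
! access-list outside_in extended permit esp host 198.51.100.20 host 203.0.113.10
access-group outside_in in interface outside
!
! "sysopt connection permit-vpn" only bypasses interface ACLs for tunnels the ASA
! itself terminates; it has no effect on this transit traffic, so it can stay as is.
```

Restricting the source to the remote peer's address keeps the forwarded IKE ports from being reachable by anyone else on the Internet while the ASA's own ISAKMP listener remains in use.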
