Site-Site IOS behind NAT through ASA

Arthur Kant
Level 1

I am trying to get isakmp/ipsec to work between two Cisco routers. One router has a static public IP, the other router is on a 1-1 NAT behind an ASA5510. The 5510 is using standard Fe0/0 for outside and Fe1/0 inside.

I have allowed all of the needed ports through the ASA5510 to the router, but I still cannot get phase 1 to complete.

We are still using ISAKMP on the 5510 for some VPNs that are being phased out, and when I debug the 5510 I see it sending data to my remote site.

How can I make it so my port-forwarded traffic is not "picked up" by ISAKMP on the ASA? Is my only option to use another interface that does NOT run isakmp on it?

I think the problem is that I have sysopt permit-ipsec enabled on the device, which kills the port-forwarded ACLs. Can I enable sysopt selectively? Perhaps on an interface basis?

+RemoteRouter+ -------ASA5510----+NATD Router+

1 Reply

Farrukh Haroon
VIP Alumni

Your problem has nothing to do with sysopt; sysopt is for VPN tunnels terminated on the firewall itself and has no role in transit traffic. Make sure you are allowing both UDP 500 and 4500 in your ASA outside ACL. If possible, post your ACLs and NAT configs (on the ASA) over here.

Regards

Farrukh
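
As an added illustration of the reply's point (this is not configuration posted by either participant), here is what the 1:1 static NAT and the outside-interface ACL for transit IKE/IPsec would look like on a pre-8.3 ASA such as the 5510 of that era. Every address, the ACL name `outside_in` and the interface names are assumed placeholders: 203.0.113.10 is the public address mapped to the inside router 192.168.1.10, and 198.51.100.5 is the remote router's static public IP.

```cisco
! Added example, not from the thread. Pre-8.3 ASA syntax.
! Addresses, ACL name and interface names are assumed placeholders.
!
! 1:1 static NAT: public 203.0.113.10 <-> inside router 192.168.1.10
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
!
! Inbound ACL on the outside interface, restricted to the single remote peer
! rather than "any", so only that router can reach the IKE listener.
! UDP/500 (ISAKMP) carries phase 1; once the peers detect the NAT between them
! they switch to UDP/4500 (NAT-T), which carries both IKE and the ESP payload,
! so both ports must be permitted or phase 1 will stall or phase 2 will never pass traffic.
access-list outside_in extended permit udp host 198.51.100.5 host 203.0.113.10 eq isakmp
access-list outside_in extended permit udp host 198.51.100.5 host 203.0.113.10 eq 4500
! Plain ESP (IP protocol 50) is only needed if NAT-T is disabled on the routers.
access-list outside_in extended permit esp host 198.51.100.5 host 203.0.113.10
access-group outside_in in interface outside
!
! No sysopt command is involved: "sysopt connection permit-vpn" only bypasses the
! interface ACL for tunnels terminating on the ASA itself, not for transit traffic.
```

To confirm the ASA is forwarding rather than consuming the IKE packets, `packet-tracer input outside udp 198.51.100.5 500 203.0.113.10 500` should show the flow matching the static translation and the `outside_in` ACL, and `show access-list outside_in` should show the hit counts on the UDP 500 and 4500 lines climbing while the remote router retransmits its phase 1 proposals.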