
Site to site VPN port 4500

vpersaud001
Level 3

Hello,

I have a site-to-site VPN between two Cisco 2811 routers, passing through a PIX 515 on the core side and an ASA 5510 on the remote side.

Although I have ESP and ISAKMP open, the tunnel also requires UDP port 4500.

Is that normal? If not, any ideas how it can be fixed? Thanks.

Accepted Solution

cisco24x7
Level 6

On the Cisco 2811, do this:

no crypto ipsec nat udp

That will force the VPN tunnel to use ESP instead of udp/4500.

Easy right?

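The accepted answer turns off NAT-Traversal UDP encapsulation so the tunnel carries raw ESP instead of udp/4500. The following is an added example (not code from the original post, the poster, or Cisco) that classifies the three kinds of traffic a site-to-site IPsec tunnel actually puts on the wire and derives the firewall permits each variant needs. It assumes standard IKE/ISAKMP on udp/500, ESP as IP protocol 50 (not a port), and NAT-T framing as in RFC 3948, where a four-byte zero "non-ESP marker" distinguishes IKE from UDP-encapsulated ESP on udp/4500. All packets below are constructed inline; none were captured from the poster's network.

```python
"""Classify what a site-to-site IPsec tunnel actually puts on the wire.

Added example for this thread, not code from the original post or from Cisco.
Three kinds of traffic matter to the firewalls in the path:
  - IKE/ISAKMP on udp/500          (phase 1 / phase 2 negotiation)
  - ESP, IP protocol 50            (the encrypted tunnel; no port at all)
  - NAT-Traversal on udp/4500      (IKE *and* ESP wrapped in UDP, RFC 3948)
The packets below are constructed for illustration.
"""
import struct

IP_PROTO_UDP = 17
IP_PROTO_ESP = 50
PORT_ISAKMP = 500
PORT_NAT_T = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 2.2: marks IKE carried on udp/4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948 2.3: one-byte NAT keepalive


def classify(proto: int, sport: int, dport: int, payload: bytes) -> str:
    """Label one packet given its IP protocol, UDP ports and UDP payload."""
    if proto == IP_PROTO_ESP:
        return "esp"                      # raw ESP: SPI in the first 4 bytes, never zero
    if proto != IP_PROTO_UDP:
        return "other"
    if PORT_ISAKMP in (sport, dport):
        return "ike/udp500"
    if PORT_NAT_T in (sport, dport):
        if payload == NAT_KEEPALIVE:
            return "natt-keepalive"
        # An ESP SPI of 0 is reserved, so four zero bytes can only be the
        # non-ESP marker that prefixes IKE when it is carried on udp/4500.
        if payload[:4] == NON_ESP_MARKER:
            return "ike/udp4500"
        return "esp-in-udp/udp4500"
    return "other"


def rules_needed(packets) -> set:
    """Firewall permits a tunnel needs, derived from the traffic it generates."""
    needed = set()
    for proto, sport, dport, payload in packets:
        kind = classify(proto, sport, dport, payload)
        if kind == "esp":
            needed.add("permit ip protocol 50 (esp)")
        elif kind == "ike/udp500":
            needed.add("permit udp/500 (isakmp)")
        elif kind.endswith("udp4500") or kind == "natt-keepalive":
            needed.add("permit udp/4500 (nat-t)")
    return needed


def ike_header(initiator_spi: bytes, responder_spi: bytes) -> bytes:
    """Minimal 28-byte ISAKMP header: SPIs, next payload, version 1.0,
    exchange type, flags, message id, total length."""
    return initiator_spi + responder_spi + struct.pack("!BBBBII", 1, 0x10, 2, 0, 0, 28)


def esp_header(spi: int, seq: int) -> bytes:
    """ESP header: SPI followed by sequence number."""
    return struct.pack("!II", spi, seq)


# Constructed sample flows (hypothetical cookies and SPI, not from a capture).
COOKIE_I = b"\x11" * 8
COOKIE_R = b"\x22" * 8

# Tunnel A: NAT-T negotiated, so after phase 1 everything floats to udp/4500.
NAT_T_TUNNEL = [
    (IP_PROTO_UDP, 500, 500, ike_header(COOKIE_I, COOKIE_R)),
    (IP_PROTO_UDP, 4500, 4500, NON_ESP_MARKER + ike_header(COOKIE_I, COOKIE_R)),
    (IP_PROTO_UDP, 4500, 4500, esp_header(0x1000ABCD, 1)),
    (IP_PROTO_UDP, 4500, 4500, NAT_KEEPALIVE),
]

# Tunnel B: NAT-T encapsulation off (the accepted answer's setting): IKE stays
# on udp/500 and the data path is raw ESP.
PLAIN_ESP_TUNNEL = [
    (IP_PROTO_UDP, 500, 500, ike_header(COOKIE_I, COOKIE_R)),
    (IP_PROTO_ESP, 0, 0, esp_header(0x1000ABCD, 1)),
]

if __name__ == "__main__":
    for name, flow in (("NAT-T", NAT_T_TUNNEL), ("plain ESP", PLAIN_ESP_TUNNEL)):
        print(name, sorted(rules_needed(flow)))
```

The point for the firewall administrator is visible in the two sets: with NAT-T the PIX and ASA never see protocol 50 at all and need udp/4500 instead, while with encapsulation disabled they need protocol 50 and udp/500 only. The classifier can be run over a decoded capture to confirm which of the two a given tunnel is actually using.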

5 Replies


Painfully easy. :) I'll use it after hours and post an update.

I guess the full syntax is "no crypto ipsec nat-transparency udp-encapsulation."

Thanks very much.

Issue resolved. Thanks again.

What if I need the opposite? I have some tunnels up on 4500, but one on port 500 is down unidirectionally. I know it would work on port 4500 but don't know how to push it to use it. Any ideas?

@tommar, if a VPN is established on udp/4500, then a VPN peer is behind NAT. If you have a tunnel established using udp/500, then neither peer is behind NAT.

If you have a problem with one tunnel, then ESP could be blocked, or you have mismatched phase 1/2 settings.
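The reply above ties udp/4500 to the presence of NAT. The following is an added example (not code from the thread, the posters, or Cisco) showing how IKEv1 peers reach that conclusion with the NAT-Discovery (NAT-D) payloads of RFC 3947: each side sends HASH(CKY-I | CKY-R | IP | Port) for the address and port it believes it is using and for the address and port it sees for its peer; the receiver recomputes the hashes from the IP and UDP headers it actually received, and any mismatch means a NAT rewrote something, so both sides float to udp/4500. SHA-1 is assumed as the negotiated hash, and the cookies and addresses are constructed.

```python
"""How IKEv1 peers decide whether NAT sits between them (RFC 3947 NAT-D payloads).

Added example for this thread, not code from the original post or from Cisco.
NAT-D = HASH(CKY-I | CKY-R | IP | Port).  The receiver recomputes the hash from
the addresses it actually observed; a mismatch means a NAT changed them.
SHA-1 is assumed as the negotiated hash; cookies and addresses are constructed.
"""
import hashlib
import ipaddress
import struct


def nat_d(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload body for one address/port, per RFC 3947 section 3.2."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + addr + struct.pack("!H", port)).digest()


def nat_detected(cky_i: bytes, cky_r: bytes, claimed, observed) -> bool:
    """claimed:  NAT-D hashes the peer sent, in order (its own addr, our addr).
    observed: (src, dst) address/port pairs taken from the packet we received.
    Any hash that does not match the observed address means a NAT is in the path."""
    for hash_sent, (ip, port) in zip(claimed, observed):
        if hash_sent != nat_d(cky_i, cky_r, ip, port):
            return True
    return False


def port_to_use(nat_present: bool) -> int:
    """With NAT detected both peers float from udp/500 to udp/4500."""
    return 4500 if nat_present else 500


# Constructed cookies for the examples below.
CKY_I = b"\x5a" * 8
CKY_R = b"\xa5" * 8
OUR_ADDR = ("192.0.2.1", 500)


def scenario_no_nat() -> bool:
    """Remote peer at 198.51.100.10 talks to us directly: hashes match."""
    remote_self = ("198.51.100.10", 500)
    claimed = [nat_d(CKY_I, CKY_R, *remote_self), nat_d(CKY_I, CKY_R, *OUR_ADDR)]
    observed = [("198.51.100.10", 500), OUR_ADDR]      # IP/UDP headers as we saw them
    return nat_detected(CKY_I, CKY_R, claimed, observed)


def scenario_remote_behind_nat() -> bool:
    """Remote peer sees itself as 10.1.1.5:500, but a NAT device rewrote the
    source to 203.0.113.7:61234 before the packet reached us: hashes differ."""
    remote_self = ("10.1.1.5", 500)
    claimed = [nat_d(CKY_I, CKY_R, *remote_self), nat_d(CKY_I, CKY_R, *OUR_ADDR)]
    observed = [("203.0.113.7", 61234), OUR_ADDR]
    return nat_detected(CKY_I, CKY_R, claimed, observed)


if __name__ == "__main__":
    for name, fn in (("direct peers", scenario_no_nat),
                     ("remote behind NAT", scenario_remote_behind_nat)):
        nat = fn()
        print(f"{name}: NAT detected={nat}, IKE/ESP port={port_to_use(nat)}")
```

This is why a tunnel that comes up on udp/500 indicates no NAT between the peers: the only way both ends stay on 500 is for every NAT-D hash to verify against the observed headers. Conversely, a tunnel seen on udp/4500 means at least one hash failed, and the firewalls in the path then need udp/4500 rather than protocol 50.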
