01-05-2009 01:05 PM - edited 02-21-2020 03:11 AM
Hello,
I have a site to site vpn between two Cisco 2811 routers passing through a PIX 515 on the core side and an ASA5510 on the remote side.
Although I have ports ESP and ISAKMP open the tunnel also requires udp port 4500.
Is that normal? If not any ideas how it can be fixed? Thanks.
01-05-2009 02:16 PM
On the Cisco 2811, do this:
no crypto ipsec nat udp
That will force the VPN tunnel to use ESP
instead of udp/4500
Easy right?
01-06-2009 06:36 AM
Painfully easy. :) I'll use it after hours and post an update.
I guess the full syntax is "no crypto ipsec nat-transparency udp-encapsulation."
Thanks very much.
01-13-2009 12:08 PM
Issue resolved. Thanks again.
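As an added illustration of the accepted fix (this is not configuration from the thread or from Cisco; peer addresses, names, key placeholder and subnets are constructed), here is a minimal IOS site-to-site crypto config on the core 2811 with NAT traversal switched off, followed by the ASA-syntax rules the PIX 515 / ASA 5510 in the path must permit between the two router peers once udp/4500 is no longer negotiated. The platform-era algorithm choices (AES-256, SHA-1 HMAC, DH group 14) are assumptions about a 12.4-class image, not something the thread specifies.

```cisco
! --- Core 2811 (hypothetical config, constructed for this example) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 203.0.113.2
!
! Full form of the command from the accepted answer: with NAT-T disabled the
! router will not offer UDP encapsulation, so IPsec rides ESP (IP protocol 50)
! and IKE stays on udp/500; udp/4500 is never used.
no crypto ipsec nat-transparency udp-encapsulation
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode tunnel
crypto map CM-S2S 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES
 match address ACL-S2S
!
ip access-list extended ACL-S2S
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
interface FastEthernet0/0
 ip address 198.51.100.2 255.255.255.0
 crypto map CM-S2S

! --- PIX 515 / ASA 5510 in the path (ASA syntax, constructed example) ---
! Only IKE on udp/500 and ESP need to pass between the two router peers.
! A permit for udp/4500 is required only while NAT-T remains enabled on
! either router.
access-list OUTSIDE_IN extended permit udp host 203.0.113.2 host 198.51.100.2 eq isakmp
access-list OUTSIDE_IN extended permit esp host 203.0.113.2 host 198.51.100.2
access-group OUTSIDE_IN in interface outside
```

To confirm the change took effect, check `show crypto ipsec sa` on the router: an SA that is still using NAT-T reports `in use settings ={Tunnel UDP-Encaps, }`, while one running plain ESP reports `in use settings ={Tunnel, }`. The caveat is the point made later in this thread: udp/4500 is negotiated because a peer appears to be behind NAT, and ESP carries no port numbers, so disabling NAT-T is only appropriate when neither router's address is actually translated by the firewalls in between; if one is, leave udp-encapsulation on and permit udp/4500 instead.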
06-08-2022 01:03 AM
What if I need the opposite? I have some tunnels up on 4500 but one on port 500 down unidirectionally. I know it would work on port 4500 but don't know how to push it to use it. Any ideas?
06-08-2022 01:18 AM
@tommar if a VPN is established on udp/4500 then a VPN peer is behind NAT. If you have a tunnel established using udp/500, then neither peer is behind NAT.
If you've a problem with one tunnel, then ESP could be blocked - or you've got mismatched phase 1/2 settings.