
NAT-T for IPsec tunnels between an ASA and clients.

albert_coll
Level 1

Hello,

I have to replace a VPN3000 platform, which is using a global IP address to terminate multiple IPsec tunnels to remote Internet stations using Cisco VPN clients, with a new ASA5500 IPsec VPN.

The problem is that as part of this upgrade, the new ASA5500 must be assigned private IP addresses (RFC1918), which means that there will be a device doing NAT somewhere in between.

According to the documentation, it is possible to establish IPsec peers through the NAT device by enabling NAT-T in the ASA. Am I right? Should I observe any additional precaution?

Kind regards.

Albert.

1 Reply

Ivan Martinon
Level 7

That would be the only thing you need on your ASA; however, make sure that you have the needed ports opened on the NATing device: UDP 500, 4500 and the ESP protocol.
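
Added example, not part of the thread or of either poster's words: a Python check for a capture taken at the NAT device, separating the traffic the reply lists (UDP 500, UDP 4500, ESP) by the RFC 3948 framing used on port 4500. The tuple layout, function names and sample packets are constructed for illustration.

```python
import struct
from collections import Counter

ESP_PROTO, UDP_PROTO = 50, 17      # IP protocol numbers
IKE_PORT, NATT_PORT = 500, 4500    # ports named in the reply

def classify(proto, sport=0, dport=0, payload=b""):
    """Label one packet from its IP protocol, UDP ports and UDP payload."""
    if proto == ESP_PROTO:
        return "native-esp"        # IP protocol 50, no UDP wrapper
    if proto != UDP_PROTO:
        return "other"
    if IKE_PORT in (sport, dport):
        return "ike-500"           # start of the IKE negotiation
    if NATT_PORT not in (sport, dport):
        return "other"
    if payload == b"\xff":
        return "natt-keepalive"    # one-byte NAT keepalive (RFC 3948)
    if payload[:4] == b"\x00" * 4:
        return "ike-4500"          # non-ESP marker precedes IKE on 4500
    if len(payload) >= 8:
        return "esp-in-udp"        # non-zero SPI followed by sequence number
    return "malformed"

def verdict(packets):
    """Summarise a capture: return (verdict string, Counter of labels)."""
    seen = Counter(classify(*p) for p in packets)
    if seen["esp-in-udp"]:
        return "nat-t active", seen
    if seen["native-esp"]:
        return "native esp, no nat-t", seen
    if seen["ike-500"] or seen["ike-4500"]:
        return "ike only, check udp 4500 / esp on the nat device", seen
    return "no vpn traffic", seen

# Constructed sample: (ip_proto, src_port, dst_port, udp_payload)
SAMPLE = [
    (17, 53211, 500, b"\x11" * 28),                        # IKE on UDP 500
    (17, 53212, 4500, b"\x00" * 4 + b"\x11" * 28),         # IKE floated to 4500
    (17, 53212, 4500, struct.pack("!II", 0x12345678, 1) + b"\xaa" * 32),
    (17, 53212, 4500, b"\xff"),                            # keepalive
]

if __name__ == "__main__":
    result, counts = verdict(SAMPLE)
    print(result, dict(counts))
```

A capture that shows only the IKE labels and no ESP of either kind indicates the negotiation is getting through the NAT device while the data path is not.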