IPSEC VPN Client with NATed Router

Feb 25th, 2009
I have a Cisco ASA firewall that has a private IP address on the Internet-facing interface, which is connected to the router. That router has the SDSL connection and has the WAN IP address with a /29 subnet.

I have added a static NAT with one of the available public IP addresses.

For constructing site-to-site VPNs or remote-access VPNs, do I need some more NAT-related commands, like NAT traversal, IPsec over TCP, UDP encapsulation etc. on the router/firewall? If yes, then which commands are needed and where should they be implemented?

Your help will be highly appreciated.


You only need those commands when a device does not understand or support VPN pass-through - typically remote users' home ADSL modems.

If you have an ACL on the router, you just need to allow through:

IKE - UDP 500

IPSEC - Protocol 50

The rest will take care of itself.

If you enable NAT-T, this will use UDP 4500 for the IPsec UDP encapsulation.


bmcginn Wed, 02/25/2009 - 16:42

In addition to Andrew's comments, you may need a static NAT on the router to NAT a public IP to the external IP address of the ASA. It sounds like it's already in place though.
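As an added example (not configuration from either reply), this is what Andrew's three ACL entries and bmcginn's static NAT look like on a Cisco IOS router in front of the ASA; the addresses and interface names are constructed placeholders, and the inbound ACL matches on the public address because IOS evaluates an inbound interface ACL before it performs outside-to-inside NAT.

```cisco
! Constructed example values (not from the thread):
!   203.0.113.10     public /29 address assigned to the ASA (documentation range)
!   192.168.254.2    ASA outside interface, private, on the router LAN side
!   FastEthernet0/0  router WAN (SDSL) interface   - assumed name
!   FastEthernet0/1  router interface toward the ASA - assumed name
!
! 1:1 static NAT: public address <-> ASA outside interface
ip nat inside source static 192.168.254.2 203.0.113.10
!
! Inbound ACL on the WAN interface. Match the public (global) address:
! the inbound ACL is checked before the outside-to-inside translation.
ip access-list extended WAN-IN
 remark IKE (ISAKMP) - UDP 500
 permit udp any host 203.0.113.10 eq isakmp
 remark IPsec ESP - IP protocol 50
 permit esp any host 203.0.113.10
 remark NAT-T - UDP 4500, only used when NAT-T is enabled on the ASA
 permit udp any host 203.0.113.10 eq non500-isakmp
 remark keep the ACL's existing permits (e.g. return traffic) below this line
!
interface FastEthernet0/0
 description SDSL WAN
 ip nat outside
 ip access-group WAN-IN in
!
interface FastEthernet0/1
 description LAN segment toward the ASA outside interface
 ip nat inside
```

The ACL ends with IOS's implicit deny, so any entries the existing ACL already relies on must be carried over rather than replaced by these three lines.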
