
Can you create a site-to-site tunnel behind a NAT router using ASA?

Sep 27th, 2013

Hi all


We have an ADSL router with the public IP on it; behind this we have an ASA firewall.


Is it possible to create a site-to-site tunnel if I NAT the correct ports to the ASA? If so, what ports would I need to NAT: GRE / ISAKMP, UDP500, etc.?


Cheers

Karsten Iwen Fri, 09/27/2013 - 01:59

Yes, that can be done. But first you should check if you can change the DSL router to modem mode, where you have the public IP directly on the ASA. That would make things easier.

If that is not possible, then you have to forward UDP/500 and UDP/4500 to the ASA to make IPsec work. Or, for more flexibility in later changes, configure the ASA as an "exposed host" on the DSL router, to which all traffic that enters your network is forwarded.


Sent from Cisco Technical Support iPad App
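
An added example, not part of the thread: a small classifier for UDP payloads arriving on the two forwarded ports, useful for checking a capture taken on the ASA outside interface once the forward is in place. It assumes NAT traversal (RFC 3947/3948) is negotiated, which is why ESP shows up inside UDP/4500 rather than as IP protocol 50; the function names and sample packets are constructed for illustration.

```python
import struct

IKE_HDR = struct.Struct("!8s8sBBBBII")   # fixed 28-byte ISAKMP/IKE header
NON_ESP_MARKER = b"\x00" * 4             # RFC 3948: precedes IKE on UDP/4500

def ike_major(data):
    """Return the IKE major version (1 or 2), or None if not a plausible header."""
    if len(data) < IKE_HDR.size:
        return None
    _ispi, _rspi, _np, version, _exch, _flags, _msgid, length = IKE_HDR.unpack_from(data)
    major = version >> 4                 # high nibble = major version
    if major not in (1, 2) or length < IKE_HDR.size:
        return None
    return major

def classify(dst_port, payload):
    """Classify one UDP payload that reached the ASA through the port forward."""
    if dst_port == 500:
        major = ike_major(payload)
        return f"IKEv{major}" if major else "unknown"
    if dst_port == 4500:
        if payload == b"\xff":           # one-byte NAT keepalive
            return "NAT-keepalive"
        if payload[:4] == NON_ESP_MARKER:
            major = ike_major(payload[4:])
            return f"IKEv{major} (NAT-T)" if major else "unknown"
        if len(payload) >= 8:            # non-zero first word is the ESP SPI
            spi = struct.unpack_from("!I", payload)[0]
            return f"ESP-in-UDP spi=0x{spi:08x}"
    return "unknown"

def _ike(major, exch):
    """Build a constructed, header-only IKE message for the samples below."""
    return IKE_HDR.pack(b"\x11" * 8, b"\x00" * 8, 1, major << 4, exch, 0, 0, IKE_HDR.size)

# Constructed sample traffic: (destination UDP port, payload)
SAMPLES = [
    (500, _ike(1, 2)),                                        # IKE on UDP/500
    (4500, NON_ESP_MARKER + _ike(1, 2)),                      # IKE after floating to 4500
    (4500, struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16), # tunnelled data
    (4500, b"\xff"),                                          # keepalive
]

def summarize(samples):
    return [classify(port, data) for port, data in samples]

if __name__ == "__main__":
    for line in summarize(SAMPLES):
        print(line)
```

If only the UDP/500 line ever appears in a real capture, the UDP/4500 forward is the first thing to check.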

carl_townshend Fri, 09/27/2013 - 03:36

By exposed host, do you mean to do a direct NAT for everything to the ASA?

Karsten Iwen Fri, 09/27/2013 - 03:41

Yes, that's the term that is often used in smaller DSL routers.



-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
