You need to allow UDP port 500 for ISAKMP traffic and IP ports 50 and 51 for ESP/AH traffic.
I know that this is an ongoing discussion point between the parallel and serial supporters, but in my opinion, I would place the VPN concentrator in parallel with the firewall. The only traffic you allow on the concentrator is IPSec and ISAKMP, which will be allowed by the firewall anyway.
I can see why having the parallel model makes sense. How about placing the PIX on the private interface as an extra layer of security once the VPN tunnel is established? Would this be overkill or a more secure solution?
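The rule set described in the first reply (ISAKMP on UDP/500, ESP and AH through to the concentrator) and the second reply's point that the concentrator should see nothing but IPsec and ISAKMP, as an added example that is not part of the original thread. It is a first-match model of the outside-in policy, with a check that distinguishes the correct rules from the common mistake of entering 50 and 51 as port numbers: ESP and AH are IP protocol numbers, not TCP/UDP ports, so a port-based rule never matches them even though IKE still negotiates. UDP/4500 is included as a caveat for NAT-Traversal, which is needed whenever a NAT device sits between the peers. The concentrator address (192.0.2.10) and the ACL name (OUTSIDE_IN) are assumptions, and the rendered lines follow PIX/ASA extended-ACL syntax rather than any device's actual configuration.

```python
# Added example (not from the original thread): a first-match model of the
# firewall rules that let IPsec reach a VPN concentrator placed in parallel
# with the firewall, plus a check that catches the classic mistake of writing
# ESP/AH as "ports" instead of IP protocol numbers.
from dataclasses import dataclass
from typing import Dict, List, Optional

# IANA IP protocol numbers. ESP and AH are protocols, so they carry no port.
PROTO_ANY, PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 0, 6, 17, 50, 51
PROTO_NAMES = {PROTO_ANY: "ip", PROTO_TCP: "tcp", PROTO_UDP: "udp",
               PROTO_ESP: "esp", PROTO_AH: "ah"}

CONCENTRATOR = "192.0.2.10"   # assumed concentrator address (documentation range)


@dataclass(frozen=True)
class Packet:
    proto: int
    dst: str
    dport: Optional[int] = None   # only TCP/UDP packets have a destination port


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: int                    # PROTO_ANY matches every protocol
    dst: str                      # host address or "any"
    dport: Optional[int] = None   # None = no port condition


# Correct rule set: IKE/ISAKMP on UDP/500, UDP/4500 for NAT-Traversal (needed
# when a NAT device sits between the peers), ESP and AH by protocol number.
IPSEC_RULES: List[Rule] = [
    Rule("permit", PROTO_UDP, CONCENTRATOR, 500),
    Rule("permit", PROTO_UDP, CONCENTRATOR, 4500),
    Rule("permit", PROTO_ESP, CONCENTRATOR),
    Rule("permit", PROTO_AH, CONCENTRATOR),
]

# Misconfiguration: "50 and 51" entered as UDP/TCP port numbers. IKE still
# works, so the tunnel appears to negotiate, but no ESP/AH packet ever matches.
WRONG_RULES: List[Rule] = [
    Rule("permit", PROTO_UDP, CONCENTRATOR, 500),
    Rule("permit", PROTO_UDP, CONCENTRATOR, 50),
    Rule("permit", PROTO_UDP, CONCENTRATOR, 51),
    Rule("permit", PROTO_TCP, CONCENTRATOR, 50),
    Rule("permit", PROTO_TCP, CONCENTRATOR, 51),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != PROTO_ANY and rule.proto != pkt.proto:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; an unmatched packet hits the implicit deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def check_ipsec_passes(rules: List[Rule]) -> Dict[str, bool]:
    """Probe each IPsec component the way a packet from a remote peer would."""
    probes = {
        "ike": Packet(PROTO_UDP, CONCENTRATOR, 500),
        "ike_natt": Packet(PROTO_UDP, CONCENTRATOR, 4500),
        "esp": Packet(PROTO_ESP, CONCENTRATOR),
        "ah": Packet(PROTO_AH, CONCENTRATOR),
    }
    return {name: evaluate(rules, pkt) == "permit" for name, pkt in probes.items()}


def render_asa_acl(rules: List[Rule], name: str = "OUTSIDE_IN") -> List[str]:
    """Render the rules as PIX/ASA extended ACL lines; the implicit deny stays
    implicit. The ACL name is an assumption."""
    lines = []
    for rule in rules:
        line = f"access-list {name} extended {rule.action} {PROTO_NAMES[rule.proto]} any"
        line += " any" if rule.dst == "any" else f" host {rule.dst}"
        if rule.dport is not None:
            line += f" eq {rule.dport}"
        lines.append(line)
    return lines


if __name__ == "__main__":
    for label, rules in (("correct", IPSEC_RULES), ("ports-50-51", WRONG_RULES)):
        print(label, check_ipsec_passes(rules))
    print("\n".join(render_asa_acl(IPSEC_RULES)))
```

Running the block shows that the port-based rule set passes IKE but drops ESP and AH, which is exactly the symptom (phase 1 and 2 complete, no traffic flows) that a "ports 50 and 51" entry produces on a real firewall; in the parallel design the concentrator's own policy should reduce to the four `permit` lines rendered here plus the implicit deny.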