The general idea is to provision your interface ACLs to accommodate the VPN Client-to-VPN Server tunnel negotiation, and the resulting tunnel traffic.
If your VPN Client resides behind a NAT firewall, you will configure your VPN Client software to do NAT discovery, and ultimately encapsulate the IPSec tunnel within UDP or TCP (depending on server capabilities, and your personal preferences) to overcome the presence of NAT.
Your client-side router interface will need to accommodate outbound ISAKMP (UDP port 500) to do the discovery, and UDP port 4500 (keyword: non500-isakmp) if you elect to go with UDP encapsulation of IPSec. Likewise, permit the appropriate TCP port if you go with TCP encapsulation of IPSec.
Your external router interface should accommodate these same protocols inbound (return traffic).
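The rules described above, written out as an added Cisco IOS extended ACL example that is not part of the original post. The client LAN 192.0.2.0/24, the router's outside address 203.0.113.5 and the VPN server 198.51.100.1 are constructed placeholders, and the IPsec-over-TCP port 10000 is an assumption that must be replaced with whatever port the VPN server is actually configured for.

```cisco
! Client-side router, inside interface: let the VPN client reach the server
! for negotiation (UDP 500), NAT-T encapsulated IPsec (UDP 4500), or
! TCP-encapsulated IPsec. Addresses are constructed placeholders.
ip access-list extended VPN-CLIENT-OUT
 remark ISAKMP / IKE negotiation and NAT discovery
 permit udp 192.0.2.0 0.0.0.255 host 198.51.100.1 eq isakmp
 remark IPsec inside UDP 4500 once NAT-T is negotiated
 permit udp 192.0.2.0 0.0.0.255 host 198.51.100.1 eq non500-isakmp
 remark IPsec over TCP; port 10000 is assumed, use the server's configured port
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.1 eq 10000
 remark Native ESP is only needed when no UDP/TCP encapsulation is in use
 permit esp 192.0.2.0 0.0.0.255 host 198.51.100.1
 remark Other permitted LAN traffic goes here; an implicit deny ends the list
!
! Outside interface, inbound: the same protocols as return traffic from the
! server. The inbound ACL is evaluated before NAT un-translates, so the
! destination is the router's public address, and the destination port is
! left open because PAT may have rewritten the client's source port.
ip access-list extended VPN-CLIENT-IN
 permit udp host 198.51.100.1 eq isakmp host 203.0.113.5
 permit udp host 198.51.100.1 eq non500-isakmp host 203.0.113.5
 permit tcp host 198.51.100.1 eq 10000 host 203.0.113.5 established
 permit esp host 198.51.100.1 host 203.0.113.5
 remark Log what the implicit deny would silently drop, useful when troubleshooting
 deny ip any any log
!
interface GigabitEthernet0/1
 description Inside LAN
 ip access-group VPN-CLIENT-OUT in
!
interface GigabitEthernet0/0
 description Outside / Internet
 ip access-group VPN-CLIENT-IN in
```

Verify the result with `show ip access-lists` after a client connects: the isakmp counter increments during negotiation, and only the non500-isakmp (or TCP) counter should grow afterwards if encapsulation was negotiated.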