Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA VPN behind 2911 Router

So far my network is setup as follows:

ISP -> Router 2911 (four VLANs) -> Switch 2960, there has been an ASA 5510 sitting around for sometime now the end goal for the ASA setup is to have it setup as a site-to-site VPN as well as a remote access VPN. What I am trying to determine is how I would I place the ASA behind the router. Right now I have it setup and plugged into the Swith, so would I NAT the private IP of the ASA to one of my public IPs?

Also, does anyone know where I can find a good guide on configuring VPN to authenicate against AD without using ADSM?

  • VPN
Cisco Employee

ASA VPN behind 2911 Router

Hi Brandon ,

you have to statically NAT the ASA translating the private ip address to a public one as it should be accessable from outside , on the router you should have the following port opened for the inbound access-list :


UDP 4500 NAT Traversal

ESP 50

now regarding the LDAP example , please see the following :

part of the above example are to configure it via CLI,


New Member

ASA VPN behind 2911 Router

Hi Mohammad,

Thanks for the LDAP work perfectly my firewall now does LDAP authenication! But maybe I'm missing something, on the side of the VPN setup on the firewall and I've got it statically map via the router. But when I open up my VPN client its still not connecting to the gateway I get the peer not responding. Any ideas?

Router Access List/Static Map/Interface:

interface GigabitEthernet0/0

ip address

ip access-group 101 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip verify unicast reverse-path

ip nbar protocol-discovery

ip flow ingress

ip nat outside

ip inspect TRAFFIC_ALLOWED out

ip virtual-reassembly

duplex full

speed 100

no cdp enable

ip nat inside source static 38.x.x.x

access-list 110 permit udp host host eq isakmp

access-list 110 permit udp host host eq non500-isakmp

ASA 5510

access-list NONAT extended permit ip

access-list TFX100 remark ACL for TFX Remote

access-list TFX100 extended permit ip

pager lines 24

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (outside) 0 access-list NONAT

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map DYNAMIC-MAP 5 set transform-set ESP-AES-128-SHA

crypto map OUTSIDE_MAP 65530 ipsec-isakmp dynamic DYNAMIC-MAP

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

telnet timeout 5

ssh outside

ssh timeout 60

ssh version 2

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

group-policy TFXVPN internal

group-policy TFXVPN attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value TFX100

nem enable

username browe password jyPLVN4lhyIZeTsi encrypted privilege 15

tunnel-group TFX_TG type remote-access

tunnel-group TFX_TG general-attributes

default-group-policy TFXVPN

tunnel-group TFX_TG ipsec-attributes

pre-shared-key *


class-map inspection_default

match default-inspection-traffic



policy-map type inspect dns preset_dns_map


  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp


service-policy global_policy global

prompt hostname context


New Member

ASA VPN behind 2911 Router

I've actually figured out whats wrong, but now I'm getting an error when a remote host tries to connect...

Removing peer from peer table failed, no match!

Unable to remove PeerTblEntry

It makes it through phase 1, but fails at phase 2