Cisco Support Community
Community Member

ASA VPN behind firewall

Hi

Does anybody know if a remote access VPN (ASA) behind another firewall with NAT (Checkpoint) works fine?

I need to configure an SSL remote access VPN on an ASA 5512-X, but the ASA is in a DMZ of a Checkpoint firewall that has the public IP and the internet connection.

 

Thanks.

Andres

2 ACCEPTED SOLUTIONS

Accepted Solutions
Hall of Fame Super Silver

Yes. I've used ASA remote access SSL VPN when the ASA outside interface is behind another firewall that is NATting the address. As long as the second firewall is allowing tcp/443 (SSL, assuming a default setup) it works fine.

For an IPsec VPN a few more ports are required (udp/500 and 4500 typically).

Hi Andres,

 

There shouldn't be any issue with your scenario... If you have the proper routing, flows and NAT in place to allow the VPN traversal... it will work... We have deployed many setups like this... but I have not yet tried with Check Point FW...

NAT on Check point FW --- say 1.1.1.1 NATed to Outside Interface of ASA 172.16.0.1

Flow : 443 to 1.1.1.1/172.16.0.1 from any or specific range of public stack.

Routing needs to be there.....

 

Regards

Karthik
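The two answers above reduce to a static NAT plus a short list of permitted flows on the upstream firewall. The following is an added example, not code from the thread or from either vendor: it models a first-match rule base and reports which VPN type would be blocked. The rule tuple layout, the function names and the client address 203.0.113.10 are assumptions made for illustration; the NAT pair 1.1.1.1 to 172.16.0.1 is the one used in the thread.

```python
import ipaddress

# Flows named in the thread: tcp/443 for SSL VPN, udp/500 and udp/4500 for IPsec.
REQUIRED = {"ssl": [("tcp", 443)], "ipsec": [("udp", 500), ("udp", 4500)]}

def permitted(rules, src, dst_addrs, proto, port):
    """First-match rule evaluation with an implicit drop at the end.
    Assumption: a rule may name the public or the translated address."""
    for action, src_net, dst, r_proto, r_port in rules:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(src_net)
                and dst in dst_addrs and (r_proto, r_port) == (proto, port)):
            return action == "permit"
    return False

def missing_flows(static_nat, rules, public_ip, asa_ip, client_ip):
    """Return {vpn_type: [blocked flows]}; an empty list means that type can traverse."""
    nat_ok = static_nat.get(public_ip) == asa_ip  # public IP must map to the ASA outside IP
    report = {}
    for vpn, flows in REQUIRED.items():
        report[vpn] = [f"{proto}/{port}" for proto, port in flows
                       if not (nat_ok and permitted(rules, client_ip,
                                                    {public_ip, asa_ip}, proto, port))]
    return report

# Constructed sample policy using the thread's addresses (1.1.1.1 -> 172.16.0.1).
NAT = {"1.1.1.1": "172.16.0.1"}
RULES = [
    ("permit", "0.0.0.0/0", "1.1.1.1", "tcp", 443),
    ("permit", "0.0.0.0/0", "1.1.1.1", "udp", 500),
    # udp/4500 is not permitted in this sample.
]

if __name__ == "__main__":
    print(missing_flows(NAT, RULES, "1.1.1.1", "172.16.0.1", "203.0.113.10"))
```

With the sample policy, SSL VPN passes while IPsec is reported as blocked on udp/4500, the port the ASA needs once it sits behind NAT.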

3 REPLIES
Community Member

Thanks Marvin, I will test in my environment
