Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA5505 VPN server behind another firewall

I was using an ASA5505 as my firewall/router and VPN server without any issues.  I've had to change to using a different manufacturer's devices as my firewall/router so I changed the external IP address of the ASA5505 to an extra one.

This works when I connect to the VPN and try to access any other external systems.  I can't access any of the internal systems as their default route points to the other firewall/router.  If I change the default route on any of those systems to the ASA5505 then everything works but that's not a workable solution.

Any suggestions on how to work around this issue?

Here's the way my network is currently configured:

External network:

Internal network:

Firewall/router internal IP:

Firewall/router external IP:

ASA5505 internal IP:

ASA5505 external IP:

The ASA5505 is running 8.2.(5) and has a Security Plus license.

If necessary I could make the ASA5505 internal-only if that makes things easier.

New Member

I forgot to mention I'm using

I forgot to mention I'm using IPSEC and AnyConnect.


I've had no issues connecting

I've had no issues connecting to the ASA's VPN behind several different routers.  Just open and forward ports tcp/443 and udp/443 for AnyConnect and udp/500 and udp/4500 for IPSec client. 

New Member

yeah this is nice topic. I

yeah this is nice topic. I will configure vpn remote access for my asa 5510, but my asa is behind

my router 2921. so in this case, i just forward port udp 500 and udp 4500 only rite ??
but one more question, is i already configure VPN site to site, so if later i configure remote vpn,

i have no need to create "iskam policy" again rite ?

Cisco Employee

Hi ,You will have to forward

Hi ,

You will have to forward UDP 500 , UDP 4500 and protocol ESP as well in order to successfully negotiate and pass the VPN traffic across intermediate device.
Moreover, you dont have to create new isakmp profiles unless the ones present are not negotiating with the client.
Hope that helps.

Dinesh Moudgil

P.S. Please rate helpful posts.


I have two site to site VPN

I have two site to site VPN tunnels passing through a 3825 router and they NAT fine without explicitly having a rule for ESP.  If I recall, auto-NAT'ing ESP is what the "NAT-T" option does, which is usually enabled by default. 

Of course, having a rule for ESP doesn't really hurt anything.

Cisco Employee

Most definitely,JohnIts just

Most definitely,John

Its just to make sure in case you are not using NAT-T and one is  aware of his setup that we tend to open this protocol. But , if NAT-T is used , then there is no need for this.

Dinesh Moudgil

Hi, If you have your other



If you have your other vendor router/fw on top of your asa vpn fw then you can have that other vendor device as pass through device and NAT and you can have your ASA for only VPN. Also you need to make sure that you have the proper routing place to reach all the internal systems. If you describe more in detail about your problem then we will be able to solve your issue.


By looking at the information provided by you you have your ASA outside on the external network range and internal is connected to LAN. by this way if you have the proper routing in place for both internal and external then you shouldn't have any problem.




CreatePlease login to create content