New Member

L2L with ASA behind router

Can an ASA initiate a L2L VPN over NAT-T behind a router?

The VPN can be successfully established when our third party starts the connection but not when we start it from our end.

Many vendors don't support this scenario; I would like to know if Cisco do.

3 REPLIES
VIP Purple

L2L with ASA behind router

Yes, that will work. The ASA can be behind a NAT as an IPSec originator as well as an IPSec responder. Of course the NAT has to be configured properly if the ASA is the responder.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni


New Member

L2L with ASA behind router

Thanks Karsten for your quick reply.

If the other peer was another ASA with no NAT in front of it, would it be able to initiate the proposal?

VIP Purple

L2L with ASA behind router

Yes, that will work. If both ASAs have NAT-T enabled (which is the default) then there is no reason that it shouldn't work.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
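
For the symptom in this thread (the tunnel comes up when the peer initiates but not when the NATed ASA does), the following added example, which is not from any post above, classifies how far a locally initiated negotiation got, using only the UDP ports seen in a capture. The `Pkt` record, the stage names and the addresses are assumptions, and the sample packets are constructed.

```python
from collections import namedtuple

# One UDP datagram seen on the ASA's outside interface (hypothetical record format).
Pkt = namedtuple("Pkt", "src sport dst dport")

IKE, NATT = 500, 4500  # IKE starts on UDP 500; with NAT-T it floats to UDP 4500

def diagnose(packets, local_ip, peer_ip):
    """Return the stage at which an IKE negotiation we initiated stopped."""
    # Match on the peer-side port only: a NAT device may rewrite our source port.
    sent = {p.dport for p in packets if p.src == local_ip and p.dst == peer_ip}
    back = {p.sport for p in packets if p.src == peer_ip and p.dst == local_ip}
    if IKE not in sent:
        return "not-initiating"    # nothing left the ASA: check what should trigger the tunnel
    if IKE not in back:
        return "no-reply-on-500"   # peer unreachable, or it does not answer us as initiator
    if NATT not in sent:
        return "no-float"          # stopped before the port float: NAT not detected,
                                   # NAT-T off on one peer, or phase 1 failed earlier
    if NATT not in back:
        return "no-reply-on-4500"  # UDP 4500 filtered on the path, or peer rejected the exchange
    return "natt-established"

# Constructed sample data: ASA outside address (private, behind the router) and peer.
LOCAL, PEER = "192.168.1.2", "203.0.113.10"

# Constructed capture of a healthy initiation through NAT.
HEALTHY = [
    Pkt(LOCAL, 500, PEER, 500),
    Pkt(PEER, 500, LOCAL, 500),
    Pkt(LOCAL, 4500, PEER, 4500),
    Pkt(PEER, 4500, LOCAL, 4500),
]
# Constructed capture where the peer never answers after the float to UDP 4500.
STALLED = HEALTHY[:3]

if __name__ == "__main__":
    for name, capture in (("healthy", HEALTHY), ("stalled", STALLED)):
        print(name, "->", diagnose(capture, LOCAL, PEER))
```

Running the same check on a capture taken when the peer initiates (with `local_ip` and `peer_ip` swapped) shows whether the two directions stop at different stages.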

