ASA-- Any special config needed for this (simple?) connectivity?

Hello. Simple quick question...

Inside the LAN I'm installing a new vendor's Cisco box that has a preconfigured VPN to a server on the www. All communication will originate inside this new box that connects to a switch that connects to the inside interface of the ASA. Miscellaneous LAN-originating communication to the www via the ASA gateway is currently successful.

QUESTION: In a vanilla ASA config, will I need to configure anything (ACL, or NAT, or other) to allow this new VPN box to communicate with the remote www server?

Thank you!

Accepted Solutions

@jmaxwellUSAF so this vendor's Cisco box is establishing a VPN over the internet and is plugged in behind your ASA?

Configure NAT to translate the traffic by. You will need to ensure UDP/500 and UDP/4500 are permitted outbound if you have an ACL inbound on the inside interface.

If you don't already have an ACL inbound on the inside interface you wouldn't need to explicitly permit the outbound traffic to the internet, it would already be permitted.

Your ASA should support NAT-T by default, so no need to enable.
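
The steps in the answer above as an ASA configuration sketch. This is an added example, not part of the original reply. The addresses (10.0.0.50 for the vendor box, 203.0.113.10 for the remote server) are constructed, and the object name `VENDOR-VPN-BOX` and ACL name `INSIDE_IN` are hypothetical; the interface names `inside` and `outside` are assumed.

```cisco
! Constructed addresses: 10.0.0.50 = vendor VPN box, 203.0.113.10 = remote VPN server.
! VENDOR-VPN-BOX and INSIDE_IN are hypothetical names; substitute your own.

! --- 1. NAT (global configuration mode) ---
! Skip this if an existing dynamic PAT rule already covers the box's subnet,
! which is likely when other LAN hosts already reach the internet.
object network VENDOR-VPN-BOX
 host 10.0.0.50
 nat (inside,outside) dynamic interface

! --- 2. ACL (only if one is applied inbound on the inside interface) ---
! Check first from exec mode:  show running-config access-group
! If no ACL is bound to "in interface inside", skip this step.
! "line 1" places each entry above any existing deny that would match the box.
! Scoping to the vendor's server instead of "any" keeps the rule least-privilege.
access-list INSIDE_IN line 1 extended permit udp host 10.0.0.50 host 203.0.113.10 eq isakmp
access-list INSIDE_IN line 1 extended permit udp host 10.0.0.50 host 203.0.113.10 eq 4500

! --- 3. Verification (privileged exec mode) ---
! Simulate the NAT-T flow through NAT and ACL processing; expect "Action: allow".
packet-tracer input inside udp 10.0.0.50 4500 203.0.113.10 4500
! After the box is connected, confirm a live connection and its translation.
show conn address 10.0.0.50
show xlate local 10.0.0.50
```

Because the box sits behind address translation, its tunnel traffic is carried inside UDP/4500 once NAT is detected, which is why the two UDP permits are the only entries shown.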
