
I was in the process of setting up a site-to-site IPsec VPN tunnel behind a mobile broadband router when I found out that I wasn't able to port forward on that network, so I won't be able to use the IPsec site-to-site on the ASA 5505 that I have behind it.

I need another solution to get the clients connected, and I came across Cisco Easy VPN.

Is it necessary to port forward any ports on the remote end? Or does it just work like AnyConnect?

(I don't have the ASA at my disposal right now, so I can't test it, and I need it working on Monday, so I hope someone can help me now so I know if it's going to work on Monday :-) I can't find anything about it on the internet.)

Thanks guys, Rasmus.

Rasmus

2 Answers


Any site-to-site port-forwarding technique used with the established VPN between these sites is a sign of poor design and probably work done badly. With a proper VPN design, any subnets inside the VPN should have full connectivity and no need to forward anything to each other.

The same rule applies when a security gateway is behind a NAT: it should not be. Even when this is due to organizational problems, it means that this particular organization has no cooperation within.

drookie
  • Hi drookie, the port forwarding is just for establishing the site-to-site tunnel and not for opening/accessing devices across the net; that works fine without it. For a normal site-to-site tunnel I need UDP 450 and 4500 forwarded to the firewall that creates the tunnel. The remote device is behind a public network where no forwarding can be done. Am I totally off here? – Rasmus Feb 06 '15 at 11:40
  • Still a sign of a badly designed network/VPN. The security gateway should be set in a place where it has full connectivity with both the network that it has to tunnel and the tunnel transport, the WAN in general. Including the control protocol ports, such as ISAKMP or whatever you are using. And the reason for this is simple. It's not the tradition, it's simply the attempt to avoid multiple subsequent problems with encrypted traffic: MTU negotiation, various schemes of packet signing and encryption, etc. – drookie Feb 06 '15 at 11:43
  • I am aware of that (which is the case at the other end), but it isn't possible in this scenario. I need a quick fix to get a remote mobile room up and running ASAP. – Rasmus Feb 06 '15 at 11:46
  • I'm aware that I did not help you in any way; I just wanted to express my point. – drookie Feb 06 '15 at 11:51

I found out the answer myself today by trying it out.

It DOES work when Easy VPN is set up in Client mode. Extended-network mode didn't work at first; I'm not sure if this is fixable, but Client mode works without any port forwarding.

Rasmus
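For readers who land on this thread with the same problem, here is what an Easy VPN hardware-client setup in Client mode looks like on both ASAs, as an added example that is not part of Rasmus's post or of any Cisco documentation quoted here. The remote ASA 5505 behind the mobile broadband NAT is the initiator, so it needs no inbound port forwarding: it opens UDP 500, and once both peers detect the NAT they move to UDP 4500 (NAT-T), a flow the NAT in front of the 5505 handles like any other outbound UDP session. The syntax is the ASA 8.2-era form; on 8.4 and later `crypto isakmp enable` becomes `crypto ikev1 enable` and `vpn-tunnel-protocol IPSec` becomes `vpn-tunnel-protocol ikev1`. The headend address 203.0.113.10, the group and user names, the secrets and the address pool are placeholders that you would replace with your own.

```cisco
!=== Headend ASA (Easy VPN server, on a public IP with UDP 500/4500 reachable) ===
! IKEv1 on the outside interface; NAT-T must stay enabled for a client behind NAT.
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
! Addresses handed to the hardware client in Client mode (it NATs its LAN behind one of these).
ip local pool EZVPN-POOL 10.99.0.1-10.99.0.50
!
group-policy EZVPN-GP internal
group-policy EZVPN-GP attributes
 vpn-tunnel-protocol IPSec
!
! The group name is what the remote 5505 presents in "vpnclient vpngroup".
tunnel-group EZVPN-GROUP type remote-access
tunnel-group EZVPN-GROUP general-attributes
 address-pool EZVPN-POOL
 default-group-policy EZVPN-GP
tunnel-group EZVPN-GROUP ipsec-attributes
 pre-shared-key GroupSecret
!
! Per-device user the hardware client authenticates with (placeholder credentials).
username ezuser password UserSecret
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map EZVPN-DYN 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic EZVPN-DYN
crypto map OUTSIDE_MAP interface outside

!=== Remote ASA 5505 (Easy VPN hardware client, behind the mobile broadband NAT) ===
! Client mode: the 5505 initiates the tunnel outbound, so nothing is forwarded to it.
vpnclient server 203.0.113.10
vpnclient mode client-mode
vpnclient vpngroup EZVPN-GROUP password GroupSecret
vpnclient username ezuser password UserSecret
vpnclient enable
```

To confirm the tunnel came up the way this thread describes, `show vpnclient` on the 5505 reports the client state and the assigned address, and `show crypto isakmp sa` on the headend lists the remote peer; because the 5505 sits behind NAT, the peer entry shows the NAT's public address rather than the 5505's own interface address, and the session runs over UDP 4500. If the NAT expires idle UDP mappings quickly, the `nat-traversal 20` keepalive interval on the headend is the knob to shorten.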