[163081] in North American Network Operators' Group

Re: Vpn tunnel Asa 5505 to fortigate 60c

daemon@ATHENA.MIT.EDU (Fred Reimer)
Sat May 18 23:19:53 2013

From: Fred Reimer <freimer@freimer.org>
To: akurenath <akurenath@hotmail.com>, "nanog@nanog.org" <nanog@nanog.org>
Date: Sat, 18 May 2013 17:05:22 +0000
In-Reply-To: <BAY404-EAS148085DA2FA4803CBB027AFB4AD0@phx.gbl>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Almost all firewalls support NAT-T, which allows for using a private IP
address on the "outside" of the firewall (which is translated to a
routable public IP address before it gets on the Internet).  You will need
UDP 500 (for IKE) and UDP 4500 (for IPsec NAT-T) open, so no devices
between the firewalls can block those ports.  I know the ASA supports
this, because I have set up customers with "private" IP addresses on their
ASAs in certain circumstances.  I'm not familiar enough with the Fortinet
equipment, but you may need to turn on a NAT-T feature.

HTH,

Fred Reimer




On 5/18/13 11:13 AM, "akurenath" <akurenath@hotmail.com> wrote:

>Hi nanog,
>
>I have a FortiGate 60C connecting a VPN tunnel to an ASA 5505. I have the
>connection set up, but it will not connect because unfortunately the ISP
>at the FortiGate end decided to give us a 192.168.13/24 address. Now what
>I'd like to know is if there is any way to get this VPN connection to
>work through a PAT connection until the ISP resolves this issue?
>
>Thank you for any help.
>
>Zane
>
>
>Sent from Samsung mobile
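
Added example, not part of the original thread: a Python sketch of the RFC 3947 NAT-D hash comparison that makes IKE peers notice a PAT device in the path and move from UDP 500 to UDP 4500. The addresses, cookies, function names and SHA-1 as the negotiated hash are constructed assumptions.

```python
import hashlib
import ipaddress
import struct

IKE_PORT, NATT_PORT = 500, 4500

# Constructed sample values (not from the thread).
CKY_I = bytes.fromhex("1122334455667788")   # initiator cookie
CKY_R = bytes.fromhex("99aabbccddeeff00")   # responder cookie
FGT_LOCAL = ("192.168.13.10", 500)    # FortiGate WAN address handed out by the ISP
FGT_PUBLIC = ("203.0.113.7", 1024)    # what the ASA sees after the ISP's PAT
ASA_PUBLIC = ("198.51.100.20", 500)   # ASA outside address, not translated


def nat_d_hash(cky_i, cky_r, ip, port):
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port)."""
    packed = ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(cky_i + cky_r + packed).digest()


def endpoint_translated(cky_i, cky_r, hashed_by_sender, seen_on_wire):
    """True when the address a peer hashed differs from the one in the IP/UDP header."""
    return (nat_d_hash(cky_i, cky_r, *hashed_by_sender)
            != nat_d_hash(cky_i, cky_r, *seen_on_wire))


def port_after_nat_d(cky_i, cky_r, init_local, init_on_wire, resp_local, resp_on_wire):
    """Return (udp_port, initiator_behind_nat, responder_behind_nat)."""
    init_nat = endpoint_translated(cky_i, cky_r, init_local, init_on_wire)
    resp_nat = endpoint_translated(cky_i, cky_r, resp_local, resp_on_wire)
    # Any mismatch means a NAT is in the path: both peers float to UDP 4500
    # and wrap ESP in UDP so the PAT device has ports to translate.
    port = NATT_PORT if (init_nat or resp_nat) else IKE_PORT
    return port, init_nat, resp_nat


if __name__ == "__main__":
    # FortiGate behind PAT, ASA on a public address.
    print(port_after_nat_d(CKY_I, CKY_R, FGT_LOCAL, FGT_PUBLIC, ASA_PUBLIC, ASA_PUBLIC))
    # Same peers once the ISP hands out a routable address (no translation).
    print(port_after_nat_d(CKY_I, CKY_R, FGT_PUBLIC, FGT_PUBLIC, ASA_PUBLIC, ASA_PUBLIC))
```

If a packet capture shows the exchange staying on UDP 500 with a translator in the path, NAT-T is disabled or unsupported on one peer, because the NAT-D payloads are only sent when both sides advertise support.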


