topic Hi, in Network Security

IPSEC Tunnel Passthrough with ASA 5540

lacasamiller — Tue, 12 Mar 2019 07:01:28 GMT

I'm looking for a configuration option on my ASA 5540 that will allow an IPSEC tunnel to pass thru the ASA from an external IP address to an internal router. The ASA also provides AnyConnect VPN access for mobile and external hosts.

I'm trying to bring in Verizon Private Network IPSEC tunnel to an internal router, but I believe the ASA is trying to terminate that session rather than allow it through to the internal router.

Is there a config command I can reference for enabling this?

External IP address -----> ASA --------> internal router

<---IPSEC Tunnel---->

Thanks in advance for any help with this!

Hi,

rvarelac — Thu, 10 Dec 2015 16:42:44 GMT

Hi,

The ports you need to allow the VPN accross the ASA are:

UDP 500

UDP 4500

protocol 50 ESP

Example:

access-list inside udp permit host 192.168.0.1 any eq 500

access-list inside udp permit host 192.168.0.1 any eq 4500

access-group inside interface inside in interface inside

And is recommended to enable the inspection for this traffic as well.

policy-map global_policy

class inspection_default

inspect ipsec-pass-thru

Hope it helps,

-Randy-

Randy, thanks for this!

lacasamiller — Thu, 10 Dec 2015 19:43:28 GMT

Randy, thanks for this!

I have added this config but it seems the ASA is still trying to process the GRE tunnel. The log shows:

SYSLOG ID 713903: Group = 66.174.x.x, IP= 66.174.x.x, Can't find a valid tunnel group, aborting...!

SYSLOG ID 713903: IP = 66.174.x.x, Header invalid, missing SA payload! (next payload = 4)

If I can get some way to force IP traffic from 66.174.x.x to bypass the ASA...

Hi,

rvarelac — Fri, 11 Dec 2015 00:43:34 GMT

Hi,

Is this ASA serving as VPN endpoint as well? If not I think you can disable the isakmp process on the interface.

no crypto isakmp enable outside or no crypto ikev1 enable outside

-Randy-