topic Re: ASA ESP issue in Network Security

ASA ESP issue

boshardy1 — Mon, 11 Mar 2019 12:20:45 GMT

We have a new ASA, there are no firewall rules associated to the inside interface. Our finance department has to run the AT&T net client to connect with Medicare, this now fails. On the ASA I get an error that says 3|Mar 20 2008|10:41:39|305006|12.64.175.2||regular translation creation failed for protocol 50 src inside:10.0.50.30 dst outside:12.64.175.2

NAT-T is on the firewall and I also tried the inspect ipsec pass through to no avail. Any other suggestions?

Re: ASA ESP issue

abinjola — Fri, 21 Mar 2008 15:02:17 GMT

on the remote VPN server either enable NAT-T or on create a 1-1 static on the firewall opening ESP and UDP-500 on the firewall

Re: ASA ESP issue

boshardy1 — Fri, 21 Mar 2008 15:53:12 GMT

I don't have control of the remote end, it's medicare. Is there anything else I can do on my end to make this work short of doing static NAT's? It used to work on my netscreen firewall somehow only since switching to the ASA has it broke.

Re: ASA ESP issue

JORGE RODRIGUEZ — Fri, 21 Mar 2008 16:47:55 GMT

In your VPN client,ATT connection properties, transport tab, where you have checked off if you do Enable Transparent Tunneling choose Ipsec over UDP (NAT/PAT).

Re: ASA ESP issue

abinjola — Fri, 21 Mar 2008 17:06:58 GMT

Jorge..this would still not work..by default enable transparent tunneling is enabled..here the problem is since the remote server doesn't want to enable NAT-TRansparency therefore the ESP packet would never be encapsulated over udp 4500 and there ESP would not be able to PAT...

only way to get this working is 1-1 static or NAT traversal

Re: ASA ESP issue

JORGE RODRIGUEZ — Fri, 21 Mar 2008 17:33:13 GMT

completely agree, you are right.. wander what happened to my cup of coffey..

Re: ASA ESP issue

cisco24x7 — Fri, 21 Mar 2008 19:50:59 GMT

One of the things to keep in mind when switching from one firewall vendor, Juniper,

to another firewall vendor, Cisco, is that

different device can handle things

differently. Devices such as juniper or

netscreen has the ability to do "IPSec

pass-through" that devices such as Pix or

ASA can NOT.

That being said, if you replace the ASA

with a Cisco IOS router with the ability

to do this:

ip nat inside source static udp 192.168.1.1 500 interface F0/0 500

ip nat inside source static esp 192.168.1.1 interface F0/0

where 192.168.1.1 is the host beind the router.

That will enable the client to connect via

ESP.

It is very unfortunate that ASA can not do

this.

CCIE Security

Re: ASA ESP issue

abinjola — Fri, 21 Mar 2008 20:14:29 GMT

"IPSec pass-through" that devices such as Pix or

ASA can NOT.

ASA can do IPSEC pass through but you cannot port address translate an ESP packet, thats the reason NAT-Transparency came in picture which means if VPN server has it enabled it detects the client to be behind PAT device and the clients starts encapsulating ESP over UDP which can PATTED now...

hope it answers !

Re: ASA ESP issue

cisco24x7 — Fri, 21 Mar 2008 20:17:23 GMT

what I meant to say is:

ip nat inside source static udp 192.168.1.1 500 interface F0/0 500

ip nat inside source static esp 192.168.1.1 interface F0/0

Can ASA do this?

Re: ASA ESP issue

jan.nielsen — Sun, 23 Mar 2008 01:31:51 GMT

ASA does support IPSec pass-through.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/inspect.html#wp1522169

Re: ASA ESP issue

jan.nielsen — Sun, 23 Mar 2008 01:34:46 GMT

Oh, and also, run 7.2 software, i think i remember something about some bugs with the ipsec inspect before this release.