Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1444
Views
0
Helpful
5
Replies

IPSec Pass Through on ASA

Vigil_N_E
Level 1
Level 1

‎05-22-2012 07:19 AM - edited ‎03-11-2019 04:09 PM

I have a third party firewall behind a Cisco ASA. The Cisco ASA is doing PAT as there are no other IP addresses available. The third party firewall is attempting to build an IPSec tunnel to another firewall. The IPSec tunnel is not coming up. When I do a capture on the Cisco ASA firewall I see traffic hit the inside interface and leave the outside interface. I then see the reply traffic return and hit the outside interface of my Cisco ASA but it is not being allowed to pass through to the inside interface.I have enabled NAT-T on the thrid party firewall but it still does not get the reply traffic becuase it gets stopped at the Cisco ASA.

Any thoughts?

Labels:
0 Helpful
5 Replies 5

Kevin P Sheahan
Level 5
Level 5

‎05-22-2012 07:39 AM

On your outside access-list (inbound) make sure you're allowing the following ports to your third party firewall.

IP 50

UDP 500

UDP 4500

Kind Regards,

Kevin

**Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.

Kind Regards, Kevin Sheahan, CCIE # 41349
0 Helpful

Vigil_N_E
Level 1
Level 1
In response to Kevin P Sheahan

‎05-22-2012 07:43 AM

Already allowing each of those in the outside access-list (inbound).

0 Helpful

Kevin P Sheahan
Level 5
Level 5
In response to Vigil_N_E

‎05-22-2012 07:46 AM

Is your third party FW attached directly to your ASA? If not, do you have a route to that device on your ASA?

Please perform a packet-tracer to see why the return traffic is not reaching the third party FW..

packet-tracer input outside udp 500 500 detail

If the packet-tracer shows traffic going through successfully, perhaps it is your third party FW that is blocking the traffic?

Please reply with packet-tracer results.

Kind Regards,

Kevin

**Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.

Kind Regards, Kevin Sheahan, CCIE # 41349
0 Helpful

Vigil_N_E
Level 1
Level 1
In response to Kevin P Sheahan

‎05-22-2012 07:56 AM

For would I put the internal address or the puiblic NAT address?

0 Helpful

Kevin P Sheahan
Level 5
Level 5
In response to Vigil_N_E

‎05-22-2012 08:09 AM

You would put the NAT address, which brings up another point.. this needs to be NATed to a dedicated global address (via static nat).

Kind Regards,

Kevin

**Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.

Kind Regards, Kevin Sheahan, CCIE # 41349
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card