Showing results for 
Search instead for 
Did you mean: 

Setup of IPSec Passthrough

Level 1
Level 1

Hi All,

I would like to get some help on IPSec Passthrough on an ASA 5520, with version 8.3, and ASDM 6.3. Currently I have a requirement for users in my internal network ( / 25) to be able to connect to external IPSec VPN servers.

So I created a network object with / 25, and used dynamic PAT to translate the source ip address to the external internet facing outside interface:

29-Mar-12 4-09-43 PM.png

I then added the following rules on the inside-in ACL:

However troubleshooting shows that isakmp is passing through the firewall, but esp and ah is not.

For isakmp:

29-Mar-12 4-15-05 PM.png

For ESP:

29-Mar-12 4-17-21 PM.png

Seems like the nat rule is drawing my ESP traffic, can any one point me in the correct direction?

Kind Regards,

Jia Wei

1 Reply 1

Jouni Forss
VIP Alumni
VIP Alumni


Have you tried an actual VPN Client connection through the ASA from the guest network? Or is the problem only based on testing this thing with packet-tracer on ASDM side?

I dont remember ever opening ESP/HA for Cisco VPN Client traffic

Review Cisco Networking for a $25 gift card