Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3935
Views
5
Helpful
3
Replies

Allowing IPSec traffic passthrough to Verizon Network Extenders

james.king
Level 1
Level 1

‎02-12-2013 07:06 AM - edited ‎03-07-2019 11:40 AM

Hello,

Have a Cisco ASA5505. Client has 1 public IP. ASA handling WAN connection/routing for internal network. Client has two (2) Verizon Network Extenders. These setup an IPSec site-to-site tunnel between VZ and these devices. They are using ports 500 and 4500. The IPSec NATT traffic is being picked up by the ASA and dropped. ASA is taking it as a request to initiate a site to site VPN and not passing traffic along to internal VZ network extenders to allow them to create an assured UDP connection. A Buffalo router running DD-WRT with IPSec passthrough mode is working great, allowing both VZ network extenders to work. Client does not need IPSec or site to site VPN abilities, so this can be disabled in config to make this work. We know this can be setup very easily with port forwarding to an internal static IP - However - issue is that there are TWO of these extenders internally, so port forwarding will not work in this case (would only allow one extender to communicate). Other issue is that these extenders cannot be managed - we cannot log into them and set a static IP. They can be 'semi' static via DHCP/MAC settings to give consistent IP however if need be.


Looking for the proper config code to allow for this traffic to be passed through ASA device to the internal extenders to allow for proper communication.
The client has very limited needs, the config changes for these VZ extenders are really the highest priority for them, so we can modify/turn off anything necessary to make this work, existing config does not matter.

Thank you very much for any config examples and guidance you could provide.

Labels:
0 Helpful
3 Replies 3

ALIAOF_
Level 6
Level 6

‎02-12-2013 01:31 PM

Under:

policy-map global_policy

class inspection_default

try adding

inspect ipsec-pass-throu

Also create ACL's so like if your internal hosts (Verizon devices are 192.168.1.10 and 192.168.1.20)

access-list outside_in extended permit udp 500 host x.x.x.x host 192.168.1.10

access-list outside_in extended permit udp 4500 host x.x.x.x host 192.168.1.10

access-list outside_in extended permit udp 500 host x.x.x.x host 192.168.1.20

access-list outisde_in extended permit udp 4500 host x.x.x.x host 192.168.1.20

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/inspect.html#wp1522169

james.king
Level 1
Level 1
In response to ALIAOF_

‎02-13-2013 10:11 AM

Hey - Thank you Mohammed. This looks promising.

The article covers port 500 and the ESP and AH protocols, do you think port 4500 will need to be specifically defined anywhere in the map (aside from the ACL), or will the protocol exceptions naturally allow this port?

0 Helpful

ALIAOF_
Level 6
Level 6
In response to james.king

‎02-13-2013 12:25 PM

Since you are not NATing I believe that should be fine.  But you can test that out if you look at the log.  If 4500 is still being used and you see denies on it then you can open it up.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card