05-30-2011 12:25 PM - edited 02-21-2020 05:22 PM
We have a Cisco ASA 5505 and an internal user (behind NAT) needs to connect via VPN to an external company. I just cannot get this to work. I have enabled IPsec Pass Through from ASDM: Configuration --> Firewall --> Service Policy Rules --> Edit Service Policy Rule --> Rule Actions --> ticked IPsec Pass Through.
I have tried to find some info from the log, but all I get is this message: "IP = [remote gateway ip] Invalid Packet Detected!"
I can't find anything that is blocked in the log.
Please help.
05-30-2011 05:38 PM
You would need to check with the remote/external VPN gateway to see if they support NAT-T (i.e. encapsulating the ESP packet in UDP or TCP).
Because ESP is a protocol, not a TCP or UDP port, it will not be able to pass through a PAT device. Therefore, the VPN peer gateway needs to have NAT-T enabled so the ESP packet gets encapsulated in either UDP or TCP.
A test to see if the VPN works is to configure static 1:1 NAT for the internal host that you are testing to VPN from.
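The three points in the answer above (ESP has no ports so PAT cannot map it, NAT-T wraps ESP in UDP/4500 so it can, and a static 1:1 NAT maps by address alone) as an added toy model; this is example code, not from the thread or from Cisco, and the addresses are constructed.

```python
from dataclasses import dataclass, replace
from typing import Optional

ESP, UDP = 50, 17             # IP protocol numbers
NAT_T_PORT = 4500             # UDP port used by NAT-T (RFC 3948)
OUTSIDE_IP = "203.0.113.10"   # constructed public address of the PAT device

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # ESP carries no L4 ports, only an SPI
    dport: Optional[int] = None

class PatDevice:
    """Many-to-one NAT: each outbound flow needs a unique translated port."""
    def __init__(self):
        self.next_port = 1024
        self.table = {}   # (proto, outside_port) -> (inside_ip, inside_port)

    def translate(self, pkt: Packet) -> Packet:
        if pkt.sport is None:
            # No port field to rewrite and no key for the return traffic.
            raise ValueError(f"protocol {pkt.proto} has no ports; PAT cannot map it")
        out_port = self.next_port
        self.next_port += 1
        self.table[(pkt.proto, out_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=OUTSIDE_IP, sport=out_port)

class StaticNat:
    """One-to-one NAT: mapping is by IP address only, so ESP gets through."""
    def __init__(self, inside_ip: str, public_ip: str):
        self.inside_ip, self.public_ip = inside_ip, public_ip

    def translate(self, pkt: Packet) -> Packet:
        if pkt.src != self.inside_ip:
            raise ValueError("no static mapping for this host")
        return replace(pkt, src=self.public_ip)

def nat_t_encapsulate(esp: Packet) -> Packet:
    """Wrap an ESP packet in UDP/4500 so a PAT device sees ports to translate."""
    return Packet(UDP, esp.src, esp.dst, NAT_T_PORT, NAT_T_PORT)

def can_traverse(device, pkt: Packet) -> bool:
    """True if the NAT device can translate the packet, False if it drops it."""
    try:
        device.translate(pkt)
        return True
    except ValueError:
        return False
```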
05-30-2011 09:28 PM
Thank you Jennifer for your answer. The remote gateway doesn't support NAT-T, so I have to go with 1:1 NAT for this.
There is one thing that I don't truly understand. With the old firewall we had, the VPN was working without 1:1 NAT with the same remote VPN peer gateway. Nothing has changed except the old Zyxel ZyWALL died and it was replaced with the ASA 5505...