Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5754
Views
0
Helpful
2
Replies

How do I allow IPsec through Cisco ASA 5505

kepademus
Level 1
Level 1

‎05-30-2011 12:25 PM - edited ‎02-21-2020 05:22 PM

We have Cisco ASA 5505 and an internal user (behind NAT) needs to connect via VPN to an external company. I just cannot get this to work. I have enabled IPsec Pass Through from ASDM Configuration --> Firewall --> Service Policy Rules --> Edit Service Policy Rule --> Rule Actions --> tapped IPsec Pass Through

I have tried to find some info from the log but all i get is this message: IP = [remote gateway ip] Invalid  Packet Detected!"

I cant find anything that is blocked from the log.

Please help

Labels:
0 Helpful
2 Replies 2

Jennifer Halim
Cisco Employee
Cisco Employee

‎05-30-2011 05:38 PM

You would need to check with the remote/external VPN gateway to see if they support NAT-T (ie: encapsulating ESP packet in UDP or TCP).

Because ESP is a protocol, not a TCP or UDP ports, it will not be able to pass through a PAT device. Therefore, the VPN peer gateway needs to have NAT-T enabled so the ESP packet gets encapsulated in either UDP or TCP.

A test to see if the VPN works is to configure static 1:1 NAT for the internal host that you are testing to VPN from.

0 Helpful

kepademus
Level 1
Level 1
In response to Jennifer Halim

‎05-30-2011 09:28 PM

Thank you Jennifer for your answer. Remote gateway doesn't support nat-t so i have to go with 1:1 nat with this.

There is one thing that I dont truly understand. With the old firewall we had the vpn was working without 1:1 nat with same remote vpn peer gateway. Nothing has changed exept old Zyxel Zywall died and it was replaced with ASA 5505...

0 Helpful
Customers Also Viewed These Support Documents