IPSec Pass Through on ASA

Vigil_N_E (Level 1)

I have a third party firewall behind a Cisco ASA. The Cisco ASA is doing PAT as there are no other IP addresses available. The third party firewall is attempting to build an IPSec tunnel to another firewall. The IPSec tunnel is not coming up. When I do a capture on the Cisco ASA firewall I see traffic hit the inside interface and leave the outside interface. I then see the reply traffic return and hit the outside interface of my Cisco ASA but it is not being allowed to pass through to the inside interface. I have enabled NAT-T on the third party firewall but it still does not get the reply traffic because it gets stopped at the Cisco ASA.

Any thoughts?

3 Replies

rizwanr74 (Level 7)

Hi Nicholas,

Are you doing static-nat for the source-vpn peer address? This static-nat can be natted to the same address or to a different address, as long as the remote-vpn peer recognizes your source-vpn peer address as being reachable.

Please let me know.

Looking forward to hearing from you.

Thanks

Rizwan Rafeek

The third party firewall that is behind the ASA is being NATed to the same public IP address as everything else behind the ASA. The remote vpn device has been configured to expect the public IP and respond to the public IP but the response traffic is dropped at the ASA and never makes it back to the firewall behind the ASA.

Hi Nicholas,

Dynamic nat will not work, you need static-nat.

thanks

Rizwan Rafeek
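An added example of what the "static-nat" the reply is asking for looks like on an ASA using the 8.3+ object NAT syntax. This is not configuration from the thread; the interface names, object names and all addresses (192.0.2.10 inside peer, 198.51.100.5 spare public address, 203.0.113.20 remote VPN peer) are assumed. It shows both variants the reply mentions: a one-to-one static NAT to a dedicated public address, and, for the situation in the question where only the ASA's own outside address is available, static PAT of the IKE ports on the interface address. Static PAT cannot forward ESP (it has no ports), so in that variant the tunnel must use NAT-T (UDP 4500), which is what the questioner already enabled on the inside firewall. A plain dynamic PAT translation is not enough because the ASA has no translation to map the unsolicited IKE reply back to the inside peer, which is the drop the capture shows.

```cisco
! ---- Variant A: a spare public address is available (one-to-one static NAT) ----
object network VPN_PEER_INSIDE
 host 192.0.2.10
 nat (inside,outside) static 198.51.100.5

! ---- Variant B: only the outside interface address exists (static PAT of IKE ports) ----
! One network object per forwarded port; both refer to the same inside host.
! ESP cannot be forwarded this way, so the peers must negotiate NAT-T (UDP 4500).
object network VPN_PEER_IKE
 host 192.0.2.10
 nat (inside,outside) static interface service udp 500 500
object network VPN_PEER_NATT
 host 192.0.2.10
 nat (inside,outside) static interface service udp 4500 4500

! ---- Inbound access control on the outside interface ----
! Permit IKE, NAT-T and ESP only from the known remote peer to the inside VPN device.
! ESP is only needed for Variant A; with static PAT everything rides on UDP 4500.
object-group service VPN_PROTOCOLS
 service-object udp destination eq 500
 service-object udp destination eq 4500
 service-object esp
access-list OUTSIDE_IN extended permit object-group VPN_PROTOCOLS host 203.0.113.20 object VPN_PEER_INSIDE
access-group OUTSIDE_IN in interface outside

! ---- Checks: confirm the translation exists and trace a returning NAT-T packet ----
! (198.51.100.1 assumed to be the ASA outside interface address)
show nat detail
packet-tracer input outside udp 203.0.113.20 4500 198.51.100.1 4500
```

The `packet-tracer` line reproduces the reply traffic seen in the question's capture; with the static translation in place its output should end in ALLOW and show the packet un-translated to the inside peer, and the phase that reports DROP (NAT or ACL) points at whichever of the two pieces above is still missing.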
