ISR 4321 - IPSec Passthrough

Bruno Silva
Level 1

Guys,

Recently my customer asked me to change hardware...

Now we have this network:

LAN - ASA 5505 (ip1) ---- (ip2) RV320 (static isp ip) ---- INTERNET ---- (non-static isp ip) ISR4321 - LAN

At the moment the RV320 has the IPSec Pass Through functionality, which means that the ASA 5505 ip1 interface is the same as the static ISP IP of the RV320.

How can I do it if I change the RV320 to another ISR4321??

Thanks in advance!


13 Replies

Francesco Molino
VIP Alumni
Hi

I guess the ASA interface interconnecting with the RV320 has a private IP, right?
If so, on the ISR4321 you will add an ip nat and open the ports for the IPSEC tunnel:
udp 500
esp 50
udp 4500


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Yes, Francesco...

The ASA interconnect with the RV320 is a private IP network.
IP NAT between the public and private IP, correct?

I'll try your solution... if it works I'll rate it as correct with no doubt!

Thanks

Hi
The command will be ip nat, but call it port forwarding if you want.
You need to redirect your IPsec ports from the new ISR to your ASA.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,
Thanks a lot! Yes, calling it port forwarding is more understandable...

Well, I did the following command:
ip nat inside source static 192.168.1.2 interface Cellular0/1/0

The problem is that this forwards everything... how can I just forward udp 4500 and udp 500?

Thanks again!

Hi

Here is the command for doing that per port:
ip nat inside source static udp 192.168.1.2 4500 interface Cellular0/1/0 4500
ip nat inside source static udp 192.168.1.2 500 interface Cellular0/1/0 500


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
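An added example, not from this thread or from any Cisco tool: a small Python audit that parses `ip nat inside source static` lines out of a saved running-config and reports whether a given inside host is exposed by a blanket one-to-one static NAT (which forwards everything, as with the earlier command) or only by the port-specific UDP 500/4500 entries. The config text is constructed, and the regex assumes only the two command forms shown in this thread.

```python
import re
from typing import Dict, List

# Constructed sample config, modelled on the commands in this thread (not a real
# device dump): one blanket static NAT and the two port-specific UDP entries.
SAMPLE_CONFIG = """
ip nat inside source list 1 interface Cellular0/1/0 overload
ip nat inside source static 192.168.1.2 interface Cellular0/1/0
ip nat inside source static udp 192.168.1.2 4500 interface Cellular0/1/0 4500
ip nat inside source static udp 192.168.1.2 500 interface Cellular0/1/0 500
"""

# UDP ports an IPsec peer needs reachable: IKE (500) and NAT-T (4500).
IPSEC_UDP_PORTS = {500, 4500}

# Matches either the port-specific form or the blanket one-to-one form.
STATIC_RE = re.compile(
    r"^ip nat inside source static"
    r"(?:\s+(?P<proto>tcp|udp)\s+(?P<inside>\S+)\s+(?P<iport>\d+)"
    r"\s+interface\s+(?P<oif>\S+)\s+(?P<oport>\d+)"
    r"|\s+(?P<inside_all>\S+)\s+interface\s+(?P<oif_all>\S+))\s*$"
)


def parse_static_nat(config: str) -> List[Dict]:
    """Return one record per static NAT line; proto/port are None for the blanket form."""
    entries = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue  # overload/dynamic NAT and unrelated lines are ignored
        if m.group("inside_all"):
            entries.append({"inside": m.group("inside_all"), "proto": None,
                            "port": None, "oif": m.group("oif_all")})
        else:
            entries.append({"inside": m.group("inside"), "proto": m.group("proto"),
                            "port": int(m.group("oport")), "oif": m.group("oif")})
    return entries


def audit_ipsec_forwarding(config: str, inside_host: str) -> Dict:
    """Flag a blanket static NAT for the host and list any missing IPsec UDP ports."""
    entries = [e for e in parse_static_nat(config) if e["inside"] == inside_host]
    udp_ports = {e["port"] for e in entries if e["proto"] == "udp"}
    return {
        "forwards_everything": any(e["proto"] is None for e in entries),
        "missing_udp_ports": sorted(IPSEC_UDP_PORTS - udp_ports),
        # ESP (IP protocol 50) has no ports, so a port-specific static NAT cannot
        # carry it; the peers must negotiate NAT-T so ESP rides inside UDP 4500.
        "esp_note": "ESP cannot be port-forwarded; rely on NAT-T over UDP 4500",
    }
```

Running it on the sample reports `forwards_everything` as true because the blanket line is still present alongside the port-specific ones, which is exactly the state the thread says to clean up.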

Yes.. I've done that. ;)
Now I got another issue with udp 4500.

When I write the command, I get the following error:
"#4500 port in use by system"

You should remove all the NAT configured, clear the NAT translations (clear ip nat trans *) and then add it back using the UDP ports only.
It should work.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I've done that... and it's the same.
I think this is a bug......

Yes, this is a bug and the workaround is to remove all nat statements:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCus49353/?referring_site=bugquickviewredir

I faced it a few weeks ago :-)

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

It works!

Yeah... when we face the same problems, it's easier :)

I did another thing.. I rebooted the router before clearing all the nat statements.

Thanks a lot, dude, for your patience! :D

:-) no problem, I'm here to help

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Philip D'Ath
VIP Alumni
Why not plug the Internet circuit directly into the ASA? Why bother with an RV320 at all?

Because the client does not want that :$ don't ask me why....