asa esp policy

Unanswered Question
Feb 1st, 2007

PIX 6.3 had an esp-ike fixup that worked with PAT. It appears that this is gone as of 7.0 code. It only appears to work with NAT?

Am I correct?

bthibode Sat, 02/03/2007 - 18:33

Version 7.0 will work with PAT. The fixup is gone, however.

Enhanced VPN NAT Transparency:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_70/70_rn/pix_70rn.htm#wp162358

The fixup protocol esp-ike command is not supported in PIX Security appliance Version 7.0. This feature is suited for the PIX 501 and 506/506E platforms, which PIX Security appliance Version 7.0 does not currently support. The workaround requires that the client and head-end be NAT-T capable.

All you have to do is enable NAT-T on both ends of the tunnel.

Please rate if this helps!
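The two configurations the reply contrasts, as an added example that is not part of the original thread or of Cisco's release notes: the PIX 6.3 fixup on the left-hand side of the change, and the 7.0 setup where the home firewall is only a PAT device and NAT-T is negotiated by the client and the head-end. The inside subnet 192.168.1.0/24, the interface names and the ACL name are assumptions.

```cisco
! --- PIX 6.3: what the original poster relied on ---
! The esp-ike fixup rewrites a single IKE/ESP tunnel from one host behind
! PAT. Only one such tunnel is tracked, and the PIX cannot terminate
! ISAKMP itself while this fixup is enabled.
fixup protocol esp-ike

! --- PIX/ASA 7.0 as the home PAT device (assumed inside net 192.168.1.0/24) ---
! There is no fixup. The VPN client and the head-end negotiate NAT-T, so the
! ESP payload reaches this firewall encapsulated in UDP/4500 and is PATed
! like any other UDP flow; nothing IPsec-specific is configured here.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
! Only if an outbound ACL is already applied to the inside interface
! (assumed name inside_out): add IKE (UDP/500) and NAT-T (UDP/4500) to it.
! By default, traffic from a higher- to a lower-security interface is permitted.
access-list inside_out extended permit udp 192.168.1.0 255.255.255.0 any eq isakmp
access-list inside_out extended permit udp 192.168.1.0 255.255.255.0 any eq 4500
access-group inside_out in interface inside

! --- Head-end, if it is a PIX/ASA running 7.0 (the reply's "both ends") ---
! Enable IKE on the public interface and NAT-T with 20-second keepalives so
! the PAT binding on the client side is not aged out during idle periods.
! (7.2 and later spell these as "crypto isakmp enable" / "crypto isakmp nat-traversal".)
isakmp enable outside
isakmp nat-traversal 20
```

To confirm that NAT-T is actually in use, run `show conn` on the home firewall while the client tunnel is up: the translation to the head-end should appear as UDP connections on ports 500 and 4500, not as IP protocol 50 (ESP). If only the UDP/500 connection shows up and the tunnel stalls, one of the two peers has not negotiated NAT-T and the fixup-free firewall has nothing to translate the bare ESP with.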

whanson Mon, 02/05/2007 - 12:08

Thanks, the issue is that we are going to the ASA5504 for home use, and one user must access Contivity through the home ASA. Without the IKE/ESP fixup, this is no longer possible.

Bill
