ASA ESP issue

Unanswered Question
Mar 21st, 2008

We have a new ASA; there are no firewall rules associated with the inside interface. Our finance department has to run the AT&T net client to connect with Medicare, and this now fails. On the ASA I get an error that says: 3|Mar 20 2008|10:41:39|305006|12.64.175.2||regular translation creation failed for protocol 50 src inside:10.0.50.30 dst outside:12.64.175.2


NAT-T is on the firewall, and I also tried inspect ipsec-pass-thru, to no avail. Any other suggestions?

abinjola Fri, 03/21/2008 - 08:02
User Badges:
  • Cisco Employee

On the remote VPN server either enable NAT-T, or create a 1-to-1 static on the firewall, opening ESP and UDP 500 on the firewall.

boshardy1 Fri, 03/21/2008 - 08:53

I don't have control of the remote end; it's Medicare. Is there anything else I can do on my end to make this work, short of doing static NATs? It used to work on my NetScreen firewall somehow; only since switching to the ASA has it broken.

JORGE RODRIGUEZ Fri, 03/21/2008 - 09:47
User Badges:
  • Green, 3000 points or more

In your VPN client, AT&T connection properties, Transport tab, where you have checked off Enable Transparent Tunneling, choose IPsec over UDP (NAT/PAT).


abinjola Fri, 03/21/2008 - 10:06
User Badges:
  • Cisco Employee

Jorge, this would still not work. By default Enable Transparent Tunneling is enabled. Here the problem is that since the remote server doesn't want to enable NAT-Transparency, the ESP packet would never be encapsulated over UDP 4500, and therefore ESP would not be able to be PATed.

The only way to get this working is a 1-to-1 static or NAT traversal.

JORGE RODRIGUEZ Fri, 03/21/2008 - 10:33
User Badges:
  • Green, 3000 points or more

Completely agree, you are right. Wonder what happened to my cup of coffee.

cisco24x7 Fri, 03/21/2008 - 12:50
User Badges:
  • Silver, 250 points or more

One of the things to keep in mind when switching from one firewall vendor, Juniper, to another firewall vendor, Cisco, is that different devices can handle things differently. Devices such as Juniper or NetScreen have the ability to do "IPsec pass-through" that devices such as PIX or ASA can NOT.

That being said, if you replace the ASA with a Cisco IOS router with the ability to do this:

ip nat inside source static udp 192.168.1.1 500 interface F0/0 500
ip nat inside source static esp 192.168.1.1 interface F0/0

where 192.168.1.1 is the host behind the router.

That will enable the client to connect via ESP.

It is very unfortunate that ASA can not do this.

CCIE Security

abinjola Fri, 03/21/2008 - 13:14
User Badges:
  • Cisco Employee

"IPsec pass-through" that devices such as PIX or ASA can NOT.

ASA can do IPsec pass-through, but you cannot port-address-translate an ESP packet. That's the reason NAT-Transparency came into the picture, which means that if the VPN server has it enabled, it detects the client to be behind a PAT device and the client starts encapsulating ESP over UDP, which can be PATed now.

Hope it answers!
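The failure mode described in the two replies above (ESP has no port for a PAT device to rewrite, so a dynamic translation cannot be built; a 1-to-1 static or NAT-T's UDP/4500 encapsulation works), modeled as a small simulation. This is an added example, not code from the thread and not Cisco's implementation. It uses the inside host 10.0.50.30 and the remote server 12.64.175.2 from the question; the outside addresses 203.0.113.1 and 203.0.113.10, the SPI value and the port pool are constructed for the demonstration, and the 305006-style log line is shaped after the message in the question rather than produced by any real device.

```python
"""Toy model of ESP (IP protocol 50) crossing a PAT device.

Added example, not Cisco's code and not from the thread. It shows why
a dynamic PAT cannot translate raw ESP, why a 1-to-1 static can, and
why NAT-T (ESP wrapped in UDP/4500) sidesteps the problem entirely.
Outside addresses (203.0.113.x) and the SPI are constructed values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROTO_UDP = 17
PROTO_ESP = 50


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # None for ESP: no transport-layer ports
    dport: Optional[int] = None
    spi: Optional[int] = None    # ESP Security Parameter Index


class NatDevice:
    """One shared outside address for dynamic PAT, plus optional 1-to-1 statics."""

    def __init__(self, outside_ip: str,
                 statics: Optional[Dict[str, str]] = None) -> None:
        self.outside_ip = outside_ip
        self.statics: Dict[str, str] = statics or {}  # inside ip -> dedicated outside ip
        # PAT table: (proto, inside ip, inside port) -> mapped outside port
        self.xlates: Dict[Tuple[int, str, int], int] = {}
        self.next_port = 1024
        self.log: List[str] = []

    def translate(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as it would leave the outside interface, or None."""
        # A 1-to-1 static rewrites only the address, so any protocol fits,
        # ESP included; the SPI rides through untouched.
        if pkt.src in self.statics:
            return Packet(pkt.proto, self.statics[pkt.src], pkt.dst,
                          pkt.sport, pkt.dport, pkt.spi)

        # Dynamic PAT multiplexes many inside hosts on one outside address by
        # rewriting the source port. ESP has no port to rewrite (and the SPI
        # is chosen by the peers, so it cannot be rewritten either), so no
        # translation slot can be built. This is the 305006 condition.
        if pkt.sport is None:
            self.log.append(
                "305006: regular translation creation failed for protocol "
                f"{pkt.proto} src inside:{pkt.src} dst outside:{pkt.dst}")
            return None

        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.xlates:
            self.xlates[key] = self.next_port
            self.next_port += 1
        return Packet(pkt.proto, self.outside_ip, pkt.dst,
                      self.xlates[key], pkt.dport)


def demo() -> Dict[str, object]:
    """Run the three cases discussed in the thread and return the results."""
    client = "10.0.50.30"    # inside host from the question
    server = "12.64.175.2"   # remote VPN server from the question
    raw_esp = Packet(PROTO_ESP, client, server, spi=0x1234ABCD)
    natt = Packet(PROTO_UDP, client, server, sport=4500, dport=4500)

    pat_only = NatDevice("203.0.113.1")
    with_static = NatDevice("203.0.113.1", statics={client: "203.0.113.10"})

    return {
        "esp_under_pat": pat_only.translate(raw_esp),       # None: cannot PAT ESP
        "pat_log": pat_only.log,                            # the 305006-style line
        "natt_under_pat": pat_only.translate(natt),         # UDP/4500 gets a port
        "esp_with_static": with_static.translate(raw_esp),  # 1-to-1 carries ESP
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `statics` map is the model's counterpart of the 1-to-1 static proposed earlier in the thread: the inside host gets its own outside address, so nothing needs to be multiplexed and ESP passes with its SPI intact. The `natt` case is what the same client's traffic looks like once the server agrees to NAT-T; it is ordinary UDP and gets a port like any other flow.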

cisco24x7 Fri, 03/21/2008 - 13:17
User Badges:
  • Silver, 250 points or more

What I meant to say is:

ip nat inside source static udp 192.168.1.1 500 interface F0/0 500
ip nat inside source static esp 192.168.1.1 interface F0/0

Can ASA do this?

jan.nielsen Sat, 03/22/2008 - 18:34
User Badges:
  • Gold, 750 points or more

Oh, and also, run 7.2 software; I think I remember something about some bugs with the IPsec inspect before this release.
