ASA ESP issue

boshardy1
Level 1

We have a new ASA, there are no firewall rules associated to the inside interface. Our finance department has to run the AT&T net client to connect with Medicare, this now fails. On the ASA I get an error that says 3|Mar 20 2008|10:41:39|305006|12.64.175.2||regular translation creation failed for protocol 50 src inside:10.0.50.30 dst outside:12.64.175.2

NAT-T is on the firewall and I also tried the inspect ipsec pass through to no avail. Any other suggestions?

10 Replies

abinjola
Cisco Employee

On the remote VPN server either enable NAT-T, or create a 1-1 static on the firewall opening ESP and UDP-500 on the firewall.

I don't have control of the remote end, it's Medicare. Is there anything else I can do on my end to make this work short of doing static NATs? It used to work on my Netscreen firewall somehow; only since switching to the ASA has it broken.

In your VPN client, ATT connection properties, Transport tab, where you have checked off "Enable Transparent Tunneling", choose "IPsec over UDP (NAT/PAT)".

Jorge Rodriguez

Jorge, this would still not work. By default "Enable Transparent Tunneling" is enabled. The problem here is that since the remote server doesn't want to enable NAT-Transparency, the ESP packet would never be encapsulated over UDP 4500, and therefore ESP would not be able to be PATed...

The only way to get this working is a 1-1 static or NAT traversal.

Completely agree, you are right.. wonder what happened to my cup of coffee..

Jorge Rodriguez

One of the things to keep in mind when switching from one firewall vendor, Juniper, to another firewall vendor, Cisco, is that different devices can handle things differently. Devices such as Juniper or Netscreen have the ability to do "IPSec pass-through" that devices such as Pix or ASA can NOT.

That being said, if you replace the ASA with a Cisco IOS router with the ability to do this:

ip nat inside source static udp 192.168.1.1 500 interface F0/0 500

ip nat inside source static esp 192.168.1.1 interface F0/0

where 192.168.1.1 is the host behind the router.

That will enable the client to connect via ESP.

It is very unfortunate that ASA can not do this.

CCIE Security

"IPSec pass-through" that devices such as Pix or ASA can NOT.

ASA can do IPsec pass-through, but you cannot port address translate an ESP packet. That's the reason NAT-Transparency came into the picture, which means if the VPN server has it enabled it detects that the client is behind a PAT device and the client starts encapsulating ESP over UDP, which can be PATed now...

Hope it answers!
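To show why the thread's fix works, here is an added example (not from the original thread, Cisco, or the ASA code): a toy PAT table that rejects a raw ESP packet (protocol 50) because there is no port to rewrite, while the same ESP payload encapsulated in UDP 4500 by NAT-T translates fine. The outside address 203.0.113.1, the SPI value and the packets themselves are constructed for the example.

```python
import socket
import struct

ESP, UDP, TCP = 50, 17, 6          # IP protocol numbers
NAT_T_PORT = 4500                  # UDP port carrying NAT-T encapsulated ESP

def build_ipv4(proto, src, dst, payload):
    """Constructed sample IPv4 header (20 bytes, checksum left at 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def build_udp(sport, dport, data):
    """Constructed sample UDP header (length set, checksum left at 0)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

class PatTable:
    """Port-overloading NAT (PAT): entries are keyed on (src ip, proto, src port)."""
    def __init__(self, outside_ip, first_port=1024):
        self.outside_ip, self.next_port, self.entries = outside_ip, first_port, {}

    def translate(self, packet):
        ihl = (packet[0] & 0x0F) * 4
        proto = packet[9]
        src = socket.inet_ntoa(packet[12:16])
        dst = socket.inet_ntoa(packet[16:20])
        if proto in (UDP, TCP):
            # The transport header has a source port, so PAT can allocate a
            # unique outside port and rewrite it: many hosts share one outside IP.
            sport = struct.unpack("!H", packet[ihl:ihl + 2])[0]
            key = (src, proto, sport)
            if key not in self.entries:
                self.entries[key] = (self.outside_ip, self.next_port)
                self.next_port += 1
            return ("ok", key, self.entries[key])
        # ESP (protocol 50) carries an SPI but no port: there is nothing for PAT
        # to rewrite, so no translation can be built (compare ASA syslog 305006).
        return ("fail", f"translation creation failed for protocol {proto} "
                        f"src inside:{src} dst outside:{dst}", None)

def raw_esp_through_pat():
    """Client sends raw ESP (constructed SPI 0x1234, seq 1) through PAT-only firewall."""
    esp = struct.pack("!II", 0x1234, 1) + b"\x00" * 16
    pkt = build_ipv4(ESP, "10.0.50.30", "12.64.175.2", esp)
    return PatTable("203.0.113.1").translate(pkt)[0]   # returns "fail"

def nat_t_esp_through_pat():
    """Same ESP payload, but the peer agreed to NAT-T so it rides inside UDP 4500."""
    esp = struct.pack("!II", 0x1234, 1) + b"\x00" * 16
    udp = build_udp(NAT_T_PORT, NAT_T_PORT, esp)
    pkt = build_ipv4(UDP, "10.0.50.30", "12.64.175.2", udp)
    return PatTable("203.0.113.1").translate(pkt)[0]   # returns "ok"
```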

What I meant to say is:

ip nat inside source static udp 192.168.1.1 500 interface F0/0 500

ip nat inside source static esp 192.168.1.1 interface F0/0

Can ASA do this?

Oh, and also, run 7.2 software; I think I remember something about some bugs with the ipsec inspect before this release.
