VPN pass-through inside->outside ASA5500

Answered Question

Hi


My problem is as follows:


Users with Nortel VPN clients want to connect to a VPN server on the Internet, through a Cisco ASA 5500 firewall.


They can connect, but the login stalls. The ASA log says the following:


" regular translation failed for protocol 50 src Intern:10.162.14.100 dst Internet:217.*.*.* "


PAT is in use on the WAN/Internet interface. I have attached an edited version of the config.


Any tips on what I can do to get the transparency I need to allow these clients through the firewall?


Best regards

O.V



Correct Answer by Jason Gervia (Cisco Employee), Mon, 04/21/2008 - 06:18

O.V.,


There is nothing really to do here. ESP uses IP protocol 50 and is *not* TCP, which means it cannot be PATed.


Typically what happens is that the client and the server realize that one of them is being NATed (by comparing hashes of the IP addresses each is sending and the IP they are getting), and negotiate NAT traversal.


Typically if they don't negotiate NAT traversal, that means one end or the other doesn't have it turned on. Have your client and server guys check that out to see what is going on, and make sure you have UDP 4500 allowed through your firewall.


You can read more on NAT traversal here:

http://en.wikipedia.org/wiki/NAT_traversal


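
The address-hash comparison Jason describes is the IKEv1 NAT-D exchange from RFC 3947, and the UDP 4500 port he mentions is the RFC 3948 encapsulation that lets ESP cross a PAT device once a NAT is detected. The Python below is an added illustration for this thread, not code from the post, from Cisco or from Nortel: it computes the NAT-D payloads a client sends, shows how the server decides which side is behind NAT from the source address it actually sees, and classifies UDP/4500 traffic as IKE or UDP-encapsulated ESP. The server address 203.0.113.5, the PATed address 198.51.100.7:41234, and the IKE cookies are constructed values; the client address is the one from the ASA log line.

```python
"""
RFC 3947 NAT discovery (NAT-D) for IKEv1, plus the RFC 3948 UDP/4500 framing
that carries ESP through a PAT device after NAT-T has been negotiated.

Added example for this discussion; not code from the original post or from
any Cisco or Nortel product. Addresses, ports and cookies are constructed.
"""
import hashlib
import ipaddress
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE on UDP/4500 is prefixed with a zero SPI
IKE_PORT, NAT_T_PORT = 500, 4500


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "sha1") -> bytes:
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), all in network byte order."""
    ip_bytes = ipaddress.ip_address(ip).packed
    return hashlib.new(hash_name, cky_i + cky_r + ip_bytes + struct.pack("!H", port)).digest()


def build_nat_d_payloads(cky_i, cky_r, local_ip, local_port, remote_ip, remote_port):
    """A peer sends its view of the REMOTE address first, then its own address(es)."""
    return [
        nat_d_hash(cky_i, cky_r, remote_ip, remote_port),
        nat_d_hash(cky_i, cky_r, local_ip, local_port),
    ]


def detect_nat(cky_i, cky_r, payloads, own_ip, own_port, seen_src_ip, seen_src_port):
    """Receiver side. Returns (i_am_behind_nat, peer_is_behind_nat).

    payloads[0] is the sender's idea of MY address; payloads[1:] is the sender's idea
    of its own addresses. Anything rewritten in transit no longer hashes to the same value.
    """
    if len(payloads) < 2:
        raise ValueError("peer sent no NAT-D payloads: NAT-T is not supported or not enabled")
    i_am_natted = payloads[0] != nat_d_hash(cky_i, cky_r, own_ip, own_port)
    peer_natted = nat_d_hash(cky_i, cky_r, seen_src_ip, seen_src_port) not in payloads[1:]
    return i_am_natted, peer_natted


def negotiated_port(i_am_natted, peer_natted):
    """Once either side detects a NAT, both float IKE and ESP to UDP/4500."""
    return NAT_T_PORT if (i_am_natted or peer_natted) else IKE_PORT


def classify_udp4500(payload: bytes) -> str:
    """On UDP/4500: a 1-byte 0xFF is a NAT keepalive, a leading zero SPI is IKE,
    anything else is UDP-encapsulated ESP (a real ESP SPI is never zero)."""
    if payload == b"\xff":
        return "keepalive"
    if len(payload) < 4:
        return "runt"
    return "ike" if payload[:4] == NON_ESP_MARKER else "esp"


def run_scenario(client_natted: bool):
    """Client 10.162.14.100 behind the ASA talking to a server on the Internet.
    Returns (server_behind_nat, client_behind_nat, port the peers settle on)."""
    cky_i, cky_r = bytes.fromhex("0123456789abcdef"), bytes.fromhex("fedcba9876543210")  # constructed
    client_ip, server_ip = "10.162.14.100", "203.0.113.5"   # server address constructed
    # What the server actually sees as the UDP source after the ASA's PAT (constructed):
    seen_ip, seen_port = ("198.51.100.7", 41234) if client_natted else (client_ip, IKE_PORT)
    sent = build_nat_d_payloads(cky_i, cky_r, client_ip, IKE_PORT, server_ip, IKE_PORT)
    server_natted, client_seen_natted = detect_nat(
        cky_i, cky_r, sent, server_ip, IKE_PORT, seen_ip, seen_port)
    return server_natted, client_seen_natted, negotiated_port(server_natted, client_seen_natted)


if __name__ == "__main__":
    print("with PAT   :", run_scenario(True))    # client is seen as NATed -> move to UDP/4500
    print("without PAT:", run_scenario(False))   # hashes match -> stay on UDP/500, raw ESP
    esp = struct.pack("!II", 0x0000ABCD, 1) + b"\x00" * 16    # SPI, sequence, ciphertext (constructed)
    print(classify_udp4500(NON_ESP_MARKER + b"\x22" * 28), classify_udp4500(esp), classify_udp4500(b"\xff"))
```

The PAT case is exactly the situation in the log line: the server's own address hashes correctly (it is not NATed), but the client's hash of 10.162.14.100:500 does not match the 198.51.100.7:41234 the server sees, so the client is flagged as behind a NAT and both sides move to UDP/4500, where the ESP rides inside UDP and the ASA can PAT it like any other UDP flow. If either end has NAT-T disabled, no NAT-D payloads are exchanged, the peers stay on raw protocol 50, and the ASA logs the translation failure seen above.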


pcslalan1 Fri, 07/18/2008 - 22:42

I agree, ports 500 and 4500 are usually the ones which need to be allowed on the upstream firewall if it's doing the NAT.


Both are UDP, so I think allowing them should resolve the issue.

