
New Member

ASA ESP issue

We have a new ASA; there are no firewall rules associated with the inside interface. Our finance department has to run the AT&T net client to connect with Medicare, and this now fails. On the ASA I get an error that says: 3|Mar 20 2008|10:41:39|305006|12.64.175.2||regular translation creation failed for protocol 50 src inside:10.0.50.30 dst outside:12.64.175.2

NAT-T is on the firewall, and I also tried the inspect ipsec pass-through, to no avail. Any other suggestions?

10 REPLIES
Cisco Employee

Re: ASA ESP issue

Either enable NAT-T on the remote VPN server, or create a 1-1 static on the firewall, opening ESP and UDP-500 on the firewall.

New Member

Re: ASA ESP issue

I don't have control of the remote end; it's Medicare. Is there anything else I can do on my end to make this work, short of doing static NATs? It used to work on my NetScreen firewall somehow; only since switching to the ASA has it broken.

Re: ASA ESP issue

In your VPN client, ATT connection properties, Transport tab, where you have checked "Enable Transparent Tunneling", choose "IPsec over UDP (NAT/PAT)".

Cisco Employee

Re: ASA ESP issue

Jorge, this would still not work. By default, Enable Transparent Tunneling is enabled. The problem here is that since the remote server doesn't want to enable NAT-Transparency, the ESP packet would never be encapsulated over UDP 4500, and therefore ESP would not be able to be PATed.

The only way to get this working is a 1-1 static or NAT traversal.

Re: ASA ESP issue

Completely agree, you are right. Wonder what happened to my cup of coffee.

Silver

Re: ASA ESP issue

One of the things to keep in mind when switching from one firewall vendor, Juniper, to another firewall vendor, Cisco, is that different devices can handle things differently. Devices such as Juniper or NetScreen have the ability to do "IPSec pass-through" that devices such as PIX or ASA can NOT.

That being said, if you replace the ASA with a Cisco IOS router with the ability to do this:

ip nat inside source static udp 192.168.1.1 500 interface F0/0 500

ip nat inside source static esp 192.168.1.1 interface F0/0

where 192.168.1.1 is the host behind the router, that will enable the client to connect via ESP.

It is very unfortunate that ASA can not do this.

CCIE Security

Cisco Employee

Re: ASA ESP issue

"IPSec pass-through" that devices such as PIX or ASA can NOT.

ASA can do IPSec pass-through, but you cannot port address translate an ESP packet. That's the reason NAT-Transparency came into the picture, which means that if the VPN server has it enabled, it detects the client to be behind a PAT device and the client starts encapsulating ESP over UDP, which can be PATed now.

Hope it answers!
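The point made in the replies above (a PAT device has no Layer 4 port to rewrite in a raw ESP packet, so the translation cannot be created, whereas IKE on UDP/500 and NAT-T's ESP-in-UDP/4500 translate fine) can be shown with a small simulation. This is an added example written for this thread, not Cisco code and not the ASA's actual NAT implementation: it builds constructed IPv4/UDP and IPv4/ESP packets with the inside and outside addresses from the original log line (10.0.50.30 and 12.64.175.2), assumes a made-up outside address 198.51.100.1 for the PAT device, and models a toy translator keyed on (protocol, inside IP, inside port) that reports failures in the style of the log line quoted in the question.

```python
import socket
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50
INSIDE_HOST = "10.0.50.30"    # inside host from the thread's log line
REMOTE_VPN = "12.64.175.2"    # remote VPN server from the thread's log line
OUTSIDE_IP = "198.51.100.1"   # constructed outside address of the PAT device


def build_ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options, checksum left at 0) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_udp(sport, dport, data):
    """UDP header (checksum left at 0) plus data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_esp(spi, seq, data):
    """ESP header (SPI, sequence number) followed by the (already encrypted) payload."""
    return struct.pack("!II", spi, seq) + data


def parse_ipv4(pkt):
    """Return the fields a translator would look at: addresses, protocol, and ports or SPI."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    info = {"src": socket.inet_ntoa(pkt[12:16]),
            "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": proto}
    if proto == IPPROTO_UDP:
        info["sport"], info["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    elif proto == IPPROTO_ESP:
        info["spi"], info["seq"] = struct.unpack("!II", pkt[ihl:ihl + 8])
    return info


class Pat:
    """Toy PAT: many inside hosts share one outside IP, distinguished by a rewritten source port."""

    def __init__(self, outside_ip, first_port=1024):
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.table = {}   # (proto, inside ip, inside port) -> outside port

    def translate(self, pkt):
        """Return (translated packet, log text), or (None, failure text) when no port exists."""
        p = parse_ipv4(pkt)
        if p["proto"] != IPPROTO_UDP:
            # ESP carries an SPI, not a port, so there is nothing to rewrite that would
            # let the translator tell two inside hosts apart behind one outside address.
            return None, ("regular translation creation failed for protocol %d "
                          "src inside:%s dst outside:%s" % (p["proto"], p["src"], p["dst"]))
        key = (p["proto"], p["src"], p["sport"])
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        new_port = self.table[key]
        ihl = (pkt[0] & 0x0F) * 4
        out = bytearray(pkt)
        out[12:16] = socket.inet_aton(self.outside_ip)      # rewrite source IP
        out[ihl:ihl + 2] = struct.pack("!H", new_port)      # rewrite UDP source port
        return bytes(out), "translated %s:%d -> %s:%d" % (p["src"], p["sport"],
                                                         self.outside_ip, new_port)


def simulate(nat_t_enabled):
    """Push an IKE packet and a data packet through the PAT; data is raw ESP or ESP-in-UDP/4500."""
    pat = Pat(OUTSIDE_IP)
    esp = build_esp(0x1234ABCD, 1, b"\x00" * 32)   # constructed ciphertext
    ike = build_ipv4(INSIDE_HOST, REMOTE_VPN, IPPROTO_UDP, build_udp(500, 500, b"\x00" * 28))
    if nat_t_enabled:
        data = build_ipv4(INSIDE_HOST, REMOTE_VPN, IPPROTO_UDP, build_udp(4500, 4500, esp))
    else:
        data = build_ipv4(INSIDE_HOST, REMOTE_VPN, IPPROTO_ESP, esp)
    return [(out is not None, msg) for out, msg in (pat.translate(ike), pat.translate(data))]


if __name__ == "__main__":
    for label, enabled in (("without NAT-T", False), ("with NAT-T", True)):
        print(label)
        for ok, msg in simulate(enabled):
            print("  ", "OK  " if ok else "FAIL", msg)
```

Running it without NAT-T reproduces the shape of the question's error (IKE translates, the ESP packet does not); with NAT-T both packets are ordinary UDP and translate. The IOS static entries in the later reply sidestep the problem differently: a 1-1 mapping for protocol 50 needs no port because only one inside host is ever behind it.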

Silver

Re: ASA ESP issue

What I meant to say is:

ip nat inside source static udp 192.168.1.1 500 interface F0/0 500

ip nat inside source static esp 192.168.1.1 interface F0/0

Can ASA do this?

Re: ASA ESP issue

Oh, and also, run 7.2 software; I think I remember something about some bugs with the ipsec inspect before this release.
