Re: Cisco ASA Version 8.4(3): VPN Passthrough Problem with NCP C
I have encountered a very similar problem. Some customers and partners require us to use a remote access VPN to support them. When the firewall was running 8.2(5) it worked fine. It now requires some annoying hacks to make it work on 8.4(3). My least favorite of these hacks is a 'magical' NAT that prevents inside hosts from stealing port 500.
Here is what I did and it seems to be working (but is definitely ugly):
object network VPN-endpoint
 description Prevent inside hosts from stealing VPN endpoint with PAT
!
! The object's address is not shown in the post; the nat line below needs one.
! <vpn-endpoint-address> is a placeholder, replace it with the real host.
 host <vpn-endpoint-address>
 nat (any,outside) static interface service udp isakmp isakmp
!
access-list ipsecpassthroughacl extended permit udp any any eq isakmp
access-list ipsecpassthroughacl extended permit object-group TCPUDP any any eq 4500
!
! class-map wrapper assumed (the post shows only the match line)
class-map ipsecpassthroughclass
 match access-list ipsecpassthroughacl
!
policy-map type inspect ipsec-pass-thru iptmap
 parameters
!
! policy-map and class wrapper assumed (the post shows only the inspect line)
policy-map inspection_policy
 class ipsecpassthroughclass
  inspect ipsec-pass-thru iptmap
!
service-policy inspection_policy interface outside