New Member

IPSec Pass Through on ASA

I have a third party firewall behind a Cisco ASA. The Cisco ASA is doing PAT as there are no other IP addresses available. The third party firewall is attempting to build an IPSec tunnel to another firewall. The IPSec tunnel is not coming up. When I do a capture on the Cisco ASA firewall I see traffic hit the inside interface and leave the outside interface. I then see the reply traffic return and hit the outside interface of my Cisco ASA but it is not being allowed to pass through to the inside interface. I have enabled NAT-T on the third party firewall but it still does not get the reply traffic because it gets stopped at the Cisco ASA.

Any thoughts?

5 REPLIES

IPSec Pass Through on ASA

On your outside access-list (inbound) make sure you're allowing the following ports to your third party firewall.

IP 50

UDP 500

UDP 4500

Kind Regards,

Kevin

**Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.

Kind Regards, Kevin Sheahan, CCIE # 41349
New Member

IPSec Pass Through on ASA

Already allowing each of those in the outside access-list (inbound).

IPSec Pass Through on ASA

Is your third party FW attached directly to your ASA? If not, do you have a route to that device on your ASA?

Please perform a packet-tracer to see why the return traffic is not reaching the third party FW..

packet-tracer input outside udp <remote-peer-ip> 500 <third-party-fw-ip> 500 detailed

If the packet-tracer shows traffic going through successfully, perhaps it is your third party FW that is blocking the traffic?

Please reply with packet-tracer results.

Kind Regards,

Kevin

New Member

IPSec Pass Through on ASA

For the destination address, would I put the internal address or the public NAT address?

IPSec Pass Through on ASA

You would put the NAT address, which brings up another point: this needs to be NATed to a dedicated global address (via static NAT).

Kind Regards,

Kevin

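As an added illustration of the advice in this thread (not Kevin's configuration or anything posted by the original asker), here is what the static NAT, the inbound ACL for ESP/IKE/NAT-T, and the packet-tracer check look like in ASA 8.3+ syntax, where ACLs reference the real (inside) address. The interface names, object names and all addresses (RFC 5737 documentation ranges) are assumed.

```cisco
! Give the third-party firewall its own public address with one-to-one static
! NAT rather than sharing the PAT address: returning ESP carries no port, so a
! PAT entry gives the ASA nothing to map it back to the inside host with.
object network THIRD-PARTY-FW
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
!
! Remote IPsec peer (assumed); restricting the source to it keeps the
! outside ACL from exposing IKE/ESP to the whole Internet.
object network REMOTE-VPN-PEER
 host 198.51.100.20
!
! Inbound ACL on the outside interface: IKE (UDP/500), NAT-T (UDP/4500)
! and ESP (IP protocol 50). Post-8.3 the destination is the real address,
! which is why the object holding 10.1.1.10 is used here, not 203.0.113.10.
access-list OUTSIDE_IN extended permit udp object REMOTE-VPN-PEER object THIRD-PARTY-FW eq isakmp
access-list OUTSIDE_IN extended permit udp object REMOTE-VPN-PEER object THIRD-PARTY-FW eq 4500
access-list OUTSIDE_IN extended permit esp object REMOTE-VPN-PEER object THIRD-PARTY-FW
access-group OUTSIDE_IN in interface outside
!
! Verify the return path: simulate the peer's IKE reply arriving on the
! outside interface, addressed to the NAT (public) address, not the inside one.
packet-tracer input outside udp 198.51.100.20 500 203.0.113.10 500 detailed
```

In the packet-tracer output every phase should report an allow action; a drop in the ACCESS-LIST phase points at the outside ACL, and a drop in the NAT or ROUTE-LOOKUP phase means the ASA has no usable translation or route back to the inside host, which is the symptom the asker described.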