cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2930
Views
0
Helpful
1
Replies

Setup of IPSec Passthrough

jialoh
Level 1
Level 1

Hi All,

I would like to get some help on IPSec Passthrough on an ASA 5520, with version 8.3, and ASDM 6.3. Currently I have a requirement for users in my internal network (10.10.249.128 / 25) to be able to connect to external IPSec VPN servers.

So I created a network object with 10.10.249.128 / 25, and used dynamic PAT to translate the source ip address to the external internet facing outside interface:

29-Mar-12 4-09-43 PM.png

I then added the following rules on the inside-in ACL:

However troubleshooting shows that isakmp is passing through the firewall, but esp and ah is not.

For isakmp:

29-Mar-12 4-15-05 PM.png

For ESP:

29-Mar-12 4-17-21 PM.png

Seems like the nat rule is drawing my ESP traffic, can any one point me in the correct direction?

Kind Regards,

Jia Wei

1 Reply 1

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

Have you tried an actual VPN Client connection through the ASA from the guest network? Or is the problem only based on testing this thing with packet-tracer on ASDM side?

I dont remember ever opening ESP/HA for Cisco VPN Client traffic

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: