ASA and allowing IP Protocol 50 [ESP]

D0nprintup_2
Level 1

I currently have an ASA, and behind the ASA is a router. This is not our router but a vendor's. The router establishes a VPN tunnel to their main HQ. I am having a problem setting up the ASA. We are not NATing the router, so it has an internal IP address.

The vendor gave me the following instructions.

1) Open UDP 500 and UDP 4500 (I have done this).

2) If the router isn't NATed, then we need IPsec pass-through (IP Proto 50 [ESP]) enabled.

I am having a hard time trying to figure out how to enable it.

Is it on by default?


jwalker
Level 3

One quick question first... Will this device ONLY be doing outbound communication? If it is bidirectional, then you will need a static translation and the appropriate inbound ACLs.

Otherwise, try the following ACLs on whatever interface is local to the device.

(This is an example; you must insert your own IPs.)

access-list outbound_access extended permit esp host 192.168.1.1 host 1.1.1.1
access-list outbound_access extended permit udp host 192.168.1.1 host 1.1.1.1 eq 500
access-list outbound_access extended permit udp host 192.168.1.1 host 1.1.1.1 eq 4500

Please rate if this helps.
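A fuller worked configuration for the two cases the reply describes (outbound-only, and bidirectional with a static translation), added here as an example and not part of the original reply. It assumes the same placeholder addresses as above, that the ASA interfaces are named "inside" and "outside", that 203.0.113.10 is a placeholder public address you own, and that the ASA runs 8.3 or later (where ACLs reference the real, untranslated address).

```cisco
! Placeholders (replace with your own values):
!   192.168.1.1  = vendor router's internal address (not NATed)
!   1.1.1.1      = vendor HQ VPN peer
!   203.0.113.10 = your public address used only for the bidirectional case
!
! Case 1: router only initiates the tunnel (outbound).
! Permit ESP (IP protocol 50), IKE (UDP 500) and NAT-T (UDP 4500)
! from the router to the HQ peer.
access-list outbound_access extended permit esp host 192.168.1.1 host 1.1.1.1
access-list outbound_access extended permit udp host 192.168.1.1 host 1.1.1.1 eq 500
access-list outbound_access extended permit udp host 192.168.1.1 host 1.1.1.1 eq 4500
! Caution: once an ACL is bound to "inside", the default permit for traffic
! from a higher- to a lower-security interface no longer applies; everything
! not explicitly permitted is dropped. Add permits for the other inside hosts
! before binding, or this line will cut them off.
access-group outbound_access in interface inside
!
! Case 2: HQ must also be able to initiate to the router (bidirectional).
! One-to-one static translation plus an inbound ACL on "outside".
object network VENDOR_ROUTER
 host 192.168.1.1
 nat (inside,outside) static 203.0.113.10
access-list outside_access extended permit esp host 1.1.1.1 object VENDOR_ROUTER
access-list outside_access extended permit udp host 1.1.1.1 object VENDOR_ROUTER eq 500
access-list outside_access extended permit udp host 1.1.1.1 object VENDOR_ROUTER eq 4500
access-group outside_access in interface outside
!
! Verification: the hit counts on each ACE should increase while the
! tunnel negotiates, and the connection table should show the ESP flow
! between the router and the HQ peer.
show access-list outbound_access
show access-list outside_access
show conn | include 192.168.1.1
```

If only the UDP 500 counter increases and the ESP counter stays at zero, the peers are negotiating but ESP is being blocked or NAT-T is being used instead, which is the symptom the vendor's "IPsec pass-through" instruction is meant to address.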
