
ASA and allowing IP Protocol 50 [ESP]

I currently have an ASA, and behind the ASA is a router. This is not our router but a vendor's. The router establishes a VPN tunnel to their main HQ. I am having a problem setting up the ASA. We are not NATing the router, so it has an internal IP address.

The vendor gave me the following instructions.

1) open udp-500 and udp-4500 (I have done this)

2) if the router isn't NAT'ed then we need IPSec Pass-through (IP Proto 50 [ESP]) enabled.

I am having a hard time trying to figure out how to enable it.

Is it on by default?


Re: ASA and allowing IP Protocol 50 [ESP]

One quick question first... Will this device ONLY be doing outbound communication? If it is bidirectional, then you will need a static translation and the appropriate inbound ACLs.

Otherwise, try the following ACLs on whatever interface is local to the device.

(This is an example; you must insert your own IPs.)

access-list outbound_access extended permit esp host host

access-list outbound_access extended permit udp host host eq 500

access-list outbound_access extended permit udp host host eq 4500

Pls rate if this helps
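
An added example, not part of the thread or of any Cisco tool: a small Python check that reads ASA `access-list` lines and reports which of the three flows named in the vendor's instructions (ESP, UDP 500, UDP 4500) are still not permitted between two hosts. The addresses 10.1.1.2 and 203.0.113.5 and the sample config are constructed for illustration; only host-to-host entries like those in the reply are parsed.

```python
import re

# Flows from the vendor's instructions: ESP (IP protocol 50), IKE and NAT-T.
REQUIRED = {"esp": ("esp", None), "ike": ("udp", 500), "nat-t": ("udp", 4500)}
PROTO_ALIASES = {"50": "esp"}    # protocol may be written by number
PORT_ALIASES = {"isakmp": 500}   # the ASA shows udp/500 as "isakmp"

# Assumption of this sketch: only the host-to-host ACE form used in the thread
# is parsed; ACEs written with "any", subnets or object-groups are skipped.
ACE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+host\s+(?P<src>\S+)\s+host\s+(?P<dst>\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)

def parse_ace(line):
    """Parse one access-list entry into a dict, or return None."""
    m = ACE.match(line.strip())
    if not m:
        return None
    ace = m.groupdict()
    ace["proto"] = PROTO_ALIASES.get(ace["proto"], ace["proto"])
    port = PORT_ALIASES.get(ace["port"], ace["port"])
    ace["port"] = int(port) if isinstance(port, str) and port.isdigit() else port
    return ace

def missing_flows(config, acl, src, dst):
    """Required flows that `acl` does not permit from src to dst."""
    verdict = {}  # flow -> permitted?, decided by the first matching ACE
    for line in config.splitlines():
        ace = parse_ace(line)
        if not ace or ace["name"] != acl or (ace["src"], ace["dst"]) != (src, dst):
            continue
        for flow, (proto, port) in REQUIRED.items():
            hit = ace["proto"] in (proto, "ip") and ace["port"] in (None, port)
            if hit and flow not in verdict:
                verdict[flow] = ace["action"] == "permit"
    # Flows with no verdict fall through to the ACL's implicit deny.
    return sorted(f for f in REQUIRED if not verdict.get(f, False))

# Constructed sample: UDP 500/4500 opened, ESP not yet permitted.
SAMPLE = """
access-list outbound_access extended permit udp host 10.1.1.2 host 203.0.113.5 eq 500
access-list outbound_access extended permit udp host 10.1.1.2 host 203.0.113.5 eq 4500
"""

if __name__ == "__main__":
    print(missing_flows(SAMPLE, "outbound_access", "10.1.1.2", "203.0.113.5"))
```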