ASA and allowing IP Protocol 50 [ESP]

I currently have an ASA and behind the ASA is a router. This is not our router but a vendor's. The router establishes a VPN tunnel to their main HQ. I am having a problem setting up the ASA. We are not NATing the router so it has an internal IP address.

The vendor gave me the following instructions.

1) open udp-500 and udp-4500 (I have done this)

2) if the router isn't NATed then we need IPSec Pass-through (IP Proto 50 [ESP]) enabled.

I am having a hard time trying to figure out how to enable it.

Is it on by default?


Re: ASA and allowing IP Protocol 50 [ESP]

One quick question first... Will this device ONLY be doing outbound communication? If it is bidirectional, then you will need a static translation and the appropriate inbound ACLs.

Otherwise, try the following ACLs on whatever interface is local to the device.

(This is an example; you must insert your own IPs)

access-list outbound_access extended permit esp host 192.168.1.1 host 1.1.1.1
access-list outbound_access extended permit udp host 192.168.1.1 host 1.1.1.1 eq 500
access-list outbound_access extended permit udp host 192.168.1.1 host 1.1.1.1 eq 4500

Pls rate if this helps
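The reply above covers the outbound-only ACLs and mentions the bidirectional case only in passing. The configuration below is an added, fuller example written for this page; it is not the reply author's configuration. It assumes ASA 8.3 or later NAT and object syntax, interfaces named "inside" and "outside", the router at 192.168.1.1 and the vendor headend at 1.1.1.1 (both addresses taken from the reply), a placeholder public address 203.0.113.10 for the static translation, and the ACL and object names shown, all of which are the example's own choices. It also shows the ASA's IPsec Pass Through inspection, which is the "IPSec Pass-through" feature the vendor asked about: it watches the IKE session on UDP 500 and dynamically permits the matching ESP flow, so no permanent inbound ESP hole is needed when the router always initiates.

```cisco
! Added example, not the reply author's config. Assumes ASA 8.3+ syntax,
! interfaces "inside" and "outside", router 192.168.1.1, headend 1.1.1.1.

object network VENDOR_ROUTER
 host 192.168.1.1
object network VENDOR_HEADEND
 host 1.1.1.1

! --- Case 1: the router only ever initiates the tunnel -------------------
! Permit exactly IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50)
! from the router to the headend. Nothing else from the router is allowed,
! which keeps the vendor device from reaching the rest of the network.
access-list inside_access_in extended permit udp object VENDOR_ROUTER object VENDOR_HEADEND eq 500
access-list inside_access_in extended permit udp object VENDOR_ROUTER object VENDOR_HEADEND eq 4500
access-list inside_access_in extended permit esp object VENDOR_ROUTER object VENDOR_HEADEND
access-group inside_access_in in interface inside

! ESP has no ports, so the ASA cannot tie return ESP packets to the outbound
! flow on its own. IPsec Pass Through inspection opens the reverse ESP flow
! for the pair of hosts that completed IKE on UDP 500 and closes it on
! timeout, instead of a standing inbound "permit esp any" rule.
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru

! --- Case 2: the headend may also initiate toward the router --------------
! The reply's suggestion: a static (1:1) translation plus inbound ACLs.
! A 1:1 static NAT rewrites only the IP address, never ports, so ESP
! survives it; 203.0.113.10 is a placeholder public address.
object network VENDOR_ROUTER
 nat (inside,outside) static 203.0.113.10

! On 8.3+ the inbound ACL references the real (untranslated) address.
access-list outside_access_in extended permit udp object VENDOR_HEADEND object VENDOR_ROUTER eq 500
access-list outside_access_in extended permit udp object VENDOR_HEADEND object VENDOR_ROUTER eq 4500
access-list outside_access_in extended permit esp object VENDOR_HEADEND object VENDOR_ROUTER
access-group outside_access_in in interface outside

! --- Verification (exec mode, not config) ----------------------------------
! show access-list inside_access_in        -> hit counts should climb when
!                                             the router tries to build IKE
! packet-tracer input inside udp 192.168.1.1 500 1.1.1.1 500
!                                          -> should end in "ALLOW" and list
!                                             the ACL and NAT phases it hit
```

Apply only the case that matches the answer to the reply's first question: for an outbound-only router, case 1 with the inspection is enough and exposes nothing inbound; add case 2 only if the vendor confirms their headend must open connections toward the router. The `packet-tracer` line is a real ASA command; the UDP form shown is the one to start with, and a `show conn` on the ASA after the tunnel is up will show the ESP connection the inspection created.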
