I have a particular problem with my VPN concentrator behind a PIX. I am doing PAT, and all traffic goes out from everywhere and is PATed properly, except my ESP (protocol 50) traffic. I get this message, even though I can get to the Internet using the same inside IP that the error message is talking about (showing that the PAT works).
ESP does not use ports like UDP or TCP, so devices doing PAT cannot handle it easily.
ESP will pass through devices doing PAT if the ESP packet is first encapsulated in UDP; UDP has ports, and the PAT-ing device knows how to translate it. My advice is to enable NAT traversal on your VPN concentrator.
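The point made in the reply above (no ports in ESP, so no PAT binding; UDP encapsulation restores them) can be shown with a small packet model. This is an added example, not code from the thread or from Cisco: it builds a constructed ESP packet (RFC 4303 header: SPI, sequence number, encrypted payload), runs it through a toy port-overloading translator, and then runs the same packet wrapped in a UDP/4500 header as NAT-T does (RFC 3948). The `PatTable` class, the addresses and the SPI are assumptions made for the demonstration.

```python
import struct
from dataclasses import dataclass

IPPROTO_UDP = 17
IPPROTO_ESP = 50
NAT_T_PORT = 4500  # IKE and UDP-encapsulated ESP both use UDP/4500 (RFC 3948)


@dataclass(frozen=True)
class Ipv4Packet:
    src: str
    dst: str
    proto: int
    payload: bytes  # transport header (if any) plus whatever follows it


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP header (RFC 4303): 32-bit SPI, 32-bit sequence number, then the encrypted payload."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved; NAT-T uses a zero marker to mean 'IKE, not ESP'")
    return struct.pack("!II", spi, seq) + ciphertext


def udp_encapsulate(src_port: int, dst_port: int, esp: bytes) -> bytes:
    """UDP-encapsulated ESP (RFC 3948): an ordinary UDP header in front of the unchanged
    ESP packet. The UDP checksum is sent as zero, which RFC 3948 recommends for IPv4."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(esp), 0) + esp


def classify_nat_t_payload(udp_payload: bytes) -> str:
    """On UDP/4500 the first four bytes tell IKE and ESP apart: IKE carries a zero
    'Non-ESP Marker', while ESP starts with its (non-zero) SPI."""
    if len(udp_payload) < 4:
        raise ValueError("truncated NAT-T payload")
    return "IKE" if udp_payload[:4] == b"\x00\x00\x00\x00" else "ESP"


class PatTable:
    """Toy port-overloading NAT (assumed model): one outside address, bindings keyed by
    (inside ip, inside port, destination ip, destination port)."""

    def __init__(self, outside_ip: str, first_port: int = 1024):
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.bindings = {}

    def translate_outbound(self, pkt: Ipv4Packet) -> Ipv4Packet:
        if pkt.proto == IPPROTO_ESP:
            # After the IP header there is only the SPI, and the translator cannot rewrite
            # the SPI without breaking ESP integrity, so there is nothing to overload on.
            raise ValueError(f"ESP from {pkt.src}: no transport ports, cannot build a PAT binding")
        if pkt.proto != IPPROTO_UDP:
            raise ValueError("this toy PAT only understands UDP")
        src_port, dst_port, length, _csum = struct.unpack("!HHHH", pkt.payload[:8])
        key = (pkt.src, src_port, pkt.dst, dst_port)
        if key not in self.bindings:
            self.bindings[key] = self.next_port
            self.next_port += 1
        mapped = self.bindings[key]
        new_hdr = struct.pack("!HHHH", mapped, dst_port, length, 0)
        return Ipv4Packet(self.outside_ip, pkt.dst, IPPROTO_UDP, new_hdr + pkt.payload[8:])


def run_demo() -> dict:
    """Send the same ESP packet from an inside host with and without NAT-T encapsulation."""
    pat = PatTable("203.0.113.1")                      # constructed outside address
    esp = build_esp(spi=0x1234ABCD, seq=1, ciphertext=b"\xaa" * 16)  # constructed sample
    inside, peer = "10.0.0.5", "198.51.100.9"          # constructed addresses

    result = {}
    try:
        pat.translate_outbound(Ipv4Packet(inside, peer, IPPROTO_ESP, esp))
        result["raw_esp"] = "translated"
    except ValueError as err:
        result["raw_esp"] = str(err)

    encapsulated = udp_encapsulate(NAT_T_PORT, NAT_T_PORT, esp)
    out = pat.translate_outbound(Ipv4Packet(inside, peer, IPPROTO_UDP, encapsulated))
    src_port, dst_port = struct.unpack("!HH", out.payload[:4])
    result["nat_t"] = {
        "src": out.src,
        "src_port": src_port,         # rewritten by PAT
        "dst_port": dst_port,         # still 4500, so the peer knows to decapsulate
        "kind": classify_nat_t_payload(out.payload[8:]),
        "esp_intact": out.payload[8:] == esp,  # ESP bytes untouched, integrity check still passes
    }
    return result


if __name__ == "__main__":
    print(run_demo())
```

The raw ESP case fails before any binding is created, which is the situation in the original post: the inside host can reach the Internet over TCP/UDP through the same PAT, but its protocol 50 packets have no port for the translator to overload. With NAT-T the translator only ever sees UDP/4500, rewrites the source port, and leaves the ESP bytes (and therefore the ESP integrity check) untouched.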
Just curious, how are you receiving VPN sessions initiated from the Internet? The usual setup involves a separate static translation in the firewall for the VPN concentrator.