Cisco Support Community
ov
New Member

VPN pass-through inside->outside ASA5500

Hi

My problem is as follows:

Users with Nortel VPN clients want to connect to a VPN server on the internet, through a Cisco ASA 5500 firewall.

They can connect, but the login stops. The ASA log says the following:

" regular translation failed for protocol 50 src Intern:10.162.14.100 dst Internet:217.*.*.* "

PAT is in use on the WAN/Internet interface. I have attached an edited version of the config.

Any tip on what I can do to get the transparency I need to allow these clients through the wall?

Best regards

O.V

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: VPN pass-through inside->outside ASA5500

O.V.,

There is nothing really to do here. ESP uses IP Protocol 50 and is *not* TCP, which means it cannot be PATed.

Typically what happens is that the client and the server realize that one of them is being NATed (by comparing hashes of the IP addresses each is sending and the IP they are getting), and negotiate NAT-traversal.

Typically if they don't negotiate NAT-traversal, that means one end or the other doesn't have it turned on. Have your client and server guys check that out to see what is going on, and make sure you have UDP 4500 allowed through your firewall.

You can read more on NAT traversal here:

http://en.wikipedia.org/wiki/NAT_traversal
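
As an added illustration, not code from the thread or from Cisco, of why the ASA logs a failed translation for protocol 50 and why UDP 4500 is what makes the tunnel work: a small Python model of a raw ESP datagram, its RFC 3948 UDP encapsulation, and a PAT device that can only overload TCP/UDP ports. The header layouts follow RFC 4303 and RFC 3948; the `pat_translate` function and its log strings are a constructed model, not ASA code.

```python
import struct

ESP_PROTO = 50     # IP protocol number for ESP: carries an SPI, but no port field
UDP_PROTO = 17
NATT_PORT = 4500   # RFC 3948 UDP encapsulation port for ESP and IKE

def build_esp(spi: int, seq: int, payload: bytes) -> bytes:
    """Raw ESP (RFC 4303): 4-byte SPI, 4-byte sequence number, then ciphertext."""
    return struct.pack("!II", spi, seq) + payload

def udp_encapsulate_esp(esp: bytes, src_port: int = NATT_PORT) -> bytes:
    """RFC 3948 NAT-T framing: an 8-byte UDP header directly followed by the ESP
    datagram. A zero SPI is reserved, so the receiver can tell ESP from IKE
    (which carries a 4-byte zero "non-ESP marker") by looking at the first word."""
    length = 8 + len(esp)
    return struct.pack("!HHHH", src_port, NATT_PORT, length, 0) + esp

def pat_translate(proto: int, packet: bytes, new_port: int):
    """Constructed model of a PAT device (not ASA code): it can only rewrite the
    source port of transport protocols that have one. Returns (packet, log)."""
    if proto in (6, UDP_PROTO):  # TCP or UDP: ports sit in the first 4 bytes
        dst_port = struct.unpack("!H", packet[2:4])[0]
        translated = struct.pack("!HH", new_port, dst_port) + packet[4:]
        return translated, "translated protocol %d sport->%d" % (proto, new_port)
    # Protocol 50 has no port to overload on, so a single-address PAT pool fails.
    return None, "regular translation failed for protocol %d" % proto

def demo(spi: int = 0x1234ABCD, seq: int = 1, payload: bytes = b"ciphertext") -> dict:
    """Run the same ESP datagram through PAT raw and UDP-encapsulated."""
    esp = build_esp(spi, seq, payload)
    raw_pkt, raw_log = pat_translate(ESP_PROTO, esp, 30000)       # fails, like the ASA log
    natt_pkt, natt_log = pat_translate(UDP_PROTO, udp_encapsulate_esp(esp), 30000)
    return {
        "raw_esp_log": raw_log,
        "natt_log": natt_log,
        # PAT rewrote only the UDP source port; the ESP payload behind it is untouched
        "natt_inner_intact": natt_pkt is not None and natt_pkt[8:] == esp,
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The raw path reproduces the thread's log line; the encapsulated path shows why allowing UDP 4500 (and UDP 500 for IKE) through the PAT firewall is what lets the clients through.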

3 REPLIES

ov
New Member

Re: VPN pass-through inside->outside ASA5500

I've landed on that also. Looking on the client and server side now.

Thank You

New Member

Re: VPN pass-through inside->outside ASA5500

I agree, ports 500 and 4500 are usually the ports which need to be allowed on the upstream firewall if it's doing the NAT.

Both are UDP, so I think allowing them should resolve the issue.
