VPN pass-through inside->outside ASA5500

ov, Level 1

Hi

My problem is as follows:

Users with Nortel VPN clients want to connect to a VPN server on the internet through a Cisco ASA 5500 firewall.

They can connect, but the login stalls. The ASA log says the following:

" regular translation failed for protocol 50 src Intern:10.162.14.100 dst Internet:217.*.*.* "

PAT is in use on the WAN/Internet interface. I have attached an edited version of the config.

Any tip on what I can do to get the transparency I need to allow these clients through the wall?

Best regards

O.V

Accepted Solution

Jason Gervia, Cisco Employee

O.V.,

There is nothing really to do here. ESP uses IP Protocol 50 and is *not* TCP, which means it cannot be PATed.

Typically what happens is that the client and the server realize that one of them is being NATed (by comparing hashes of the IP addresses each is sending and the IP they are getting), and negotiate NAT-traversal.

Typically if they don't negotiate NAT-traversal, that means one end or the other doesn't have it turned on. Have your client and server guys check that out to see what is going on, and make sure you have UDP 4500 allowed through your firewall.

You can read more on NAT traversal here:

http://en.wikipedia.org/wiki/NAT_traversal


3 Replies

I've landed on that also. Looking at the client and server side now.

Thank You

I agree, ports 500 and 4500 are usually the ports which need to be allowed on the upstream firewall if it's doing the NAT.

Both are UDP, so I think allowing them should resolve the issue.
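The accepted answer and the last reply together describe the whole mechanism: PAT needs a port and ESP has none, IKE peers detect a NAT by comparing address hashes, and when one is found both ESP and IKE move to UDP/4500. The script below is an added illustration, not code from the original thread or from Cisco or Nortel. It models the IKEv1 NAT-D hash of RFC 3947 and the UDP/4500 demultiplexing of RFC 3948 in the simplest form; the cookies, the assumed PAT address 203.0.113.7:40123 and the assumed server 198.51.100.9 (the post masks the real one as 217.*.*.*) are constructed for the example, and only the client address 10.162.14.100 comes from the log line in the post.

```python
"""Why ESP (IP protocol 50) cannot be PATed, how IKE peers detect a NAT with
NAT-D hashes (RFC 3947), and what the traffic looks like once it has moved
to UDP/4500 (RFC 3948). Addresses, cookies and packets are constructed for
this example; only 10.162.14.100 is taken from the post."""
import hashlib
import ipaddress
import struct

ESP_PROTO = 50
IKE_PORT = 500
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 s2.2: prefixes IKE sent on 4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948 s2.3: one-byte NAT keepalive


def pat_key(proto: int, src_ip: str, l4_header: bytes):
    """Return the (ip, port) tuple a PAT device rewrites and tracks.
    TCP (6) and UDP (17) carry a 16-bit source port at offset 0; ESP (50)
    carries only a 32-bit SPI and a sequence number, so there is no port
    field to translate, which is what the ASA log line is complaining about."""
    if proto in (6, 17):
        (sport,) = struct.unpack("!H", l4_header[:2])
        return (src_ip, sport)
    if proto == ESP_PROTO:
        return None
    raise ValueError(f"unhandled protocol {proto}")


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload value: HASH(CKY-I | CKY-R | IP | Port), SHA-1
    here because that is what the example's IKE SA is assumed to negotiate."""
    packed_ip = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + packed_ip + struct.pack("!H", port)).digest()


def detect_nat(cky_i: bytes, cky_r: bytes, claimed: tuple, observed: tuple) -> bool:
    """Receiver side: the peer sent the hash of the (ip, port) it believes it
    is using; we hash the (ip, port) the packet actually arrived from. A
    mismatch means a NAT rewrote the header somewhere on the path."""
    return nat_d_hash(cky_i, cky_r, *claimed) != nat_d_hash(cky_i, cky_r, *observed)


def negotiate(initiator_nated: bool, responder_nated: bool) -> dict:
    """Outcome of the NAT-D exchange: if either side is behind a NAT, both
    float IKE to UDP/4500 and wrap ESP in UDP/4500; otherwise ESP stays
    native IP protocol 50. The last key lists what the firewall must permit."""
    if initiator_nated or responder_nated:
        return {"ike_port": NAT_T_PORT, "esp_transport": "udp/4500",
                "firewall_must_permit": ["udp/500", "udp/4500"]}
    return {"ike_port": IKE_PORT, "esp_transport": "ip/50",
            "firewall_must_permit": ["udp/500", "ip/50"]}


def classify_4500(payload: bytes) -> str:
    """Demultiplex a UDP/4500 datagram the way an IPsec stack does: a raw ESP
    packet starts with its SPI, which is never zero, while IKE on 4500 is
    prefixed with four zero bytes and a keepalive is the single byte 0xFF."""
    if payload == NAT_KEEPALIVE:
        return "keepalive"
    if payload[:4] == NON_ESP_MARKER:
        return "ike"
    return "esp"


def demo() -> dict:
    client_inside = ("10.162.14.100", IKE_PORT)   # from the post's log line
    client_as_seen = ("203.0.113.7", 40123)       # assumed: ASA PAT result
    server = ("198.51.100.9", IKE_PORT)           # assumed VPN server address
    cky_i, cky_r = bytes(range(8)), bytes(range(8, 16))   # constructed cookies

    esp_packet = struct.pack("!II", 0x1234ABCD, 1) + b"\x00" * 16  # SPI, seq, data
    client_nated = detect_nat(cky_i, cky_r, client_inside, client_as_seen)
    server_nated = detect_nat(cky_i, cky_r, server, server)
    return {
        "esp_pat_key": pat_key(ESP_PROTO, client_inside[0], esp_packet),
        "client_nated": client_nated,
        "server_nated": server_nated,
        "result": negotiate(client_nated, server_nated),
        "esp_on_4500": classify_4500(esp_packet),
        "ike_on_4500": classify_4500(NON_ESP_MARKER + cky_i + cky_r),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the chain of events from the thread: the ESP packet yields no PAT key, the client's NAT-D hash does not match what the server observes while the server's own does, so the negotiation lands on UDP/4500, which is why the firewall in front of a PATed client needs UDP 500 and UDP 4500 open rather than a translation for protocol 50.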
