Re: Allow ESP on ASA

NAVIN PARWAL · ‎12-14-2006

Folks,

I have an Pix in my company. When a router behind it sets up a vpn tunnel to a concentrator on the internet using ezvpn configuration the connection is built but i can not pass any traffic throught the PIX and have to permit esp to pass traffic through it. Does anyone know why I have to do this. I though when the concentrator is programmed for ipsec over udp it encapsulates the esp packets into udp so that they can traverse a firewall.

Thanks

Parwal

scottosan · ‎12-15-2006

Both devices have to support NAT-Traversal. What IOS version do you have on the routers?

NAVIN PARWAL · ‎12-15-2006

I am going from a router to a concentrator. Router is running 12.4 and the concentrator is running the latest code.. I made sure that ipsec over udp was enabled on the concentrator for that group. Anything I am missing? do i need to enable nat-t o the router? may be a fixup or something on the pix?

Thanks

5220 · ‎01-03-2007

First of all, you need to make sure you haven't created a site-to-site connection :)) . That will use ESP.

Second, if your traffic is not NATed, the IKE will decide not to use transparency.

On the PIX you need to have opened ICMP, UDP 500, 4500, 10000, and ESP if not NAT.

NAT-T is checked globally on the Concentrator, while NAToverUDP (usually over 10000) is checked on a per group basis. NAT-T takes precendence and will be inforced if checked.

If this helped, please rate.