New Member

Allow ESP on ASA

Folks,

I have a PIX in my company. When a router behind it sets up a VPN tunnel to a concentrator on the Internet using an EZVPN configuration, the connection is built but I cannot pass any traffic through the PIX and have to permit ESP to pass traffic through it. Does anyone know why I have to do this? I thought when the concentrator is programmed for IPsec over UDP it encapsulates the ESP packets into UDP so that they can traverse a firewall.

Thanks

Parwal

3 REPLIES
New Member

Re: Allow ESP on ASA

Both devices have to support NAT-Traversal. What IOS version do you have on the routers?

New Member

Re: Allow ESP on ASA

I am going from a router to a concentrator. The router is running 12.4 and the concentrator is running the latest code. I made sure that IPsec over UDP was enabled on the concentrator for that group. Anything I am missing? Do I need to enable NAT-T on the router? Maybe a fixup or something on the PIX?

Thanks

Re: Allow ESP on ASA

First of all, you need to make sure you haven't created a site-to-site connection :)). That will use ESP.

Second, if your traffic is not NATed, IKE will decide not to use transparency.

On the PIX you need to have opened ICMP, UDP 500, 4500 and 10000, and ESP if there is no NAT.

NAT-T is checked globally on the Concentrator, while NAT over UDP (usually over 10000) is checked on a per-group basis. NAT-T takes precedence and will be enforced if checked.

If this helped, please rate.
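As an added illustration of the last reply (example code, not posted by anyone in the thread): a small Python model of how IKE's NAT-D check (RFC 3947) decides whether transparency is used at all, and of the PIX rule set the reply lists. The cookies, addresses and ports are constructed sample values, and using SHA-1 as the negotiated NAT-D hash is an assumption.

```python
import hashlib

# Added example, not from the thread. Models the NAT-D detection that makes IKE
# fall back to raw ESP when no NAT is in the path, and the PIX filter from the
# last reply. Cookies, addresses and ports are constructed sample values.

PIX_ALLOWED_UDP = {500, 4500, 10000}   # UDP ports the reply says the PIX must permit


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port). SHA-1 assumed."""
    ip_bytes = bytes(int(octet) for octet in ip.split("."))
    return hashlib.sha1(cky_i + cky_r + ip_bytes + port.to_bytes(2, "big")).digest()


def nat_detected(cky_i: bytes, cky_r: bytes, peer_nat_d: bytes,
                 observed_ip: str, observed_port: int) -> bool:
    """The peer hashed its own address as it sees it; we hash the source address
    the packet actually arrived from. A mismatch means a NAT rewrote the header."""
    return nat_d_hash(cky_i, cky_r, observed_ip, observed_port) != peer_nat_d


def negotiated_encapsulation(nat_present: bool, nat_t_enabled: bool,
                             ipsec_over_udp_port):
    """Data-plane encapsulation IKE settles on. With no NAT in the path neither
    transparency mode is used and the tunnel carries raw ESP (IP protocol 50).
    With NAT, the global NAT-T setting takes precedence over per-group IPsec/UDP."""
    if not nat_present:
        return ("esp", None)
    if nat_t_enabled:
        return ("udp", 4500)
    if ipsec_over_udp_port is not None:
        return ("udp", ipsec_over_udp_port)
    return ("esp", None)


def pix_permits(proto: str, port, esp_permitted: bool) -> bool:
    """PIX rule set from the reply: ICMP and UDP 500/4500/10000 always,
    ESP only when it has been explicitly permitted."""
    if proto == "udp":
        return port in PIX_ALLOWED_UDP
    if proto == "esp":
        return esp_permitted
    return proto == "icmp"


def tunnel_passes(cky_i, cky_r, peer_nat_d, observed_ip, observed_port,
                  nat_t_enabled, ipsec_over_udp_port, esp_permitted) -> bool:
    """End to end: detect NAT, pick the encapsulation, check it against the PIX."""
    nat = nat_detected(cky_i, cky_r, peer_nat_d, observed_ip, observed_port)
    proto, port = negotiated_encapsulation(nat, nat_t_enabled, ipsec_over_udp_port)
    return pix_permits(proto, port, esp_permitted)
```

With no NAT between router and concentrator the model lands on raw ESP, which the PIX drops until ESP is permitted; only when the observed source differs from the hashed one does UDP 4500 or 10000 come into play.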
