
IPSec Pass Through on ASA

I have a third party firewall behind a Cisco ASA. The Cisco ASA is doing PAT as there are no other IP addresses available. The third party firewall is attempting to build an IPSec tunnel to another firewall. The IPSec tunnel is not coming up. When I do a capture on the Cisco ASA firewall I see traffic hit the inside interface and leave the outside interface. I then see the reply traffic return and hit the outside interface of my Cisco ASA but it is not being allowed to pass through to the inside interface. I have enabled NAT-T on the third party firewall but it still does not get the reply traffic because it gets stopped at the Cisco ASA.

Any thoughts?

3 REPLIES

IPSec Pass Through on ASA

Hi Nicholas,

Are you doing static-nat for the source-vpn peer address? This static-nat can be natted to the same address or to a different address as long as the remote-vpn peer recognizes your source-vpn peer address as being reachable.

Please let me know.

Look forward to hearing from you.

Thanks

Rizwan Rafeek


IPSec Pass Through on ASA

The third party firewall that is behind the ASA is being NATed to the same public IP address as everything else behind the ASA. The remote vpn device has been configured to expect the public IP and respond to the public IP but the response traffic is dropped at the ASA and never makes it back to the firewall behind the ASA.

IPSec Pass Through on ASA

Hi Nicholas,

Dynamic nat will not work, you need static-nat.

thanks

Rizwan Rafeek
