• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1615

Cisco ASA 5505 passing through port 4500 for IPsec server

Hello all and thank you for your time.

I have a Barracuda SSL VPN which has the capability of creating an IPsec server. In the documentation for setting it up it states that I must open ports 500 and 4500 in my firewall.

I have a Cisco ASA 5505 and I have opened these ports. I am trying to connect using my Android phone but am unsuccessful. When I run a packet trace for port 4500 I receive this:

bad-ipsec-natt Bad IPSEC NATT packet: This counter will increment when the security appliance receives a packet on an IPSec connection that has negotiated NAT-T, but the packet is not addressed to the NAT-T UDP destination port of 4500 or had an invalid payload length. Recommendation: Analyze your network traffic to determine the source of the NAT-T traffic.

Port 500 does not appear to have any issues connecting, only port 4500.

Can anyone help? I'm lost on where to go from here.

Thanks
0
Asked by jrojas1213

1 Solution
Ernie BeekCommented:
So you're using NAT traversal to go through the ASA to the Barracuda. You need to set up the client to connect using NAT-T as well.
0
 
jrojas1213Author Commented:
Well, forgive me if I'm asking this incorrectly because I am still a novice when it comes to networking, but my question is: does NAT-T have to be enabled on my ASA? Or is just opening the port sufficient for it to work? There is very little to configure on my mobile device (Android), so it doesn't appear to have the ability to configure NAT-T on the device.
0
 
Ernie BeekCommented:
Are you using a built-in VPN app?
I don't think you need to enable NAT-T on the ASA (that's only when the ASA itself is setting up a VPN through a NAT device).
One other thing, you did open UDP port 4500 on the ASA (and not TCP)?
0
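Added example (the editor's, not from either participant and not taken from Barracuda or Cisco documentation): what "opening UDP 500 and 4500" looks like on an ASA 5505 running 8.3 or later, using object NAT to forward both ports from the outside interface address to an inside IPsec server, an inbound ACL that permits only UDP (not TCP), and a packet-tracer command to test the 4500 path. The addresses, object names and ACL name are assumptions.

```text
! Assumed addressing (not from the thread):
!   inside IPsec server (Barracuda)  192.168.1.20
!   ASA outside interface address    203.0.113.10
!   a client on the Internet         198.51.100.7
!
! One object per forwarded port: each network object carries a single nat statement.
object network BARRACUDA_ISAKMP
 host 192.168.1.20
 nat (inside,outside) static interface service udp 500 500
object network BARRACUDA_NATT
 host 192.168.1.20
 nat (inside,outside) static interface service udp 4500 4500
!
! 8.3+ ACLs match on the real (inside) address. Both entries are UDP:
! IKE on 500 ("isakmp") and NAT-T on 4500. A "permit tcp ... eq 4500" would not help.
access-list OUTSIDE_IN extended permit udp any host 192.168.1.20 eq isakmp
access-list OUTSIDE_IN extended permit udp any host 192.168.1.20 eq 4500
access-group OUTSIDE_IN in interface outside
!
! Test: a NAT-T packet from the client to the outside address on UDP 4500.
! The output should end with a NAT phase translating to 192.168.1.20 and "Action: allow".
packet-tracer input outside udp 198.51.100.7 4500 203.0.113.10 4500 detailed
```

Two checks that fit the symptom in the question. First, `show running-config crypto | include enable` shows whether IKE is enabled on the outside interface (`crypto isakmp enable outside` or `crypto ikev1 enable outside`); when it is, the ASA terminates UDP 500 and 4500 addressed to that interface's own IP for its VPNs rather than forwarding them through the static PAT, so a pass-through IPsec server behind the same public address needs IKE disabled on that interface or a public address of its own. Second, `show asp drop frame bad-ipsec-natt` shows whether the counter quoted in the question increments during a real connection attempt from the phone, which separates a packet-tracer artefact from a drop on the live path.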
 
jrojas1213Author Commented:
I am using the built-in VPN application on my Samsung Galaxy S3.
I did open port UDP/4500, not TCP.
0
 
Ernie BeekCommented:
Ok.

but the packet is not addressed to the NAT-T UDP destination port of 4500 or had an invalid payload length.

Do you get this only when you do a packet trace or as well when you try to set up the VPN?
I've tried to set up VPNs using Android devices, but 9 out of 10 times it did not work. The Android client is not quite mature yet. That might be an issue as well (looking at 'invalid payload length').
0
 
jrojas1213Author Commented:
I only get that when I run the packet trace.

I am still trying to see if I can get a log on the Android side to see what is going on at its end.

I'm starting to think it's the Android device as well.
0
