Cisco ASA 5505 passing through port 4500 for IPsec server

Hello all and thank you for your time.

I have a Barracuda SSL VPN which has the capability of creating an IPsec server. In the documentation for setting it up, it states that I must open ports 500 and 4500 in my firewall.

I have a Cisco ASA 5505 and I have opened these ports. I am trying to connect using my Android phone but am unsuccessful. When I run a packet trace for port 4500 I receive this:

bad-ipsec-natt Bad IPSEC NATT packet This counter will increment when the security appliance
receives a packet on an IPSec connection that has negotiated
NAT-T, but the packet is not addressed to the NAT-T UDP
destination port of 4500 or had an invalid payload length.
Recommendation: Analyze your network traffic to
determine the source of the NAT-T traffic.

Port 500 does not appear to have any issues connecting, only port 4500.

Can anyone help? I'm lost on where to go from here.
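As an added illustration (not code from the thread, the ASA, or Barracuda): the counter text above names two drop conditions for NAT-T traffic, wrong UDP destination port and invalid payload length. The function below applies the NAT-T framing rules from RFC 3948 (single 0xFF keepalive, four-byte non-ESP marker in front of IKE, otherwise ESP) to a UDP datagram so you can see which condition a captured packet would trip. The sample IKE header builder is constructed for this example and is not a real capture.

```python
import struct
from dataclasses import dataclass

NATT_PORT = 4500
IKE_HEADER_LEN = 28                    # fixed IKE header, RFC 7296 section 3.1
ESP_HEADER_LEN = 8                     # SPI (4) + sequence number (4), RFC 4303
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 section 2.2
NAT_KEEPALIVE = b"\xff"                # RFC 3948 section 2.3


@dataclass
class Verdict:
    kind: str     # "ike", "esp", "keepalive" or "drop"
    reason: str


def classify_natt(dst_port: int, payload: bytes) -> Verdict:
    """Classify a UDP datagram the way a gateway expecting NAT-T would.

    Mirrors the two conditions in the ASA bad-ipsec-natt text: not addressed
    to UDP/4500, or a payload whose length fits no NAT-T encapsulation.
    """
    if dst_port != NATT_PORT:
        return Verdict("drop", f"not addressed to UDP/{NATT_PORT} (got {dst_port})")
    if payload == NAT_KEEPALIVE:
        return Verdict("keepalive", "single 0xFF byte NAT keepalive")
    if len(payload) < 4:
        return Verdict("drop", "invalid payload length: shorter than marker/SPI")
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            return Verdict("drop", "invalid payload length: truncated IKE header")
        # The Length field occupies the last 4 bytes of the fixed IKE header.
        (declared,) = struct.unpack("!I", ike[24:28])
        if declared != len(ike):
            return Verdict("drop", f"invalid payload length: IKE says {declared}, got {len(ike)}")
        return Verdict("ike", "IKE message behind non-ESP marker")
    if len(payload) < ESP_HEADER_LEN:
        return Verdict("drop", "invalid payload length: truncated ESP header")
    spi, seq = struct.unpack("!II", payload[:8])
    return Verdict("esp", f"ESP SPI=0x{spi:08x} seq={seq}")


def build_ike_sample(body: bytes) -> bytes:
    """Constructed NAT-T IKEv2 IKE_SA_INIT datagram payload (sample, not a capture)."""
    i_spi, r_spi = b"\x11" * 8, b"\x00" * 8
    total = IKE_HEADER_LEN + len(body)
    # next payload 33 (SA), version 2.0, exchange 34 (IKE_SA_INIT), flags 0x08 (initiator), message ID 0
    hdr = i_spi + r_spi + struct.pack("!BBBBII", 33, 0x20, 34, 0x08, 0, total)
    return NON_ESP_MARKER + hdr + body
```

Feeding it the UDP/500 packets that work shows the first drop reason; a truncated UDP/4500 datagram shows the second, which is the one Ernie points at below.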

1 Solution
Ernie Beek (Expert) commented:
So you're using NAT traversal to go through the ASA to the Barracuda. You need to set up the client to connect using NAT-T as well.
jrojas1213 (Author) commented:
Well, forgive me if I'm asking this incorrectly because I am still a novice when it comes to networking, but my question is: does NAT-T have to be enabled on my ASA? Or is just opening the port substantial enough to work? There is very little to configure on my mobile device (Android), so it doesn't appear to have the ability to configure NAT-T on the device.
Ernie Beek (Expert) commented:
Are you using a built-in VPN app?
I don't think you need to enable NAT-T on the ASA (that's only when the ASA itself is setting up a VPN through a NAT device).
One other thing, you did open UDP port 4500 on the ASA (and not TCP)?
jrojas1213 (Author) commented:
I am using the built-in VPN application on my Samsung Galaxy S3.
I did open port UDP/4500, not TCP.
Ernie Beek (Expert) commented:

but the packet is not addressed to the NAT-T UDP destination port of 4500 or had an invalid payload length.

Do you get this only when you do a packet trace or as well when you try to set up the VPN?
I've tried to set up VPNs using Android devices but 9 out of 10 times it did not work. The Android client is not quite mature yet. That might be an issue as well (looking at 'invalid payload length').
jrojas1213 (Author) commented:
I only get that when I run the packet trace.

I am still trying to see if I can get a log on the android side to see what is going on its end.

I'm starting to think it's the Android device as well.