Hoping you guys may be able to shed some light on what I'm seeing here. We've got a client that we've deployed a Cisco ASA device to for VPN connectivity to our datacenter. Due to their security policies, we had to insert the public interface of the device in a DMZ behind their Watchguard firewall using a 1-to-1 NAT. This is not that uncommon, and provided the proper allowances are made on the firewall, this is typically not an issue.

What we're seeing is a problem with the ISAKMP exchange. I see the packets leaving my head end destined for the public IP of the remote peer with a UDP source port of 500 and a UDP destination port of 500 (expected); however, in the log on the Watchguard device, I'm seeing this traffic getting blocked, and it is showing the source UDP port as 500 but the destination port varying between 473 and 409. Therefore it's being blocked by the Watchguard and my tunnels are unable to re-key. What's interesting is that the tunnels initially have successful phase 1 and phase 2 negotiations; it's only after about 15 minutes that I begin seeing this issue.

Any ideas what may be causing this? The Watchguard doing PAT for some reason? I'm very unfamiliar with Watchguard; we're a Cisco shop and, as I said, our device sits behind the client's Watchguard. Any ideas would be greatly appreciated.
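One way to confirm from the firewall's own deny log whether the IKE destination port is being rewritten in transit (a PAT/translation symptom) rather than simply not being allowed, as an added example that is not part of the original post. It assumes a simplified `proto src:sport -> dst:dport` log format and constructed sample lines, not the exact Watchguard log syntax.

```python
import re

# Constructed sample lines in a simplified firewall log format (assumed for
# illustration, not the real Watchguard syntax). The first two lines mirror the
# symptom in the post: UDP source port 500 arriving with a non-IKE destination port.
SAMPLE_LOG = """\
2024-01-01T10:00:01 Deny udp 203.0.113.10:500 -> 198.51.100.20:473
2024-01-01T10:00:03 Deny udp 203.0.113.10:500 -> 198.51.100.20:409
2024-01-01T10:00:05 Allow udp 203.0.113.10:500 -> 198.51.100.20:500
2024-01-01T10:00:07 Deny udp 203.0.113.10:4500 -> 198.51.100.20:4500
2024-01-01T10:00:09 Deny tcp 203.0.113.10:443 -> 198.51.100.20:443
"""

IKE_PORTS = {500, 4500}  # ISAKMP and IKE NAT-Traversal
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(log):
    """Yield one dict per parseable log line; unparseable lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            yield rec


def find_rewritten_ike(log):
    """Return {(src, dst): {dport: count}} for UDP packets that leave an IKE
    source port but arrive on a non-IKE destination port. An ACL mismatch
    would show 500 -> 500 denied; a varying non-500 destination port with a
    fixed 500 source port points at the port being translated on the path."""
    hits = {}
    for rec in parse(log):
        if rec["proto"] != "udp" or rec["sport"] not in IKE_PORTS:
            continue
        if rec["dport"] in IKE_PORTS:
            continue  # normal IKE, whether allowed or denied by policy
        per_peer = hits.setdefault((rec["src"], rec["dst"]), {})
        per_peer[rec["dport"]] = per_peer.get(rec["dport"], 0) + 1
    return hits


if __name__ == "__main__":
    for (src, dst), ports in find_rewritten_ike(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: IKE dest port rewritten to {sorted(ports)}")
```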