https://community.cisco.com/t5/network-security/cisco-asa-version-8-4-3-vpn-passthrough-problem-with-ncp-client/m-p/1960102#M440556 <P>Hello Support Community,</P><P></P><P>I have a problem with VPN Passthrough with a NCP Client and Cisco ASA 5520 Version 8.4(3)</P><P></P><P>A VPN IPSec Connection with a Cisco VPN Client through the Cisco ASA works fine.</P><P></P><P>The NCP Client establish a connection with Source and Destination UDP 4500 to the remote VPN Gateway and the connection setup is aborted.</P><P>If I establish a connection with a NCP Client on a Virtual Machine with NAT , the connection setup works fine.</P><P>A connection setup under VM in Bridge mode is also aborted.</P><P></P><P>The VPN Passthrough problem with the NCP Client started with the Update to version 8.4(3)</P><P>The connection worked very well until version 8.2(5).</P><P></P><P>Someone knows the problem?</P> Mon, 11 Mar 2019 23:21:58 GMT stephan.brunst 2019-03-11T23:21:58Z https://community.cisco.com/t5/network-security/cisco-asa-version-8-4-3-vpn-passthrough-problem-with-ncp-client/m-p/1960102#M440556 <P>Hello Support Community,</P><P></P><P>I have a problem with VPN Passthrough with a NCP Client and Cisco ASA 5520 Version 8.4(3)</P><P></P><P>A VPN IPSec Connection with a Cisco VPN Client through the Cisco ASA works fine.</P><P></P><P>The NCP Client establish a connection with Source and Destination UDP 4500 to the remote VPN Gateway and the connection setup is aborted.</P><P>If I establish a connection with a NCP Client on a Virtual Machine with NAT , the connection setup works fine.</P><P>A connection setup under VM in Bridge mode is also aborted.</P><P></P><P>The VPN Passthrough problem with the NCP Client started with the Update to version 8.4(3)</P><P>The connection worked very well until version 8.2(5).</P><P></P><P>Someone knows the problem?</P> Mon, 11 Mar 2019 23:21:58 GMT https://community.cisco.com/t5/network-security/cisco-asa-version-8-4-3-vpn-passthrough-problem-with-ncp-client/m-p/1960102#M440556 stephan.brunst 2019-03-11T23:21:58Z https://community.cisco.com/t5/network-security/cisco-asa-version-8-4-3-vpn-passthrough-problem-with-ncp-client/m-p/1960103#M440557 <HTML><HEAD></HEAD><BODY><P>I have encountered a very similar problem.&nbsp; Some customers and partners require us to use a remote access VPN to support them.&nbsp; When the firewall was running 8.2(5) it worked fine.&nbsp; It now requires some annoying hacks to make it work on 8.4(3).&nbsp; My least favorite of these hacks is a 'magical' NAT that prevents inside hosts from stealing port 500.</P><P></P><P>Here is what I did and it seems to be working (but is definitely ugly):</P><P></P><PRE style="margin: 0px 0px 10px; padding: 5px; font-size: 14px; vertical-align: baseline; background-color: #eeeeee; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Courier New', monospace, serif; overflow: auto; max-height: 600px; color: #000000; line-height: 18px;"><CODE style="vertical-align: baseline; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Courier New', monospace, serif;">configure terminal object network VPN-endpoint &nbsp; description Prevent inside hosts from stealing VPN endpoint with PAT &nbsp; host 172.16.0.1 &nbsp; nat (any,outside) static interface service udp isakmp isakmp &nbsp; exit access-list ipsecpassthroughacl extended permit udp any any eq isakmp access-list ipsecpassthroughacl extended permit object-group TCPUDP any any eq 4500 class-map ipsecpassthru-traffic &nbsp; match access-list ipsecpassthroughacl &nbsp; exit policy-map type inspect ipsec-pass-thru iptmap &nbsp; parameters &nbsp;&nbsp; esp &nbsp;&nbsp; ah &nbsp;&nbsp; exit &nbsp; exit policy-map inspection_policy &nbsp; class ipsecpassthru-traffic &nbsp;&nbsp; inspect ipsec-pass-thru iptmap &nbsp;&nbsp; exit &nbsp; exit service-policy inspection_policy interface outside exit</CODE></PRE></BODY></HTML> Tue, 26 Jun 2012 12:04:23 GMT https://community.cisco.com/t5/network-security/cisco-asa-version-8-4-3-vpn-passthrough-problem-with-ncp-client/m-p/1960103#M440557 AlainODea 2012-06-26T12:04:23Z https://community.cisco.com/t5/network-security/cisco-asa-version-8-4-3-vpn-passthrough-problem-with-ncp-client/m-p/1960104#M440558 <HTML><HEAD></HEAD><BODY><P> Hi Alain,</P><P></P><P>thank you for the information.</P><P></P><P>I will try it next week.</P></BODY></HTML> Mon, 02 Jul 2012 13:57:20 GMT https://community.cisco.com/t5/network-security/cisco-asa-version-8-4-3-vpn-passthrough-problem-with-ncp-client/m-p/1960104#M440558 stephan.brunst 2012-07-02T13:57:20Z https://community.cisco.com/t5/network-security/cisco-asa-version-8-4-3-vpn-passthrough-problem-with-ncp-client/m-p/1960105#M440559 <HTML><HEAD></HEAD><BODY><P>Hello Stephan,</P><P></P><P>That is correct, there is a bug about what Alain just told you.</P><P></P><P>I have worked on this issues and the thing is that the ASA is unable to hold or safe those ports for the VPN connections ( he starts doing PAT on ports 500 and 4500).</P><P></P><P>There are some work-arounds like using TCP based ( 10000) but I have seen how it behaves the same way, so my recomendation would be to do an upgrade ASAP to make this work.</P><P></P><P>I will provide you the bug ID tomorrow morning .</P><P></P><P>Regards,</P><P></P><P>Do rate all the helpful posts</P><P></P><P>Julio</P></BODY></HTML> Tue, 03 Jul 2012 03:33:09 GMT https://community.cisco.com/t5/network-security/cisco-asa-version-8-4-3-vpn-passthrough-problem-with-ncp-client/m-p/1960105#M440559 Julio Carvajal 2012-07-03T03:33:09Z https://community.cisco.com/t5/network-security/cisco-asa-version-8-4-3-vpn-passthrough-problem-with-ncp-client/m-p/1960106#M440560 <HTML><HEAD></HEAD><BODY><P>Thank you Julio <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN></P><P></P><P>Is this issue fixed in 8.4(4.1)?</P><P></P><P>Thanks,</P><P>Alain</P></BODY></HTML> Wed, 04 Jul 2012 12:11:52 GMT https://community.cisco.com/t5/network-security/cisco-asa-version-8-4-3-vpn-passthrough-problem-with-ncp-client/m-p/1960106#M440560 AlainODea 2012-07-04T12:11:52Z https://community.cisco.com/t5/network-security/cisco-asa-version-8-4-3-vpn-passthrough-problem-with-ncp-client/m-p/1960107#M440561 <HTML><HEAD></HEAD><BODY><P>CSCtq32213&nbsp;&nbsp;&nbsp; VPN ports not removed from pat port pool when crypto map is applied.</P><P>The issue is that if you have a client which uses outbound vpn other through your ASA (like one of your consultant from your network trying</P><P> to connect to his company vpn),</P><P>it will create an xlate for 4500 udp port, if you have the dynamic NAT given for your outside interface IP.</P><P> This will engage the 4500 UDP port on ASA and will not release this xlate entry and will remain there. </P><P>This will limit users from connecting to our vpn where the gateway is our ASA's outside IP</P><P></P><P><STRONG style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; text-align: -webkit-auto; background-color: #ffffff;">Workaround:</STRONG></P><P><BR style="line-height: 12px; color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; text-align: -webkit-auto; background-color: #ffffff;" /></P><P><BR style="line-height: 12px; color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; text-align: -webkit-auto; background-color: #ffffff;" /></P><P>Use the 'clear xlate' command to clear the dynamically created xlate if the problem occurs. To prevent the problem from occurring in the first place, remove the 'flow-export destination </P><P> ' command from the configuration and reload the ASA.</P><P></P><P></P><P><STRONG style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; text-align: -webkit-auto; background-color: #eeeeee;">Fixed-In </STRONG><A href="http://tools.cisco.com/Support/BugToolKit/images/Field%20Definitions.html" style="color: #003399; font-size: 12px; font-family: Arial, Helvetica, sans-serif; text-align: -webkit-auto; background-color: #eeeeee;" target="_blank"><IMG alt="Fixed-in" border="0" height="14" id="Fixed_Image" name="Fixed_Image" src="http://tools.cisco.com/Support/BugToolKit/images/icon_info.gif" style="text-decoration: none;" width="13" /></A></P><P></P><P>8.4(4)</P></BODY></HTML> Wed, 04 Jul 2012 17:17:42 GMT https://community.cisco.com/t5/network-security/cisco-asa-version-8-4-3-vpn-passthrough-problem-with-ncp-client/m-p/1960107#M440561 Julio Carvajal 2012-07-04T17:17:42Z https://community.cisco.com/t5/network-security/cisco-asa-version-8-4-3-vpn-passthrough-problem-with-ncp-client/m-p/1960108#M440562 <HTML><HEAD></HEAD><BODY><P id="gt-res-content">Julio,</P><P></P><P>the update to version 8.4 (4.1) has fixed the problem.</P><P></P><P>Regards,</P><P>Stephan</P><DIV dir="ltr" style="zoom: 1;"><P></P></DIV></BODY></HTML> Thu, 23 Aug 2012 14:43:46 GMT https://community.cisco.com/t5/network-security/cisco-asa-version-8-4-3-vpn-passthrough-problem-with-ncp-client/m-p/1960108#M440562 stephan.brunst 2012-08-23T14:43:46Z