Cisco ASA Version 8.4(3): VPN Passthrough Problem with NCP Client

stephan.brunst
Level 1

Hello Support Community,

I have a problem with VPN Passthrough with a NCP Client and Cisco ASA 5520 Version 8.4(3)

A VPN IPSec Connection with a Cisco VPN Client through the Cisco ASA works fine.

The NCP Client establish a connection with Source and Destination UDP 4500 to the remote VPN Gateway and the connection setup is aborted.

If I establish a connection with a NCP Client on a Virtual Machine with NAT , the connection setup works fine.

A connection setup under VM in Bridge mode is also aborted.

The VPN Passthrough problem with the NCP Client started with the Update to version 8.4(3)

The connection worked very well until version 8.2(5).

Someone knows the problem?

Accepted Solution

CSCtq32213    VPN ports not removed from pat port pool when crypto map is applied.

The issue is that if you have a client which uses outbound VPN through your ASA (like one of your consultants from your network trying to connect to his company VPN), it will create an xlate for UDP port 4500 if you have dynamic NAT configured for your outside interface IP.

This will engage UDP port 4500 on the ASA, and the xlate entry will not be released and will remain there.

This will limit users from connecting to our VPN where the gateway is our ASA's outside IP.

Workaround:

Use the 'clear xlate' command to clear the dynamically created xlate if the problem occurs. To prevent the problem from occurring in the first place, remove the 'flow-export destination' command from the configuration and reload the ASA.

Fixed-in: 8.4(4)

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


6 Replies

AlainODea
Level 1

I have encountered a very similar problem.  Some customers and partners require us to use a remote access VPN to support them.  When the firewall was running 8.2(5) it worked fine.  It now requires some annoying hacks to make it work on 8.4(3).  My least favorite of these hacks is a 'magical' NAT that prevents inside hosts from stealing port 500.

Here is what I did and it seems to be working (but is definitely ugly):

configure terminal
 object network VPN-endpoint
  description Prevent inside hosts from stealing VPN endpoint with PAT
  host 172.16.0.1
  nat (any,outside) static interface service udp isakmp isakmp
  exit
 access-list ipsecpassthroughacl extended permit udp any any eq isakmp
 access-list ipsecpassthroughacl extended permit object-group TCPUDP any any eq 4500
 class-map ipsecpassthru-traffic
  match access-list ipsecpassthroughacl
  exit
 policy-map type inspect ipsec-pass-thru iptmap
  parameters
   esp
   ah
   exit
  exit
 policy-map inspection_policy
  class ipsecpassthru-traffic
   inspect ipsec-pass-thru iptmap
   exit
  exit
 service-policy inspection_policy interface outside
 exit
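Both the bug description above and Alain's workaround come down to the same condition: an inside host's PAT translation ends up occupying UDP 500 or 4500 on the ASA's outside address, so inbound IKE for the ASA's own VPN goes to that host instead. The following check is an added example, not code from this thread or from Cisco: it parses 'show xlate' output (the line layout is an assumption stated in the comments, and the dump below is constructed) and reports the entries that 'clear xlate' would have to remove.

```python
import re

# Assumed 'show xlate' PAT line layout on ASA 8.4 (not taken from the thread):
#   UDP PAT from <in_if>:<ip>/<port> to <out_if>:<ip>/<port> flags <f> idle <t> timeout <t>
XLATE_RE = re.compile(
    r"^(?P<proto>TCP|UDP) PAT from (?P<in_if>\S+):(?P<in_ip>[\d.]+)/(?P<in_port>\d+)"
    r" to (?P<out_if>\S+):(?P<out_ip>[\d.]+)/(?P<out_port>\d+)"
    r" flags (?P<flags>\S+) idle (?P<idle>[\d:]+) timeout (?P<timeout>[\d:]+)$"
)

# The two ports IKE/NAT-T need on the gateway address (isakmp and udp/4500).
IKE_PORTS = {500, 4500}


def parse_xlate(text):
    """Return a list of dicts for the PAT lines of a 'show xlate' dump.
    Summary lines and static entries that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["in_port"] = int(entry["in_port"])
            entry["out_port"] = int(entry["out_port"])
            entries.append(entry)
    return entries


def stolen_ike_ports(entries, outside_if, outside_ip):
    """Entries where an inside host is PATted onto UDP 500/4500 of the ASA's
    own outside address. While such an xlate exists, inbound IKE to the ASA's
    VPN gateway IP is delivered to that inside host (the CSCtq32213 symptom)."""
    return [e for e in entries
            if e["proto"] == "UDP" and e["out_if"] == outside_if
            and e["out_ip"] == outside_ip and e["out_port"] in IKE_PORTS]


# Constructed sample: one inside host (10.1.1.25) running an outbound VPN client.
SAMPLE = """\
4 in use, 9 most used
UDP PAT from inside:10.1.1.25/4500 to outside:203.0.113.10/4500 flags ri idle 0:00:03 timeout 0:00:30
UDP PAT from inside:10.1.1.25/500 to outside:203.0.113.10/500 flags ri idle 0:00:03 timeout 0:00:30
TCP PAT from inside:10.1.1.40/51022 to outside:203.0.113.10/51022 flags ri idle 0:01:10 timeout 0:00:30
UDP PAT from inside:10.1.1.40/53011 to outside:203.0.113.10/53011 flags ri idle 0:00:20 timeout 0:00:30
"""

if __name__ == "__main__":
    for e in stolen_ike_ports(parse_xlate(SAMPLE), "outside", "203.0.113.10"):
        print(f"{e['in_if']}:{e['in_ip']}/{e['in_port']} holds outside UDP "
              f"{e['out_port']} (idle {e['idle']}); 'clear xlate' releases it")
```

On a live box you would feed it the captured output of 'show xlate' and your real outside interface name and address; a non-empty result while a 'flow-export destination' line is still configured is the condition the bug note describes.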

Hi Alain,

thank you for the information.

I will try it next week.

Hello Stephan,

That is correct, there is a bug about what Alain just told you.

I have worked on this issue and the thing is that the ASA is unable to hold or save those ports for the VPN connections (it starts doing PAT on ports 500 and 4500).

There are some work-arounds like using TCP-based (10000), but I have seen how it behaves the same way, so my recommendation would be to do an upgrade ASAP to make this work.

I will provide you the bug ID tomorrow morning .

Regards,

Do rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thank you Julio

Is this issue fixed in 8.4(4.1)?

Thanks,

Alain


Julio,

the update to version 8.4 (4.1) has fixed the problem.

Regards,

Stephan
