Allow 3 users to use Cisco VPN client behind ASA to external source?
11-26-2009 04:16 AM - edited 03-11-2019 09:43 AM
Hello,
I have an ASA 5520 (8.0.4) and need 3 internal users to be able to use their Cisco VPN clients to an external source. It seems one can connect but the other 2 can't.
I created an access list that included their local IPs and opened ports TCP/10000, UDP/4500 and UDP/500.
We use 1 global IP for outbound connections; could this be a NAT issue, as they all use the same external IP (outside of the ASA)?
If so, I think we have a spare couple of external IPs.
Labels: NGFW Firewalls
11-26-2009 06:57 AM
I see you opened UDP 500 and UDP 4500, however, did you enable NAT traversal on the firewall? If you're using IPSEC over TCP, you'll need to specify that in the firewall running configuration as well:
isakmp nat-traversal
isakmp ipsec-over-tcp port 10000
Are you saying only 1 user can connect at a time or only a single user is able to connect?
I've seen numerous occasions where multiple internal users are able to initiate a VPN connection from a single PAT IP so this should not be an issue.
11-26-2009 07:34 AM
Well, only one could connect earlier, and now all 3 can; it seems to be intermittent. Here is what I have under the IPsec > IKE Parameters section in the ASDM:
11-26-2009 11:15 AM
AFAIK those are for the VPNs themselves and not for VPNs traversing the firewall. Those features are what you would enable on the VPN server/hub. (Should be enabled regardless.)
Have you opened up ESP/AH in your access-list? You need it for phase 2.
11-26-2009 01:55 PM
I've searched the ASA config and I can't find:
isakmp nat-traversal
isakmp ipsec-over-tcp port 10000
I don't understand nat-traversal, but I have just read http://en.wikipedia.org/wiki/NAT_traversal and it seems to me that I do need those commands added for these internal users to be able to use their VPN clients outbound. Like most firewalls, ours NATs (well, PATs) outbound user traffic, and it says NAT can break the "end to end" connectivity for IPsec VPNs, as I suppose traffic on the way back to the outside of the ASA gets lost on where to find the inside host?
Somehow nat-traversal can help, but I don't have Encapsulating Security Payload (ESP) open. Is this outbound? And what port number is this?
11-26-2009 02:00 PM
It's a good idea to have all of the following ports opened:
UDP 500 (ISAKMP)
IP Protocol 50 (ESP)
UDP 4500 (ESP NAT-T)
TCP 10000 (TCP over IPSEC)
NAT Traversal MUST be enabled, since a traditional ESP packet cannot traverse a PAT environment because there's no UDP/TCP port number. NAT-Traversal or TCP over IPSEC appends a TCP or UDP packet after the IP header and before the ESP header to allow the firewall to read the port number to successfully PAT the traffic outbound.
Don't bother opening AH; it's not necessary for a client VPN connection.
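A small audit script, added here and not from the thread or from Cisco: it parses ASA-style "access-list ... extended permit" lines and reports which of the four permits listed in the reply above (UDP/500, UDP/4500, ESP, TCP/10000) are missing for each internal VPN host. The ACL name, host addresses and sample config are constructed, and the parser assumes the narrow ACE shape "permit <proto> host <src> any [eq <port>]".

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# The four outbound permits recommended in the reply above; ESP has no port.
REQUIRED: Set[Tuple[str, Optional[str]]] = {
    ("udp", "500"), ("udp", "4500"), ("esp", None), ("tcp", "10000"),
}
# ASA shows some well-known ports by name; normalise the one we care about.
PORT_NAMES = {"isakmp": "500"}

# Assumed (narrow) ACE shape: "permit <proto> host <src> any [eq <port>]".
ACE_RE = re.compile(
    r"^access-list\s+\S+\s+extended\s+permit\s+(?P<proto>\S+)\s+"
    r"host\s+(?P<src>\S+)\s+any(?:\s+eq\s+(?P<port>\S+))?\s*$"
)

def parse_permits(config: str) -> Dict[str, Set[Tuple[str, Optional[str]]]]:
    """Map each source host to the (protocol, port) pairs it may send outbound."""
    allowed: Dict[str, Set[Tuple[str, Optional[str]]]] = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # not an ACE this audit models (object-groups, deny, remarks)
        port = m["port"]
        port = PORT_NAMES.get(port, port) if port else None
        allowed.setdefault(m["src"], set()).add((m["proto"].lower(), port))
    return allowed

def missing_permits(config: str, hosts: List[str]) -> Dict[str, List[str]]:
    """Return, per host, the required permits the ACL does not grant."""
    allowed = parse_permits(config)
    report: Dict[str, List[str]] = {}
    for host in hosts:
        gaps = REQUIRED - allowed.get(host, set())
        if gaps:
            report[host] = sorted(f"{p}/{port}" if port else p for p, port in gaps)
    return report

# Constructed sample config: three internal hosts, only the first fully covered.
SAMPLE_CONFIG = """\
access-list inside_access_in extended permit udp host 10.1.1.11 any eq isakmp
access-list inside_access_in extended permit udp host 10.1.1.11 any eq 4500
access-list inside_access_in extended permit tcp host 10.1.1.11 any eq 10000
access-list inside_access_in extended permit esp host 10.1.1.11 any
access-list inside_access_in extended permit udp host 10.1.1.12 any eq 500
access-list inside_access_in extended permit tcp host 10.1.1.12 any eq 10000
access-list inside_access_in extended permit udp host 10.1.1.13 any eq 4500
"""
VPN_HOSTS = ["10.1.1.11", "10.1.1.12", "10.1.1.13"]  # constructed addresses

if __name__ == "__main__":
    for host, gaps in missing_permits(SAMPLE_CONFIG, VPN_HOSTS).items():
        print(f"{host}: missing {', '.join(gaps)}")
```

Run it against a "show running-config access-list" capture to see, per host, which of the four permits still needs adding before the intermittent failures are blamed on PAT.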
