11-26-2009 04:16 AM - edited 03-11-2019 09:43 AM
Hello,
I have an ASA 5520 (8.0.4) and need 3 internal users to be able to use their Cisco VPN clients to an external source. It seems one can connect but the other 2 can't.
I created an access list that included their local IPs and opened ports TCP/10000, UDP/4500 and UDP/500.
We use 1 global IP for outbound connections, could this be a NAT issue, as they all use the same external IP (outside of the ASA)?
If so I think we have a couple of spare external IPs.
11-26-2009 06:57 AM
I see you opened UDP 500 and UDP 4500, however, did you enable NAT traversal on the firewall? If you're using IPSEC over TCP, you'll need to specify that in the firewall running configuration as well:
isakmp nat-traversal
isakmp ipsec-over-tcp port 10000
Are you saying only 1 user can connect at a time or only a single user is able to connect?
I've seen numerous occasions where multiple internal users are able to initiate a VPN connection from a single PAT IP so this should not be an issue.
11-26-2009 07:34 AM
Well, only one could connect earlier, and now all 3 can, seems to be intermittent, here is what I have under the IPsec > IKE Parameters section in the ASDM:
11-26-2009 11:15 AM
AFAIK those are for the VPNs themselves and not for VPNs traversing the firewall. Those features are what you would enable on the VPN server/hub. (Should be enabled regardless.)
Have you opened up ESP/AH in your access-list? You need it for phase 2.
11-26-2009 01:55 PM
I've searched the ASA config and I can't find:
isakmp nat-traversal
isakmp ipsec-over-tcp port 10000
I don't understand nat-traversal, but have just read http://en.wikipedia.org/wiki/NAT_traversal and it seems to me that I do need those commands added for these internal users to be able to use their VPN clients outbound. Like most firewalls, ours NATs (well, PATs) outbound user traffic, and it says NAT can break the "end to end" connectivity for IPsec VPNs, as I suppose traffic on the way back to the outside of the ASA gets lost on where to find the inside host?
Somehow nat-traversal can help, but I don't have Encapsulating Security Payload (ESP) open. Is this outbound, and what port number is this?
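As an added illustration of the access-list the reply above asks about (ESP/AH for phase 2) and of the ESP question in the last post, here is a constructed ASA 8.0-style fragment that is not from the thread; the object-group name, ACL name and the three 192.168.1.x host addresses are placeholders. It shows the point the thread circles around: ESP and AH are IP protocols (50 and 51), not TCP/UDP ports, so they are permitted by protocol keyword with no port, while ISAKMP, NAT-T and IPsec-over-TCP are the UDP/TCP ports already listed in the first post.

```cisco
! Constructed example, not the poster's configuration.
! Three internal hosts allowed to run the Cisco VPN client outbound.
object-group network VPN-CLIENT-HOSTS
 network-object host 192.168.1.10
 network-object host 192.168.1.11
 network-object host 192.168.1.12
!
! Phase 1 (ISAKMP, UDP 500), NAT-T (UDP 4500) and IPsec over TCP (port 10000
! as used in this thread) are ordinary UDP/TCP ports and take "eq <port>".
access-list INSIDE_OUT extended permit udp object-group VPN-CLIENT-HOSTS any eq isakmp
access-list INSIDE_OUT extended permit udp object-group VPN-CLIENT-HOSTS any eq 4500
access-list INSIDE_OUT extended permit tcp object-group VPN-CLIENT-HOSTS any eq 10000
!
! Phase 2 without NAT-T: ESP (IP protocol 50) and AH (IP protocol 51) have no
! port number at all, so they are matched by protocol name only.
access-list INSIDE_OUT extended permit esp object-group VPN-CLIENT-HOSTS any
access-list INSIDE_OUT extended permit ah object-group VPN-CLIENT-HOSTS any
!
! Applied inbound on the inside interface (direction of the users' outbound traffic).
access-group INSIDE_OUT in interface inside
```

Applying an access-group to the inside interface replaces the ASA's default "permit all outbound" behaviour, so any other outbound traffic the inside hosts need must also be permitted in the same list.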