Buy or Renew
Buy or Renew
Welcome to the new Cisco Community. LEARN MORE about the updates and what is coming.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation

Allow 3 users to use Cisco VPN client behind ASA to external source?

Andy White
Explorer
Explorer

‎11-26-2009 04:16 AM - edited ‎03-11-2019 09:43 AM

Hello,

I have a ASA 5520 (8.0.4) and need 3 internal users to be able to use their Cisco VPN clients to an external source.  It seems one can connect but the other 2 can't.

I created an access list that included their local IP's and opened ports TCP/10000, UDP/4500 and UDP/500.

We use 1 global IP for outbound connections, could this be a NAT issues as they all use the same external IP (outside of ASA)?

If so I think we have a spare couple external IP's.

Labels:
0 Helpful
6 REPLIES 6

Patrick0711
Participant
Participant

‎11-26-2009 06:57 AM

I see you opened UDP 500 and UDP 4500, however, did you enable NAT traversal on the firewall?  If you're using IPSEC over TCP, you'll need to specify that in the firewall running configuration as well:

isakmp nat-traversal

isakmp ipsec-over-tcp port 10000

Are you saying only 1 user can connect at a time or only a single user is able to connect?

I've seen numerous occasions where multiple internal users are able to initiate a VPN connection from a single PAT IP so this should not be an issue.

0 Helpful

Andy White
Explorer
Explorer
In response to Patrick0711

‎11-26-2009 07:34 AM

Well, only one could connect earlier, and now all 3 can, seems to be intermittent, he is what I have under the IPsec > IKE Parameters section in the ASDM:

nat.JPG

0 Helpful

Andy White
Explorer
Explorer
In response to Patrick0711

‎11-26-2009 07:34 AM

Well, only one could connect earlier, and now all 3 can, seems to be intermittent, he is what I have under the IPsec > IKE Parameters  in the ASDM:

nat.JPG

0 Helpful

Kent Heide
Beginner
Beginner

‎11-26-2009 11:15 AM

AFAIK those are for the VPN's themselves and not for VPN's traversing firewall. Those features are what you would enable on the VPN server/hub. (Should be enabled regardless).

Have you opened up ESP/AH in your access-list ? You need it for phase2.

0 Helpful

Andy White
Explorer
Explorer
In response to Kent Heide

‎11-26-2009 01:55 PM

I've searched the ASA config and I can't find:

isakmp nat-traversal

isakmp ipsec-over-tcp port 10000

I don't inderstand nat-traversal, but have just read http://en.wikipedia.org/wiki/NAT_traversal and it seems to me that I do need those commands added for these internal users to be able to use their VPN clients outbound.  Like most firewalls ours NAT (well PAT) outbound user traffic and it says NAT can break the "end to end" connectivity for IPSec VPN's as I suppose traffic on the way back to the outside of the ASA gets lost on where to find the inside host??

Somehow nat-traversal can help, but I don't have Encapsulating Security Payload (ESP) open, is this outbound? and what port number is this?

0 Helpful