Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1380
Views
0
Helpful
6
Replies

Allow 3 users to use Cisco VPN client behind ASA to external source?

Andy White
Participant
Participant

‎11-26-2009 04:16 AM - edited ‎03-11-2019 09:43 AM

Hello,

I have a ASA 5520 (8.0.4) and need 3 internal users to be able to use their Cisco VPN clients to an external source.  It seems one can connect but the other 2 can't.

I created an access list that included their local IP's and opened ports TCP/10000, UDP/4500 and UDP/500.

We use 1 global IP for outbound connections, could this be a NAT issues as they all use the same external IP (outside of ASA)?

If so I think we have a spare couple external IP's.

Labels:
0 Helpful
6 Replies 6

Patrick0711
Participant
Participant

‎11-26-2009 06:57 AM

I see you opened UDP 500 and UDP 4500, however, did you enable NAT traversal on the firewall?  If you're using IPSEC over TCP, you'll need to specify that in the firewall running configuration as well:

isakmp nat-traversal

isakmp ipsec-over-tcp port 10000

Are you saying only 1 user can connect at a time or only a single user is able to connect?

I've seen numerous occasions where multiple internal users are able to initiate a VPN connection from a single PAT IP so this should not be an issue.

0 Helpful

Andy White
Participant
Participant
In response to Patrick0711

‎11-26-2009 07:34 AM

Well, only one could connect earlier, and now all 3 can, seems to be intermittent, he is what I have under the IPsec > IKE Parameters section in the ASDM:

nat.JPG

0 Helpful

Andy White
Participant
Participant
In response to Patrick0711

‎11-26-2009 07:34 AM

Well, only one could connect earlier, and now all 3 can, seems to be intermittent, he is what I have under the IPsec > IKE Parameters  in the ASDM:

nat.JPG

0 Helpful

Kent Heide
Beginner
Beginner

‎11-26-2009 11:15 AM

AFAIK those are for the VPN's themselves and not for VPN's traversing firewall. Those features are what you would enable on the VPN server/hub. (Should be enabled regardless).

Have you opened up ESP/AH in your access-list ? You need it for phase2.

0 Helpful

Andy White
Participant
Participant
In response to Kent Heide

‎11-26-2009 01:55 PM

I've searched the ASA config and I can't find:

isakmp nat-traversal

isakmp ipsec-over-tcp port 10000

I don't inderstand nat-traversal, but have just read http://en.wikipedia.org/wiki/NAT_traversal and it seems to me that I do need those commands added for these internal users to be able to use their VPN clients outbound.  Like most firewalls ours NAT (well PAT) outbound user traffic and it says NAT can break the "end to end" connectivity for IPSec VPN's as I suppose traffic on the way back to the outside of the ASA gets lost on where to find the inside host??

Somehow nat-traversal can help, but I don't have Encapsulating Security Payload (ESP) open, is this outbound? and what port number is this?

0 Helpful

Patrick0711
Participant
Participant
In response to Andy White

‎11-26-2009 02:00 PM

It's a good idea to have all of the following ports opened:

UDP 500 (ISAKMP)

IP Protocol 50 (ESP)

UDP 4500 (ESP NAT-T)

TCP 10000 (TCP over IPSEC)

NAT Traversal MUST be enabled since a traditional ESP packet cannot traverse a PAT environment since there's no UDP/TCP port number.  NAT-Traversal or TCP over IPSEC appends a TCP or UDP packet after the IP header and before the ESP header to allow the firewall to read the port number to successfully PAT the traffic outbound.

Don't bother opening AH...it's not necessary for a client VPN connection.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents