07-06-2011 01:53 AM - edited 02-21-2020 04:23 AM
Hi,
We have ASA 5510 running 8.3(2). There was no problem if one single NATed client made a VPN connection to the ASA 5510. However, when more than one NATed client made VPN connections, either the new client got no connection or the old connection got kicked out. Could this be a bug?
Thank you.
Regards
Alan
My Configuration:
: Saved
:
ASA Version 8.3(2)
!
hostname ciscoasa
domain-name x.x.x.x
enable password Q/xxwnwRB encrypted
passwd 2KxxKYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.203 255.255.252.0
!
! No Network Connection
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.3.2 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa832-k8.bin
ftp mode passive
clock timezone HKST 8
dns server-group DefaultDNS
domain-name x.x.x.x
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network OBJ_GENERIC_ALL
subnet 0.0.0.0 0.0.0.0
object network OBJ_SPECIFIC_10_4_5_0
subnet 10.4.5.0 255.255.255.0
object network vpn-nat
subnet 10.4.5.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpn_address 10.4.5.10-10.4.5.200
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
!
object network vpn-nat
nat (any,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 x.x.x.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server vpn-aaa-gp protocol radius
reactivation-mode depletion deadtime 5
aaa-server vpn-aaa-gp (outside) host x.x.x.152
key *****
authentication-port 1812
accounting-port 1813
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection preserve-vpn-flows
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP_AES_128_MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP_AES_128_MD5 mode transport
crypto ipsec transform-set ESP_AES_128_SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP_AES_128_SHA mode transport
crypto ipsec transform-set ESP_AES_192_MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP_AES_192_MD5 mode transport
crypto ipsec transform-set ESP_AES_256_MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP_AES_256_MD5 mode transport
crypto ipsec transform-set ESP_AES_256_SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP_AES_256_SHA mode transport
crypto ipsec transform-set ESP_AES_192_SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP_AES_192_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DL2TP_MAP 10 set transform-set ESP_AES_128_MD5 ESP_AES_128_SHA ESP_AES_256_MD5 ESP_AES_256_SHA TRANS_ESP_3DES_SHA TRANS_ESP_3DES_MD5 ESP_AES_192_MD5 ESP_AES_192_SHA
crypto dynamic-map DL2TP_MAP 10 set reverse-route
crypto map L2TP_MAP 200 ipsec-isakmp dynamic DL2TP_MAP
crypto map L2TP_MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 12
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 14
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 16
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 300
telnet timeout 5
ssh scopy enable
ssh x.x.33.6 255.255.255.255 outside
ssh timeout 5
console timeout 0
l2tp tunnel hello 100
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 137.189.11.63
webvpn
group-policy vpn_policy internal
group-policy vpn_policy attributes
dns-server value x.x.x.50 x.x.x.11
vpn-tunnel-protocol l2tp-ipsec
username admin password IpmYxxxxxUl encrypted
username gordon password XPxxxxxxMNn1 encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool vpn_address
authentication-server-group vpn-aaa-gp
authorization-server-group vpn-aaa-gp
accounting-server-group vpn-aaa-gp
default-group-policy vpn_policy
strip-group
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
no authentication chap
no authentication ms-chap-v1
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b6560db8166e8c1ba9a61a243ec75fa3
: end
ciscoasa#
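A model of the symptom in the post above, added here as an illustration and not taken from the thread or from ASA code: with NAT-T, several clients behind one public IP reach the gateway on UDP/4500 from different NAT-assigned source ports, so a session table keyed only by public IP lets the newest peer replace an earlier one, while keying by (IP, port) keeps both. The client names and the 203.0.113.5 address are constructed.

```python
"""Two L2TP/IPsec clients behind one NAT: session keyed by IP vs (IP, port).

Added example (assumption: a simplified gateway session table, not ASA
internals).  Contrasts two ways a VPN gateway can identify NAT-T peers.
"""
from dataclasses import dataclass, field


@dataclass
class Hello:
    public_ip: str   # address the gateway sees after NAT (constructed)
    udp_sport: int   # NAT-assigned UDP/4500 source port
    client: str      # label only, to show which client held the slot


@dataclass
class Gateway:
    # key_by_port=False mirrors the "old connection got kicked out" symptom:
    # a second peer behind the same public IP overwrites the first.
    key_by_port: bool
    sessions: dict = field(default_factory=dict)
    dropped: list = field(default_factory=list)

    def _key(self, h: Hello):
        return (h.public_ip, h.udp_sport) if self.key_by_port else h.public_ip

    def connect(self, h: Hello) -> None:
        key = self._key(h)
        old = self.sessions.get(key)
        if old is not None and old.client != h.client:
            self.dropped.append(old.client)  # earlier session torn down
        self.sessions[key] = h

    def active(self) -> set:
        return {h.client for h in self.sessions.values()}


# Constructed sample: two clients share public IP 203.0.113.5 (TEST-NET-3).
SAMPLE = [Hello("203.0.113.5", 4500, "alice"),
          Hello("203.0.113.5", 61044, "bob")]


def run(key_by_port: bool):
    """Return (active clients, dropped clients) after both hellos."""
    gw = Gateway(key_by_port)
    for h in SAMPLE:
        gw.connect(h)
    return gw.active(), gw.dropped


if __name__ == "__main__":
    print("keyed by IP only :", run(False))
    print("keyed by IP+port :", run(True))
```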
07-09-2011 06:47 AM
Hi Alan,
You are correct, this is a bug I opened some time ago:
CSCtj03800 Second L2TP session disconnects first one if NATed to the same public IP.
You can have a look at its description from the following link:
As you can see there, it is fixed as from 8.3(2.8).
Regards,
Nicolas
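A small version check, added here and not part of the thread: it parses ASA version strings in the major.minor(maint) and interim major.minor(maint.interim) forms and reports whether the image in a saved config (the "ASA Version 8.3(2)" header above) predates the 8.3(2.8) fix Nicolas cites. Comparing across trains is deliberately left undecided, since a fix in one train says nothing about another.

```python
"""Does a running ASA version predate a bug's fixed-in release?

Added example, not from the thread.  Handles "8.3(2)" and interim builds
such as "8.3(2.8)"; the fixed-in value is the one quoted for CSCtj03800.
"""
import re

_VER = re.compile(r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)")


def parse_asa_version(text: str) -> tuple:
    """Return (major, minor, maint, interim); interim defaults to 0."""
    m = _VER.search(text)
    if not m:
        raise ValueError(f"no ASA version in: {text!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def is_fixed(running: str, fixed_in: str):
    """True/False within the same train; None across trains, where the
    bug's own fixed-releases list must be consulted instead."""
    r, f = parse_asa_version(running), parse_asa_version(fixed_in)
    if r[:2] != f[:2]:
        return None
    return r >= f


# Constructed sample: header line of a saved config like Alan's.
CONFIG_HEADER = "ASA Version 8.3(2)"
FIXED_IN = "8.3(2.8)"   # from Nicolas's reply


def still_affected(running_cfg: str = CONFIG_HEADER) -> bool:
    """True when the running image is in the fix's train but below it."""
    return is_fixed(running_cfg, FIXED_IN) is False


if __name__ == "__main__":
    print(CONFIG_HEADER, "still affected:", still_affected())
```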