ASA5505 unable to VPN over a NAT'd address

chrisdavin
Level 1

Hi

I am trying to migrate to an ASA5505 from our PIX.

Most of our network uses PAT on our outside interface, but I have a small pool of addresses which I NAT to on the inside, and when I do this they are unable to VPN out to remote sites.

This worked great on the PIX but not on the ASA. I can see port UDP 500 coming back to the client, but port UDP 4500 disappears on its return journey between the two ASA interfaces.

Regards

Chris

10 Replies

Hi

This is not a connection to the ASA, but a connection through it whilst using a NAT'd IP.

I have assigned a NAT to a PC on the inside of the ASA, but when the PC opens a Cisco VPN client and tries to connect to a remote Cisco firewall the user is unable to connect, whereas when he uses a PAT'd address it works fine.

Thanks

Hello,

What is the IP of your PC according to your configuration file?

regards

Hi

The PC is 10.2.200.80

The old PIX line used to be

static (inside,outside) 10.2.254.80 10.2.200.80 netmask 255.255.255.240

for sixteen addresses.

I have just got it to work by using the following two lines

global (outside) 2 10.2.254.80

nat (inside) 2 10.2.200.80 255.255.255.255

I can't believe the above (times sixteen), 32 lines instead of just 1, is the only way to get it working.

Thanks

Your configuration (with global) is a dynamic NAT, so it's unidirectional, while static is bidirectional.

Did you change something in the client configuration?

What are the client parameters?
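The reply above rests on the difference between a static translation and a nat/global pair. The following toy model of an ASA translation (xlate) table is an added example, not Cisco code and not from this thread: it parses the two command shapes quoted in the thread, then shows that a static entry translates an unsolicited inbound packet (bidirectional), while a dynamic entry only translates replies after the inside host has sent first (unidirectional). It also expands the /28 static from Chris's PIX into the per-host dynamic lines to show where the "32 lines" count comes from. The outside peer address 203.0.113.5 is a constructed documentation address, the incrementing pool id per host is my own choice, and the model deliberately does not try to explain the UDP 4500 drop Chris reports.

```python
"""Toy ASA xlate model: static (bidirectional) vs. nat/global dynamic NAT (unidirectional)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def _block(mapped, real, netmask):
    """Yield (real, mapped) pairs covered by a PIX/ASA static with a netmask.
    netmask 255.255.255.240 covers 16 consecutive addresses on each side."""
    count = ipaddress.ip_network(f"0.0.0.0/{netmask}").num_addresses
    r0 = int(ipaddress.ip_address(real))
    m0 = int(ipaddress.ip_address(mapped))
    for i in range(count):
        yield str(ipaddress.ip_address(r0 + i)), str(ipaddress.ip_address(m0 + i))


@dataclass
class Asa:
    static_out: dict = field(default_factory=dict)  # real -> mapped, permanent
    static_in: dict = field(default_factory=dict)   # mapped -> real, permanent
    dynamic: dict = field(default_factory=dict)     # real -> global pool address
    xlate_in: dict = field(default_factory=dict)    # mapped -> real, built only by outbound traffic

    def static(self, mapped, real, netmask="255.255.255.255"):
        """static (inside,outside) MAPPED REAL netmask MASK"""
        for r, m in _block(mapped, real, netmask):
            self.static_out[r] = m
            self.static_in[m] = r

    def nat_global(self, real, global_addr):
        """nat (inside) N REAL 255.255.255.255  +  global (outside) N GLOBAL"""
        self.dynamic[real] = global_addr

    def outbound(self, pkt):
        """Inside -> outside. A static always translates; a dynamic rule translates
        and installs an xlate so that replies can find their way back."""
        if pkt.src in self.static_out:
            mapped = self.static_out[pkt.src]
        elif pkt.src in self.dynamic:
            mapped = self.dynamic[pkt.src]
            self.xlate_in[mapped] = pkt.src
        else:
            return None  # no rule for this host (the thread's PAT fallback is not modelled)
        return Packet(mapped, pkt.dst, pkt.proto, pkt.sport, pkt.dport)

    def inbound(self, pkt):
        """Outside -> inside. Translate the destination back only if a static or a
        live xlate matches; otherwise the packet is dropped (None)."""
        real = self.static_in.get(pkt.dst) or self.xlate_in.get(pkt.dst)
        if real is None:
            return None
        return Packet(pkt.src, real, pkt.proto, pkt.sport, pkt.dport)


def per_host_lines(mapped, real, netmask, first_pool_id=2):
    """Lines needed to express the same block as one nat/global pair per host.
    A distinct pool id per host (my assumption) keeps each mapping one-to-one."""
    lines, pool_id = [], first_pool_id
    for r, m in _block(mapped, real, netmask):
        lines.append(f"global (outside) {pool_id} {m}")
        lines.append(f"nat (inside) {pool_id} {r} 255.255.255.255")
        pool_id += 1
    return lines


def demo():
    """Run both rule types against constructed IKE (UDP 500) and NAT-T (UDP 4500) packets."""
    peer = "203.0.113.5"  # constructed outside peer
    unsolicited = Packet(peer, "10.2.254.80", "udp", 4500, 4500)

    with_static = Asa()
    with_static.static("10.2.254.80", "10.2.200.80", "255.255.255.240")

    with_dynamic = Asa()
    with_dynamic.nat_global("10.2.200.80", "10.2.254.80")
    dropped_before = with_dynamic.inbound(unsolicited)
    with_dynamic.outbound(Packet("10.2.200.80", peer, "udp", 500, 500))
    passed_after = with_dynamic.inbound(unsolicited)

    return {
        "static_pairs": len(with_static.static_in),
        "static_inbound_dst": with_static.inbound(unsolicited).dst,
        "dynamic_inbound_before_outbound": dropped_before,
        "dynamic_inbound_after_outbound_dst": passed_after.dst,
        "per_host_line_count": len(per_host_lines("10.2.254.80", "10.2.200.80", "255.255.255.240")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model keeps only what the reply needs: a static entry is present in both lookup tables from the moment it is configured, while a dynamic entry appears in the inbound table only after outbound traffic creates it, which is what "unidirectional" means here. Real ASA behaviour also involves interface ACLs, xlate timeouts and the order of NAT rules, none of which are modelled.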

I meant that this NAT configuration could determine the behaviour of the server side by using NAT traversal or not.

I have done the isakmp nat-traversal, but it did not make any difference.

The client is default: group name, password and IP.

Hi Chris,

When you added this line to the ASA, it didn't work? 'static (inside,outside) 10.2.254.80 10.2.200.80 netmask 255.255.255.240'

B.Regards.

Hi

It did work. I checked whatsmyip to confirm it was translating OK.

I can see UDP 500 coming back to the client, but UDP 4500 only gets back as far as the outside interface and never exits the internal interface to reach the client.

So the NAT is definitely working, but it just does not pass back the UDP 4500.
