06-22-2012 12:57 AM - edited 03-11-2019 04:21 PM
Hello Support Community,
I have a problem with VPN passthrough with an NCP Client and a Cisco ASA 5520, version 8.4(3).
A VPN IPsec connection with a Cisco VPN Client through the Cisco ASA works fine.
The NCP Client establishes a connection with source and destination UDP 4500 to the remote VPN gateway, and the connection setup is aborted.
If I establish a connection with an NCP Client on a virtual machine with NAT, the connection setup works fine.
A connection setup from a VM in bridge mode is also aborted.
The VPN passthrough problem with the NCP Client started with the update to version 8.4(3).
The connection worked very well up to version 8.2(5).
Does anyone know this problem?
07-04-2012 10:17 AM
CSCtq32213: VPN ports not removed from PAT port pool when crypto map is applied.
The issue is that if you have a client which uses an outbound VPN through your ASA (like one of your consultants from your network trying to connect to his company VPN), it will create an xlate for UDP port 4500 if you have dynamic NAT configured for your outside interface IP.
This will occupy UDP port 4500 on the ASA, and the xlate entry will not be released and will remain there.
This will limit users from connecting to our VPN where the gateway is our ASA's outside IP.
Workaround:
Use the 'clear xlate' command to clear the dynamically created xlate if the problem occurs. To prevent the problem from occurring in the first place, remove the 'flow-export destination' command from the configuration and reload the ASA.
8.4(4)
06-26-2012 05:04 AM
I have encountered a very similar problem. Some customers and partners require us to use a remote access VPN to support them. When the firewall was running 8.2(5) it worked fine. It now requires some annoying hacks to make it work on 8.4(3). My least favorite of these hacks is a 'magical' NAT that prevents inside hosts from stealing port 500.
Here is what I did and it seems to be working (but is definitely ugly):
configure terminal
! Static PAT that pins UDP 500 (isakmp) on the outside interface to one inside host,
! so dynamic PAT cannot hand that port out to another inside host
object network VPN-endpoint
 description Prevent inside hosts from stealing VPN endpoint with PAT
 host 172.16.0.1
 nat (any,outside) static interface service udp isakmp isakmp
exit
! Match IKE (UDP 500) and NAT-T (UDP 4500) for IPsec pass-through inspection
access-list ipsecpassthroughacl extended permit udp any any eq isakmp
access-list ipsecpassthroughacl extended permit object-group TCPUDP any any eq 4500
class-map ipsecpassthru-traffic
 match access-list ipsecpassthroughacl
exit
policy-map type inspect ipsec-pass-thru iptmap
 parameters
  esp
  ah
 exit
exit
policy-map inspection_policy
 class ipsecpassthru-traffic
  inspect ipsec-pass-thru iptmap
 exit
exit
service-policy inspection_policy interface outside
exit
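The bug description above says an inside host's dynamic PAT can grab UDP 500/4500 on the outside interface IP and never release it, which is exactly what the static NAT in this post is meant to prevent. As an added example (not from this thread or from Cisco), here is a small parser that runs over 'show xlate' output and flags dynamic PAT entries holding those ports; the line layout and the sample output are assumed/constructed, and 203.0.113.1 stands in for the outside interface IP.

```python
import re
from typing import Dict, List

# One 'show xlate' PAT line, assumed to follow the ASA 8.4 layout, e.g.
# "UDP PAT from inside:10.1.1.5/4500 to outside:203.0.113.1/4500 flags ri idle 0:01:12 timeout 0:00:30"
XLATE_RE = re.compile(
    r"^(?P<proto>TCP|UDP) PAT from (?P<in_if>\S+?):(?P<in_ip>[\d.]+)/(?P<in_port>\d+) "
    r"to (?P<out_if>\S+?):(?P<out_ip>[\d.]+)/(?P<out_port>\d+) flags (?P<flags>\S+)"
)

# UDP ports a remote-access IKE/NAT-T gateway needs free on the outside interface IP.
VPN_UDP_PORTS = {500, 4500}


def parse_xlates(show_xlate_output: str) -> List[Dict]:
    """Return the PAT entries of 'show xlate' output as dicts; header and non-PAT lines are skipped."""
    entries = []
    for line in show_xlate_output.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["in_port"] = int(d["in_port"])
            d["out_port"] = int(d["out_port"])
            entries.append(d)
    return entries


def stolen_vpn_ports(show_xlate_output: str, outside_ip: str, outside_if: str = "outside") -> List[Dict]:
    """Dynamic PAT entries ('i' flag) that occupy UDP 500 or 4500 on the outside interface IP.
    Static entries ('s' flag), such as the pinning NAT from the post above, are not reported."""
    return [
        e for e in parse_xlates(show_xlate_output)
        if e["proto"] == "UDP"
        and "i" in e["flags"]
        and e["out_if"] == outside_if
        and e["out_ip"] == outside_ip
        and e["out_port"] in VPN_UDP_PORTS
    ]


# Constructed sample output (not captured from a real ASA).
SAMPLE_SHOW_XLATE = """\
4 in use, 6 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
UDP PAT from any:172.16.0.1/500 to outside:203.0.113.1/500 flags sr idle 0:00:00 timeout 0:00:00
UDP PAT from inside:10.1.1.5/4500 to outside:203.0.113.1/4500 flags ri idle 0:01:12 timeout 0:00:30
TCP PAT from inside:10.1.1.7/51234 to outside:203.0.113.1/51234 flags ri idle 0:00:03 timeout 0:00:30
"""

if __name__ == "__main__":
    for e in stolen_vpn_ports(SAMPLE_SHOW_XLATE, "203.0.113.1"):
        print(f"UDP/{e['out_port']} on {e['out_ip']} held by {e['in_ip']}:{e['in_port']} (clear xlate candidate)")
```

Feed it the output of 'show xlate' from the firewall to see whether the 'clear xlate' workaround from the solution post is needed before users can reach the VPN gateway again.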
07-02-2012 06:57 AM
Hi Alain,
thank you for the information.
I will try it next week.
07-02-2012 08:33 PM
Hello Stephan,
That is correct, there is a bug about what Alain just told you.
I have worked on this issue, and the thing is that the ASA is unable to hold or save those ports for the VPN connections (it starts doing PAT on ports 500 and 4500).
There are some work-arounds like using TCP based (10000), but I have seen it behave the same way, so my recommendation would be to do an upgrade ASAP to make this work.
I will provide you the bug ID tomorrow morning .
Regards,
Do rate all the helpful posts
Julio
07-04-2012 05:11 AM
Thank you Julio
Is this issue fixed in 8.4(4.1)?
Thanks,
Alain
08-23-2012 07:43 AM
Julio,
the update to version 8.4(4.1) has fixed the problem.
Regards,
Stephan