01-30-2007 07:27 AM - edited 03-11-2019 02:26 AM
Hi friends,
Just came across an issue with ASA 5540 and PIX 7.1.
There is a VPN client behind the ASA and the ASA is a PAT device. The ASA is just a pass-through device which needs to allow the VPN traffic through it, connecting to a remote server.
I have enabled sysopt connection permit-vpn, and I have also temporarily allowed all traffic (IP and ICMP) on the interfaces.
I was able to connect to the remote server through the Cisco VPN client and enter the user credentials. But beyond that, I was not able to do anything. This was happening even after I enabled NAT-T on the firewall (isakmp nat-traversal 20).
I was not able to ping to the remote server. But after I did a one-to-one static NAT for my machine, I was able to ping the server.
So, basically, PAT was the reason I was not able to connect, as static NAT resolved the issue. Cisco recommends one solution, NAT-T, and even that has been tried.
Do you have any suggestions on what else could be tried?
Looking forward to your help in this regard.
Thanks a lot
Gautam
01-30-2007 07:30 AM
Which firewall did you enable NAT-T on? NAT-T would have to be enabled on the remote firewall.
01-30-2007 08:52 AM
Hi,
Thanks a lot for your quick response.
I enabled NAT-T on the firewall that is close to the VPN client.
Thanks a lot
Gautam
01-30-2007 09:55 AM
So did you add it to the remote firewall and did it fix the problem?
Please rate if it helped.
01-30-2007 11:26 AM
Well, NAT-T was enabled on the firewall close to the Cisco VPN client. But I don't know about the firewall on the other end.
But one thing I wanted to mention is that when connecting through dial-up and bypassing the firewall, there were no connectivity issues. Which means that there is an issue with the firewall connected to the VPN client, and the configuration on the other end should be fine then. Right? Not too sure on that.
01-30-2007 11:34 AM
Not necessarily; you are not PATing when you are dialing up, but I assume you are on the local firewall. If running PAT on the local firewall, the remote firewall will have to support NAT-T. Do you have control over the remote PIX?
01-30-2007 09:19 PM
No, I don't have control over the remote PIX. But I can tell the administrator to enable NAT-T on his remote firewall.
Will get back to you on this.
Thanks a lot
Gautam
02-01-2007 11:10 AM
Thanks a lot for your help. The issue was resolved after the remote firewall had NAT-T enabled.
Gautam
02-01-2007 11:55 AM
No problem, how about a rating?
03-06-2007 02:30 PM
I have the same issue. I'm trying to VPN out, from behind an ASA 5510, to a client's VPN server. I can connect and get through the authentication but can't further connect to any other server.
I also tried to VPN to another client with a SonicWall VPN appliance and I can't even get connected.
I have no control over the client's VPN server. Is there any other option that I can set on our ASA in order to allow a local client to VPN out to the client's VPN server?
Everything works if I connect directly to a Dlink wireless router which is not behind our ASA.
BTW: I do have NAT-T enabled on our ASA.
Any comment would be appreciated. Thanks.
03-06-2007 03:47 PM
Hi,
Having NAT-T enabled on your ASA would not help, as it is not the device that the VPN is terminating on. Make sure that it has UDP 500 and UDP 4500 allowed through it.
HTH,
Please rate if it helps.
Regards,
Kamal
03-08-2007 02:44 PM
Hmm. I "think" I allow all outgoing traffic, unless my ASA blocks that traffic by default and I don't know it.
I found this msg in asa log:
305006: regular translation creation failed for protocol 50 src DMZ:192.168.xxx.xxx dst EXT: 216.xxx.xxx.xxx
Checking on it, but could someone help? Thanks.
03-08-2007 03:38 PM
The ASA as such doesn't support IPsec passthrough, as the "fixup protocol esp" command has been removed.
To get this to work, you have to make sure the client supports NAT-T and that it is enabled on it.
And the remote VPN server also has to support NAT-T and have it enabled.
The error message for the ESP protocol you are getting is an indication that either the server or the client does not support NAT-T or it is not enabled.
*Please rate if this helped.
-Kanishka
03-08-2007 05:57 PM
I have just found another member saying the following; what do you think? I haven't tried it yet. What I don't understand is what action the ASA will take when it inspects the IPsec/PPTP protocol. Any comment will be welcomed.
-----------------
7.0.5 supports multiple ipsec passthrough.
Enhanced IPSEC Inspection
The ability to open specific pinholes for ESP flows based on existence of an IKE flow is provided by the enhanced IPSec inspect feature. This feature can be configured within the MPF infrastructure along with other inspects. The idle-timeout on the resulting ESP flows is statically set at 10 minutes. There is no maximum limit on number of ESP flows that can be allowed.
A new policy-map command inspect ipsec-pass-thru is added to enable this feature.
----------------------------------
Here is what I am using to allow raw IPsec and PPTP passthrough.
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
inspect pptp
inspect ipsec-pass-thru
!
service-policy global_policy global
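The thread turns on one fact: plain ESP (IP protocol 50) carries an SPI but no port numbers, so a PAT device has nothing to rewrite and reports exactly the 305006 "translation creation failed for protocol 50" message quoted above, whereas NAT-T wraps ESP in UDP/4500 and becomes an ordinary UDP flow. The script below is an added example, not code from the thread or from Cisco: it builds a few constructed packets (hand-crafted headers, no real traffic) and classifies them the way a PAT device sees them (IKE on UDP/500, IKE and ESP over NAT-T on UDP/4500 per RFC 3948, and bare ESP), shows which ones yield a translatable 5-tuple, and scans a couple of constructed ASA syslog lines for the 305006 error for protocol 50 that signals NAT-T is not in use end to end. Addresses, SPIs and the sample log lines are made up.

```python
"""Added example: why bare ESP cannot be PATed while NAT-T (ESP in UDP/4500) can.

All packets and log lines are constructed inline; nothing here touches the network.
"""
import re
import struct
from typing import List, Optional, Tuple

IPPROTO_UDP = 17
IPPROTO_ESP = 50
IKE_PORT = 500
NAT_T_PORT = 4500


def ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) followed by payload."""
    def addr(a: str) -> bytes:
        return bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, addr(src), addr(dst))
    return hdr + payload


def udp(sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header with the checksum left zero (permitted for IPv4)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def esp(spi: int, seq: int, body: bytes) -> bytes:
    """ESP header is just SPI + sequence number, then the encrypted body: no ports."""
    return struct.pack("!II", spi, seq) + body


def parse(pkt: bytes) -> Tuple[int, str, str, bytes]:
    """Return (protocol, src, dst, L4 payload) of an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return pkt[9], src, dst, pkt[ihl:]


def pat_key(pkt: bytes) -> Optional[Tuple[str, int, str, int]]:
    """The (src, sport, dst, dport) tuple a PAT device needs to build a translation.

    Returns None for protocols that have no ports, such as ESP: with nothing to
    rewrite, no translation can be created (the condition ASA 305006 reports).
    """
    proto, src, dst, payload = parse(pkt)
    if proto == IPPROTO_UDP:  # TCP works the same way; omitted for brevity
        sport, dport = struct.unpack("!HH", payload[:4])
        return (src, sport, dst, dport)
    return None


def classify(pkt: bytes) -> str:
    """Label a packet as a NAT device would see it."""
    proto, _src, _dst, payload = parse(pkt)
    if proto == IPPROTO_ESP:
        spi = struct.unpack("!I", payload[:4])[0]
        return f"ESP spi=0x{spi:08x} (no ports, not PAT-able)"
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", payload[:4])
        data = payload[8:]
        if IKE_PORT in (sport, dport):
            return "IKE"
        if NAT_T_PORT in (sport, dport):
            if data == b"\xff":                    # RFC 3948 s.2.3 keepalive
                return "NAT-T keepalive"
            if data[:4] == b"\x00\x00\x00\x00":    # RFC 3948 s.2.2 non-ESP marker
                return "IKE over NAT-T"
            spi = struct.unpack("!I", data[:4])[0]  # SPI 0 is reserved, so unambiguous
            return f"ESP-in-UDP spi=0x{spi:08x} (PAT-able)"
    return "other"


# Matches the thread's 305006 line with or without the %ASA-3- prefix.
LOG_305006 = re.compile(
    r"305006: regular translation creation failed for protocol (?P<proto>\d+) "
    r"src (?P<sif>\S+):(?P<src>\S+) dst (?P<dif>\S+):\s*(?P<dst>\S+)"
)


def esp_translation_failures(lines: List[str]) -> List[Tuple[str, str]]:
    """(src, dst) of every 305006 message for protocol 50, i.e. bare ESP hitting PAT."""
    hits = []
    for line in lines:
        m = LOG_305006.search(line)
        if m and int(m.group("proto")) == IPPROTO_ESP:
            hits.append((m.group("src"), m.group("dst")))
    return hits


# Constructed sample traffic: client behind the PAT device talking to a VPN server.
CLIENT, SERVER = "192.168.10.25", "203.0.113.7"
PLAIN_ESP = ipv4(IPPROTO_ESP, CLIENT, SERVER, esp(0x1234ABCD, 1, b"\x00" * 16))
IKE = ipv4(IPPROTO_UDP, CLIENT, SERVER, udp(500, 500, b"\x00" * 28))
NATT_IKE = ipv4(IPPROTO_UDP, CLIENT, SERVER, udp(4500, 4500, b"\x00" * 4 + b"\x00" * 28))
NATT_ESP = ipv4(IPPROTO_UDP, CLIENT, SERVER, udp(4500, 4500, esp(0x1234ABCD, 2, b"\x00" * 16)))
KEEPALIVE = ipv4(IPPROTO_UDP, CLIENT, SERVER, udp(4500, 4500, b"\xff"))

# Constructed ASA syslog lines in the format quoted in the thread.
SAMPLE_LOG = [
    "%ASA-3-305006: regular translation creation failed for protocol 50 "
    "src DMZ:192.168.10.25 dst EXT:203.0.113.7",
    "%ASA-6-302015: Built outbound UDP connection 12 for EXT:203.0.113.7/500 "
    "(203.0.113.7/500) to DMZ:192.168.10.25/500 (198.51.100.2/1025)",
]

if __name__ == "__main__":
    for name, pkt in [("plain ESP", PLAIN_ESP), ("IKE", IKE), ("NAT-T IKE", NATT_IKE),
                      ("NAT-T ESP", NATT_ESP), ("keepalive", KEEPALIVE)]:
        print(f"{name:10} {classify(pkt):45} pat_key={pat_key(pkt)}")
    print("ESP translation failures:", esp_translation_failures(SAMPLE_LOG))
```

If the log scan returns hits while the client and server both claim NAT-T support, one side is not actually negotiating it (NAT-T is enabled per peer, so the remote concentrator matters, as Kamal and Kanishka note); the `inspect ipsec-pass-thru` configuration in the previous post is the ASA-side fallback that pins an ESP flow to the IKE flow that preceded it.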