08-06-2008 04:45 AM - edited 02-21-2020 03:52 PM
Hi,
I'm trying to build an Easy VPN connection between two ASA5505s. The initial configuration was simple and the tunnel is up. The problem is that I can't get any packets through. A packet trace in ASDM on the remote site reports IPSec spoof detected.
Any ideas?
08-06-2008 05:03 AM
Can you post your configs for a review - remove sensitive information.
HTH
08-06-2008 05:53 AM
08-06-2008 06:18 AM
That config looks spot on - if there is an issue it might be with the server end. Below is a config example - check yours against it for anything that jumps out:
HTH
08-06-2008 07:12 AM
Hi,
I had already read that article. There are some differences between the config in the example and the server-side running config. Unfortunately I cannot find the exact problem. I will post the server-side running config tomorrow and would appreciate it if you would take a peek at it.
Thanks in advance...
08-06-2008 07:16 AM
Sure, no problem.
08-07-2008 02:23 AM
08-07-2008 06:24 AM
Try to issue the following command:
no crypto dynamic-map outside_dyn_map 20 set nat-t-disable
08-07-2008 06:47 AM
Thanks for your reply.
I changed the server-side config, but I still can't ping a machine behind the client ASA.
08-07-2008 06:51 AM
Have you added RRI (reverse route injection)?
08-07-2008 07:15 AM
On the serverside I have added:
crypto dynamic-map outside_dyn_map 20 set reverse-route
Still no go...
10-02-2008 06:43 AM
I'm trying to do the same thing you are: Establishing a VPN using the ASA5505 when it is behind a NAT. Did you have to open/forward any ports from the NAT device to the ASA5505 to get the VPN connection working?
10-02-2008 06:50 AM
If your case is like
internet---nat device--ASA--internal
and the VPN is on the ASA,
you first need a static NAT or port forward from the NAT device to the ASA.
You need the following ports opened and NATed statically:
ESP
UDP 500
and maybe UDP 4500
to get the tunnel established.
If helpful, rate.
10-02-2008 09:43 PM
Setup is like:
Lan1 --- ASA1 --- internet --- NAT_device --- ASA2 -- LAN2
The tunnel will be initiated from ASA2 to ASA1; shouldn't the NAT device handle all NATting dynamically?
10-03-2008 09:13 AM
Hi,
Can you enable NAT-T globally on both end ASAs and then check.
"isakmp nat-traversal 20 "
http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/ike.html#wp1052899
When NAT-T is enabled, the ESP packets (which actually carry the data payload), which get blocked by PAT/NAT, get encapsulated in UDP 4500 packets, and since they now have ports they can easily pass through PAT.
HTH
Saju
Pls rate helpful posts
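As an added illustration (not part of this thread or of any Cisco code), a small Python classifier that tells apart on the wire the three traffic types listed in the port-forwarding reply above and explained in this post: raw ESP (IP protocol 50, no ports, so PAT cannot track it), IKE on UDP 500, and NAT-T on UDP 4500, where RFC 3948's four-byte non-ESP marker distinguishes IKE from UDP-encapsulated ESP. It assumes raw IPv4 packets as input; the sample packets are constructed inline, not a real capture.

```python
import struct
from collections import Counter

IKE_PORT, NATT_PORT = 500, 4500       # IKE on UDP 500; NAT-T (RFC 3948) on UDP 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # IKE carried inside UDP 4500 starts with 4 zero bytes

def classify(pkt: bytes) -> str:
    """Name the IPsec-related flavour of a raw IPv4 packet, or 'other'."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "other"
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    l4 = pkt[ihl:]
    if proto == 50:                   # raw ESP has no ports, so PAT cannot track it
        return "esp-raw"
    if proto != 17 or len(l4) < 8:
        return "other"
    sport, dport = struct.unpack("!HH", l4[:4])
    data = l4[8:]
    if IKE_PORT in (sport, dport):
        return "isakmp-udp500"
    if NATT_PORT in (sport, dport):
        if data == b"\xff":           # one-byte NAT-T keepalive
            return "natt-keepalive"
        if data[:4] == NON_ESP_MARKER:
            return "isakmp-udp4500"
        if len(data) >= 8:            # non-zero SPI followed by a sequence number
            return "esp-in-udp4500"
    return "other"

def summarize(packets) -> dict:
    """Count kinds; raw ESP crossing the NAT device means NAT-T was not negotiated."""
    return dict(Counter(classify(p) for p in packets))

# Constructed sample packets, not a real capture; IPv4/UDP checksums left at zero.
def _ipv4(proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload

def _udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

SAMPLES = {
    "ike":       _ipv4(17, _udp(500, 500, b"\x11" * 28)),
    "natt_ike":  _ipv4(17, _udp(4500, 4500, NON_ESP_MARKER + b"\x11" * 28)),
    "natt_esp":  _ipv4(17, _udp(4500, 4500, struct.pack("!II", 0x1234ABCD, 1) + b"\xaa" * 16)),
    "keepalive": _ipv4(17, _udp(4500, 4500, b"\xff")),
    "raw_esp":   _ipv4(50, struct.pack("!II", 0xDEADBEEF, 7) + b"\xbb" * 16),
    "dns":       _ipv4(17, _udp(53000, 53, b"\x00" * 12)),
}
```

Running `summarize` over packets captured on the NAT device shows whether the tunnel's data is leaving as raw ESP (which the ports listed above must pass statically) or as UDP 4500, which is what NAT-T produces.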