cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2539
Views
0
Helpful
14
Replies

Easy VPN connection with remote side behind NAT device

nico
Level 1
Level 1

Hi,

I'm trying to build en Easy VPN connection between two ASA5505's. Initial configuration was simple and the tunnel is up. The problem is that I can't get any packets trough. A packet-trace in ASDM on the remote site reports IPSec spoof detected.

Any ideas?

14 Replies 14

andrew.prince
Level 10
Level 10

Can you post your configs for a review - remove sensitive information.

HTH>

Hi,

Here's the config of the clientside ASA. It connected to a LAN behind a NAT device.

I am having trouble getting my hands on the latest running config of the serverside. I will post it asap.

I am new to all this so I hope you can read the attached config.

Tanks in advance.

That config look sport on - if there is an issue it might be with the server end, below is a config example - check yours against it for anything that jumps out:-

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a00805c5ad9.shtml

HTH>

Hi,

I had already read that article. There are some differences between the config in the example and the serverside runningconfig. Unfortunately I cannot find the exact problem. I will post the serverside runningconfig tomorrow and would appriciate it if you would take a peek at it.

Tanks in advance...

sure no problem.

Hello,

As promised the serverside runningconfig.

Greetz...

try to issue the following comman

no crypto dynamic-map outside_dyn_map 20 set nat-t-disable

Thanks for your reply.

I changed the serverside config, but still can't ping to a machine behind the client ASA.

have u added RRI

reverse route injuction?

On the serverside I have added:

crypto dynamic-map outside_dyn_map 20 set reverse-route

Still no go...

I'm trying to do the same thing you are: Establishing a VPN using the ASA5505 when it is behind a NAT. Did you have to open/forward any ports from the NAT device to the ASA5505 to get the VPN connection working?

if u case like

internet---nat device--ASA--internal

and the vpn on the ASA

u need first static nat or portforward from the nat device to the ASA

u need the folling ports opned and nated staticly

esp

udp 500

and mybe udp 4500

to get the tunnel established

if helpful Rate

Setup is like:

Lan1 --- ASA1 --- internet --- NAT_device --- ASA2 -- LAN2

Tunnel will be initiated from ASA2 to ASA1, shouldn't the nat device handle all natting dynamicaly?

Hi,

Can you enable NAT-T globally on both end ASAs and then check .

"isakmp nat-traversal 20 "

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/ike.html#wp1052899

When NAT-T is enabled , the ESP packets,(which actually vcarries data payload) which gets blocked by PAT/NAT, gets encapsulated in UDP 4500 packets and since it now has ports it can easily pass through PAT.

HTH

Saju

Pls rate helpful posts