05-05-2011 06:02 AM - edited 02-21-2020 05:19 PM
Hello folks
This might be an odd question, but can I force an IPSEC L2L tunnel to use NAT-T encapsulation no matter what? Automatic detection says none of the endpoints are behind NAT.
I know I can disable it by the "crypto map XXX set nat-t-disable" command, but I want the exact opposite.
I have a very strange issue where asynchronous routing is making my life as a technician very hard.
A side question: can I do something about an ISP that is policy-based-routing its ESP traffic (and/or translating it)?
ASA5505 (212.178.155.73) ===>===>===> ISAKMP traffic ===>===>===> ASA5510 (80.62.yyy.xxx)
    traffic source IP seen: 212.178.155.73

ASA5505 (212.178.155.73) ===>===>===> ESP traffic ===>===>===> ASA5510 (80.62.yyy.xxx)
    traffic source IP seen: 212.178.152.36 - when it should see 212.178.155.73
The above is meant to show that I have an ASA5510 that is configured with an L2L tunnel with peer 212.178.155.73.
The ISP of 212.178.155.73 is somehow not doing its routing/translating correctly, as the source IP of traffic originating from my ASA5505 is other than the one configured on the ASA5505. This is only the case for ESP traffic. UDP (ISAKMP) traffic is correct.
The VPN tunnel is successfully established (both phase 1 and 2), but no traffic can traverse the tunnel. It had been working fine until this morning.
Not long ago ISAKMP traffic was translated the same way as ESP traffic - it was working then, as long as the non-NAT'ed device initiated the tunnel.
I hope I have explained myself so that you can understand it.
Best regards
-- Jesper
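The check a practitioner would run before blaming the ISP is the one the diagram above describes: take a capture on the outside interface of the ASA5510 and compare, per peer, the source address of the ISAKMP packets (UDP/500, or UDP/4500 once NAT-T is in use) with the source address of the ESP packets (IP protocol 50). The script below is an added example, not from the original post or from Cisco; it builds a small constructed capture with the thread's addresses (198.51.100.10 stands in for the redacted 80.62.yyy.xxx) and reports ESP sources that have no matching ISAKMP source, which is exactly the symptom Jesper describes.

```python
import socket
import struct
from collections import defaultdict

PROTO_UDP = 17
PROTO_ESP = 50
ISAKMP_PORT = 500
NATT_PORT = 4500


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options). The checksum is left at zero because this
    example only parses the packets it builds itself."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def build_udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_esp(spi, seq):
    # SPI and sequence number, followed by opaque ciphertext.
    return struct.pack("!II", spi, seq) + b"\x00" * 16


def classify(pkt):
    """Return (kind, src, dst) where kind is isakmp, nat-t, esp or other."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    src, dst = socket.inet_ntoa(src), socket.inet_ntoa(dst)
    body = pkt[ihl:]
    if proto == PROTO_ESP:
        return "esp", src, dst
    if proto == PROTO_UDP:
        sport, dport = struct.unpack("!HH", body[:4])
        if ISAKMP_PORT in (sport, dport):
            return "isakmp", src, dst
        if NATT_PORT in (sport, dport):
            return "nat-t", src, dst
    return "other", src, dst


def audit(packets, local_ip):
    """Group inbound packets by kind and list ESP sources that never sent us ISAKMP.
    Such ESP cannot belong to any negotiated SA and will be dropped by the receiving ASA."""
    sources = defaultdict(set)
    for pkt in packets:
        kind, src, dst = classify(pkt)
        if dst == local_ip:
            sources[kind].add(src)
    ike_sources = sources.get("isakmp", set()) | sources.get("nat-t", set())
    stray_esp = sorted(sources.get("esp", set()) - ike_sources)
    return {k: sorted(v) for k, v in sources.items()}, stray_esp


ASA5510 = "198.51.100.10"        # stand-in for the redacted 80.62.yyy.xxx
ASA5505 = "212.178.155.73"       # configured peer address from the thread
ESP_SRC_SEEN = "212.178.152.36"  # ESP source the thread reports arriving instead

# Constructed capture: ISAKMP arrives from the configured peer, ESP from the rewritten address.
SAMPLE = [
    build_ipv4(ASA5505, ASA5510, PROTO_UDP, build_udp(500, 500, b"\x00" * 28)),
    build_ipv4(ASA5510, ASA5505, PROTO_UDP, build_udp(500, 500, b"\x00" * 28)),
    build_ipv4(ESP_SRC_SEEN, ASA5510, PROTO_ESP, build_esp(0x1A2B3C4D, 1)),
    build_ipv4(ESP_SRC_SEEN, ASA5510, PROTO_ESP, build_esp(0x1A2B3C4D, 2)),
]

if __name__ == "__main__":
    seen, stray = audit(SAMPLE, ASA5510)
    print(seen)   # {'isakmp': ['212.178.155.73'], 'esp': ['212.178.152.36']}
    print(stray)  # ['212.178.152.36']
```

On a real capture the same grouping applies to the decoded packets; a non-empty stray list, with the ISAKMP list intact, is the signature of the ESP-only rewriting in the diagram rather than a phase 1 or phase 2 problem on either ASA.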
05-05-2011 09:14 AM
Hello, Jesper!
Well, I can suggest a couple of solutions.
First, you can install some other device in front of the ASA5510 and set up NAT on it. In that case you will force both of your ASAs to use NAT-T.
I think it's not practical.
The second solution is as follows. Back in the days of the Altiga VPN concentrator it was possible to use IPsec over TCP. Now the ASA supports this mode as well. Please look through the following URLs: http://www.cisco.com/en/US/partner/docs/security/asa/asa80/configuration/guide/ike.html#wp1059912 and http://www.cisco.com/en/US/partner/docs/security/asa/asa80/configuration/guide/ezvpn505.html#wp1017851
I hope this will help you.
With best regards
Maxim
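Maxim's first suggestion works because of how NAT-T detection is specified: each peer sends NAT-D payloads carrying HASH(CKY-I | CKY-R | IP | Port) for the address it believes it is using (RFC 3947, section 3.2), and the receiver compares that with the hash of the source address the ISAKMP packet actually arrived from. In Jesper's case the ISAKMP packets arrive untouched, the digests match, no NAT is detected, and phase 2 traffic leaves as raw ESP, which the ISP then rewrites. With a NAT device in front of either ASA the digests differ and ESP is wrapped in UDP/4500 instead. The script below is an added example, not from the original thread or from Cisco; it assumes SHA-1 as the phase 1 hash, uses constructed cookies, and models the NAT in front of the 5505 (the logic is symmetric for Maxim's placement in front of the 5510).

```python
import hashlib
import socket
import struct


def nat_d(cky_i, cky_r, ip, port, hash_name="sha1"):
    """RFC 3947 section 3.2: NAT-D payload = HASH(CKY-I | CKY-R | IP | Port).
    HASH is the hash negotiated in phase 1; SHA-1 is assumed for this example."""
    h = hashlib.new(hash_name)
    h.update(cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port))
    return h.digest()


def nat_between(cky_i, cky_r, peer_claimed_ip, peer_claimed_port, seen_ip, seen_port):
    """A peer sends the NAT-D hash of the address/port it believes it is using. The
    receiver hashes the source address/port the ISAKMP packet really arrived from; if
    the two digests differ, something rewrote the packet on the way."""
    claimed = nat_d(cky_i, cky_r, peer_claimed_ip, peer_claimed_port)
    observed = nat_d(cky_i, cky_r, seen_ip, seen_port)
    return claimed != observed


def esp_encapsulation(nat_in_path):
    """Outcome of detection: raw ESP (IP protocol 50) when no NAT was seen,
    ESP wrapped in UDP/4500 when it was."""
    return "udp/4500" if nat_in_path else "ip-proto-50"


CKY_I = bytes.fromhex("0123456789abcdef")  # constructed initiator cookie
CKY_R = bytes.fromhex("fedcba9876543210")  # constructed responder cookie
ASA5505 = "212.178.155.73"                  # peer address from the thread
NAT_BOX = "203.0.113.5"                      # hypothetical NAT device placed in front of the 5505


def scenario(seen_ip, seen_port=500):
    """What the 5510 concludes when the 5505's ISAKMP packets arrive from seen_ip:seen_port,
    and how the 5505's ESP will consequently be sent."""
    nat = nat_between(CKY_I, CKY_R, ASA5505, 500, seen_ip, seen_port)
    return nat, esp_encapsulation(nat)


if __name__ == "__main__":
    # ISAKMP source untouched by the ISP (Jesper's case): no NAT detected, ESP goes out raw.
    print(scenario(ASA5505))        # (False, 'ip-proto-50')
    # NAT device in front of the 5505 (Maxim's first suggestion): NAT-T is negotiated.
    print(scenario(NAT_BOX, 1027))  # (True, 'udp/4500')
```

The caveat is the one Jesper already noted: there is no knob on the ASA that forces NAT-T for a LAN-to-LAN peer when detection finds no NAT, so the only ways to get UDP/4500 encapsulation are to make detection see a NAT, as above, or to have the ISP stop rewriting ESP.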
05-06-2011 05:42 AM
Hello Maxim
Thank you for your reply. I was all set to try out your suggestion until I stumbled upon this in the documentation:
"It is a client to security appliance feature only. It does not work for LAN-to-LAN connections."
So unfortunately your suggestion is a no-go. :/
Best regards
Jesper Ross.
P.S. The ISP finally got their act together and fixed their routing, so that ISAKMP and ESP were sent using the same IP address.