Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3293
Views
0
Helpful
3
Replies

Force the use of NAT-T on an IPSEC L2L tunnel

jesper_petersen
Level 1
Level 1

‎05-05-2011 06:02 AM - edited ‎02-21-2020 05:19 PM

Hello folks

This might be an odd question, but can I force an IPSEC L2L tunnel to use NAT-T encapsulation no matter what? Automatic detection says none of the endpoints are behind NAT.

I know I can disable it by the "crypto map XXX set nat-t-disable" command, but I want the exact opposite.

I have a very strange issue where asynchronos routing is making my life as a technician very hard.

A side question; Can I do something about an ISP that is policy-base-routing its ESP traffic (and/or translating it)?

ASA5505 ===>===>===> ISAKMP traffic ===>===>===> ASA5510

212.178.155.73                                                                 80.62.yyy.xxx (traffic source IP: 212.178.155.73)

ASA5505 ===>===>===> ESP traffic ===>===>===> ASA5510

212.178.155.73                                                           80.62.yyy.xxx (Traffic source IP: 212.178.152.36  - when it should see 212.178.155.73)

The above is meant to show that I have an ASA5510 that is configured with an L2L tunnel with peer 212.178.155.73.

The ISP of 212.178.155.73 is somehow not doing its routing/translating correctly as the source IP of traffic originating from my ASA5505 is another than the one configured on the ASA5505. This is only the case when talking about ESP traffic. UDP (ISAKMP) traffic is correct.

The VPN tunnel is successfully established (both phase 1 and 2), but no traffic can traverse the tunnel. It has been working fine untill this morning.

Not long ago ISAKMP traffic was translated the same way as ESP traffic - it was working then, as long as the non-NAT'ed device initiated the tunnel.

I hope I have explained myself, so that you can understand it

Best regards

-- Jesper

Labels:
0 Helpful
3 Replies 3

Maxim Zimovets
Level 1
Level 1

‎05-05-2011 09:14 AM

Hello, Jesper!

Well, I can suggest you couple of solutions.

First You can install some other device in front of  ASA5510 and set up NAT on it. In such a case you will forse both your ASA to use NAT-T.

I think it's not practical.

Second solution is as follows. In the old time of Altiga VPN-concentrator it was possible to use IPSec over TCP. Now ASA supports this mode as well. Please, look through following URL - http://www.cisco.com/en/US/partner/docs/security/asa/asa80/configuration/guide/ike.html#wp1059912 and http://www.cisco.com/en/US/partner/docs/security/asa/asa80/configuration/guide/ezvpn505.html#wp1017851

I hope this will help you.

With best regards

Maxim

0 Helpful

jesper_petersen
Level 1
Level 1
In response to Maxim Zimovets

‎05-06-2011 05:42 AM

Hello Maxim

Thank you for your reply. I've all set to try out your suggestion until I stumbled upon this in the documentation:

"It is a client to security appliance feature only. It does not work for LAN-to-LAN connections."

So unfortunately your suggestion is a no-go. :/

Best regards

Jesper Ross.

P.S. The ISP finally got their act together and fixed their routing, so that ISAKMP and ESP was sent using the same IP address.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents