3368 Views | 0 Helpful | 10 Replies

Issue on ASA5510 v8.0(4) with NAT-T

dnivelle
Level 1

Hi,

I have an ASA5510 version 8.0.4.

I have configured 4 tunnels with 4 different customers with the same IPsec configuration. I have activated NAT-T because I have a Cisco 1801 (between the ASA and the Internet) which is doing NAT.

I translate the outside IP address of the ASA to the public IP address of the Cisco 1801 on ports UDP 500 and UDP 4500.

For 2 customers, the tunnels are working and I have traffic inside the tunnel, and when I check the tunnel I see this:

show vpn-session l2l :

Connection   : xxxx

Index        : 90                     IP Addr      : xxxxxxxx

Protocol     : IKE IPsecOverNatT

Encryption   : AES256                 Hashing      : SHA1

Bytes Tx     : 1136                   Bytes Rx     : 1136

Login Time   : 09:25:08 CEDT Fri May 6 2011

Duration     : 0h:04m:17s

But for the 2 others, phase 1 and phase 2 seem established but there is no traffic in the tunnel, and when I do the show vpn-session l2l, I don't have IKE IPsecOverNatT in the protocol field but just IKE IPsec.

With Fininfo:

Connection   : xxxxxxxxx

Index        : 91                     IP Addr      : xxxxxxx

Protocol     : IKE IPsec

Encryption   : AES256                 Hashing      : SHA1

Bytes Tx     : 120                    Bytes Rx     : 0

Login Time   : 09:29:08 CEDT Fri May 6 2011

Duration     : 0h:00m:17s

Do you have any idea what can be the problem?

Thanks

Dave

10 Replies

Jennifer Halim
Cisco Employee

Do you know what device your customers use to terminate the VPN tunnel?

The first 2 seem to support NAT-T, hence you are seeing IKE IPsecOverNatT.

The other 2, which are not working, may not support NAT-T, hence it's negotiating to the default IKE IPsec.

If you can check what device they are terminating on, that would help. Also run the debugs "debug cry isa" and "debug cry ipsec" to further troubleshoot the issue.

Hi,

Thanks for your response, Jennifer.

I asked the first customer what kind of IPsec concentrator he has:

Cisco VPN 3060 version 4.7.2.B

He told me that NAT-T is activated and supported on his side, but that he didn't see any packets arriving on port UDP 4500.

So I checked the configuration of the NAT router (with overload), which is:

ip nat inside source list 105 interface dialer0 overload

ip nat inside source static udp <@IP_Outside_ASA> 500 interface Dialer0 500

ip nat inside source static udp <@IP_Outside_ASA> 4500 interface Dialer0 4500

access-list 105 permit tcp host host eq 3101

access-list 105 deny tcp any any

Access-list 105 is used only by one inside host, for BlackBerry synchronisation.

Is the configuration correct on the NAT router?

The following 2 lines are the ones used for NAT-T:

ip nat inside source static udp <@IP_Outside_ASA> 500 interface Dialer0 500

ip nat inside source static udp <@IP_Outside_ASA> 4500 interface Dialer0 4500

For the VPN Concentrator, if he sends you a screenshot of the IPsec SA, that will tell you whether it is using NAT-T or not.

Is the VPN Concentrator the one working or not working?

Hi,

The VPN concentrator is the one which is not working. It will be difficult to get the configuration as it's not mine.

Summary:

2 which work:

ASA 5520 with 8.0.5

Netasq firewall/gateway

2 which don't work:

ASA 55xx with 8.3

VPN 3060 4.7.2.B

The first 2 (which work) also have a router which is doing NAT on their side, which means that we pass through 2 NAT devices.

For the others which don't work, there is only my NAT device between the 2 VPN gateways. Do you know how the ASA detects that there is a NAT device and that it should use port 4500? Do we need a specific configuration on the NAT device to help the 2 VPN gateways detect NAT and use NAT-T (UDP 4500)?

Because I did a NAT debug detail on the NAT router, and I saw that my ASA doesn't send any packets with port 4500 .... and the customer said "we don't receive any packet on port 4500 (which is true), so the problem is on your side" .... Can't we force the ASA to use port 4500?

Thanks for your help.

IPsec VPN consists of 2 phases:

IKE - phase 1 - UDP/500

IPSec - phase 2 - UDP/4500

There is nothing you would need to configure on the NAT router at all.

The VPN end points should be able to detect that they are passing through a NAT router, and should negotiate to use UDP/4500 for Phase 2 (normally, by default, phase 2 uses the ESP protocol).

On the ASA with version 8.3, please enable NAT-T:

crypto isakmp nat-traversal 30

On the VPN Concentrator there is an option to enable NAT-T as well.

If both the ASA and the VPN Concentrator have NAT-T enabled, then you might need to arrange time with each customer and troubleshoot the issue with a Cisco TAC engineer. It could possibly be a bug; however, further troubleshooting is required.
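The question of how the two gateways notice the NAT device comes up just above. The following is an added example, not code from this thread and not ASA or IOS code: it models the standard NAT-D check from RFC 3947 in plain Python. Each IKE peer sends hashes of the addresses and ports it believes it is using; the receiving peer recomputes them over what it actually sees in the packet header, and any mismatch means a NAT rewrote the packet, so both sides move to UDP/4500. The hash is the phase 1 hash (SHA-1 here, matching the "Hashing: SHA1" in the session output). The cookies and IP addresses are constructed placeholders, and the assumption that the ASA follows RFC 3947 is mine, not stated on the page.

```python
"""
Added example: the NAT detection check that IKE peers perform with NAT-D
payloads (RFC 3947). Not ASA or IOS code; a model of the standard
mechanism in plain Python with constructed values.
"""
import hashlib
import ipaddress
import struct

# Constructed ISAKMP cookies (CKY-I / CKY-R); real ones are random 8-byte values.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "sha1") -> bytes:
    """NAT-D payload value: HASH(CKY-I | CKY-R | IP | Port).

    HASH is the phase 1 hash algorithm negotiated in the SA. IP is the raw
    4- or 16-byte address; Port is a 2-byte big-endian value.
    """
    h = hashlib.new(hash_name)
    h.update(cky_i)
    h.update(cky_r)
    h.update(ipaddress.ip_address(ip).packed)
    h.update(struct.pack("!H", port))
    return h.digest()


def build_nat_d_payloads(cky_i, cky_r, local_ip, local_port, remote_ip, remote_port):
    """What a peer sends: first the hash of the remote (destination) address,
    then one hash per local (source) address it knows about."""
    return [
        nat_d_hash(cky_i, cky_r, remote_ip, remote_port),
        nat_d_hash(cky_i, cky_r, local_ip, local_port),
    ]


def detect_nat(cky_i, cky_r, payloads, observed_src_ip, observed_src_port, own_ip, own_port):
    """What the receiving peer does with the payloads it got.

    It recomputes the hashes over the source address it actually sees in the
    IP/UDP header and over its own address. A mismatch means a NAT rewrote
    the packet on the path, and the peers switch IKE and ESP to UDP/4500.
    """
    remote_hash, local_hashes = payloads[0], payloads[1:]
    receiver_behind_nat = remote_hash != nat_d_hash(cky_i, cky_r, own_ip, own_port)
    sender_behind_nat = nat_d_hash(cky_i, cky_r, observed_src_ip, observed_src_port) not in local_hashes
    return {
        "sender_behind_nat": sender_behind_nat,
        "receiver_behind_nat": receiver_behind_nat,
        "use_udp_4500": sender_behind_nat or receiver_behind_nat,
    }


def asa_behind_1801():
    """Thread scenario with constructed addresses: the ASA outside interface
    has a private address, the 1801 statically translates UDP/500 to its
    Dialer0 address on the same port, and the customer gateway sits directly
    on the Internet."""
    asa_outside = "10.0.0.2"      # constructed: ASA outside interface behind the 1801
    dialer0 = "198.51.100.5"      # constructed: public address the 1801 translates to
    customer = "203.0.113.10"     # constructed: customer's VPN gateway
    payloads = build_nat_d_payloads(CKY_I, CKY_R, asa_outside, 500, customer, 500)
    # The 1801 rewrites only the source address; the port stays 500 because
    # of the static translation. The address change alone is enough to detect.
    return detect_nat(CKY_I, CKY_R, payloads, dialer0, 500, customer, 500)


def no_nat_on_path():
    """Both gateways directly on the Internet: all hashes match, plain ESP is kept."""
    a, b = "198.51.100.5", "203.0.113.10"   # constructed public addresses
    payloads = build_nat_d_payloads(CKY_I, CKY_R, a, 500, b, 500)
    return detect_nat(CKY_I, CKY_R, payloads, a, 500, b, 500)


if __name__ == "__main__":
    print("ASA behind 1801:", asa_behind_1801())
    print("no NAT on path:", no_nat_on_path())
```

Two points this model makes concrete. First, the exchange only happens if both peers advertise NAT-T support in phase 1; a peer that does not support it never sends NAT-D payloads, the session stays "IKE IPsec", and phase 2 uses plain ESP, which a PAT device cannot translate, so phase 1 and 2 come up but no traffic flows, exactly the symptom in the first post. Second, the detection is per IKE session and says nothing about how many sessions a gateway can run behind one PAT address; the single-LAN-to-LAN limit discussed later in the thread is an ASA implementation limit, not part of this mechanism.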

Hi Jennifer,

I saw this also on the Cisco site (http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/user/guide/vpn_ike.html):

The security appliance implementation of NAT-T supports IPsec peers behind a single NAT/PAT device as follows:

One LAN-to-LAN connection.

Either a LAN-to-LAN connection or multiple remote access clients, but not a mixture of both.

I don't understand what it means. That we can initiate only one IPsec tunnel with the NAT-T feature?

Rgds

David.

Yes, you are right.

The document confirms that you can only have 1 LAN-to-LAN tunnel behind a NAT device, or multiple remote access VPNs behind a NAT device.

You might want to terminate the VPN tunnels on the router instead of the ASA in this case, so you don't have to pass the VPN tunnels through any NAT device.

Hi,

Could you please confirm that it is still the case with the new version?

Because our customer has a Cisco ASA with version 8.3 and he has no problem with the limitation of the NAT-T feature.

He has about 100 VPN connections.

So I did the configuration on the Cisco router (Cisco 1801); packets are encrypted but I receive no packets:

interface: Dialer0
    Crypto map tag: L2L, local addr x.X.x.x

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (x.X.x.x/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (z.z.z.z/255.255.255.255/0/0)
   current_peer y.y.y.y port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: x.X.x.x, remote crypto endpt.: y.y.y.y

     path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

costmr73#show ver
Cisco IOS Software, C180X Software (C180X-ADVIPSERVICESK9-M), Version 12.4(15)T10, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Mon 14-Sep-09 12:24 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YH13, RELEASE SOFTWARE (fc1)

costmr73 uptime is 37 weeks, 2 days, 1 hour, 36 minutes
System returned to ROM by power-on
System restarted at 09:18:52 CEST Sun Sep 12 2010
System image file is "flash:c180x-advipservicesk9-mz.124-15.T10.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 1801 (MPC8500) processor (revision 0x400) with 236544K/25600K bytes of memory.
Processor board ID FHK1351782V, with hardware revision 0000

9 FastEthernet interfaces
1 ISDN Basic Rate interface
1 ATM interface
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

Thanks for your help

David

It is still the same with ASA version 8.3.x.

Your customer running ASA 8.3.x probably does not pass through a NAT device, that's why they can run multiple LAN-to-LAN VPN tunnels.

When you terminate the VPN on the router, please make sure that you have a route on the router for the subnets behind the ASA pointing towards the ASA outside interface. Please also ensure that you configure NAT exemption on the router for traffic between the local crypto subnet and the remote crypto subnet.

Hi Jennifer,

Yes, there were no packets from outside because of a filter on ESP! So after correction it's working fine now, and I find the solution easier to implement on Cisco IOS than on the ASA ...

Thanks for your help. Rgds.

David
