05-23-2011 08:01 AM
Hi,
I have an ASA5510 version 8.0.4.
I have configured 4 tunnels with 4 different customers with the same IPsec configuration. I have activated NAT-T because I have a Cisco 1801 (between the ASA and the Internet) which is doing NAT.
I translate the outside IP address of the ASA to the public IP address of the Cisco 1801 on ports UDP 500 and UDP 4500.
For 2 customers, the tunnels are working and I have traffic inside the tunnel, and when I check the tunnel I have this:
show vpn-session l2l :
Connection : xxxx
Index : 90 IP Addr : xxxxxxxx
Protocol : IKE IPsecOverNatT
Encryption : AES256 Hashing : SHA1
Bytes Tx : 1136 Bytes Rx : 1136
Login Time : 09:25:08 CEDT Fri May 6 2011
Duration : 0h:04m:17s
But for the 2 others, phase 1 and phase 2 seem established but there is no traffic in the tunnel, and when I do the show vpn-session l2l, I don't have IKE IPsecOverNatT in Protocol but just IKE IPsec.
With Fininfo:
Connection : xxxxxxxxx
Index : 91 IP Addr : xxxxxxx
Protocol : IKE IPsec
Encryption : AES256 Hashing : SHA1
Bytes Tx : 120 Bytes Rx : 0
Login Time : 09:29:08 CEDT Fri May 6 2011
Duration : 0h:00m:17s
Do you have any idea what the problem can be?
Thanks
Dave
05-23-2011 07:10 PM
Do you know what device your customer uses to terminate the VPN tunnel?
The first 2 seem to support NAT-T, hence you are seeing IKE IPsecOverNatT.
The other 2 which are not working may not support NAT-T, hence it's negotiating to the default IKE IPsec.
If you can check what device they are terminating on, that would help. Also run the debugs "debug cry isa" and "debug cry ipsec" to further troubleshoot the issue.
05-23-2011 11:51 PM
Hi,
Thanks for your response, Jennifer.
I asked the first customer what kind of IPsec concentrator he has:
Cisco VPN 3060 version 4.7.2.B
He told me that NAT-T is activated and supported on his side, but that he didn't see any packets arriving on port UDP 4500.
So I checked the configuration of the NAT router (with overload), which is:
ip nat inside source list 105 interface dialer0 overload
ip nat inside source static udp <@IP_Outside_ASA> 500 interface Dialer0 500
ip nat inside source static udp <@IP_Outside_ASA> 4500 interface Dialer0 4500
access-list 105 permit tcp host
access-list 105 deny tcp any any
Access-list 105 is used only for one inside host and for BlackBerry synchronisation.
Is the configuration correct on the NAT router?
05-24-2011 06:41 PM
The following 2 lines are the ones used for NAT-T:
ip nat inside source static udp <@IP_Outside_ASA> 500 interface Dialer0 500
ip nat inside source static udp <@IP_Outside_ASA> 4500 interface Dialer0 4500
For the VPN Concentrator, if he sends you a screenshot of the IPsec SA, that will tell you whether it is using NAT-T or not.
Is the VPN Concentrator the one working or not working?
05-25-2011 01:34 AM
Hi,
The VPN concentrator is the one which is not working. It will be difficult to get the configuration as it's not mine.
Summary:
2 which work:
ASA 5520 with 8.0.5
Netasq firewall/gateway
2 which don't work:
ASA 55xx with 8.3
VPN 3060 4.7.2.B
The first 2 (which work) also have a router doing NAT on their side, which means that we pass through 2 NAT devices.
For the others which don't work, there is only my NAT device between the 2 VPN gateways. Do you know how the ASA detects that there is a NAT device and that it should use port 4500? Do we need a specific configuration on the NAT device to help the 2 VPN gateways detect NAT and use NAT-T (UDP 4500)?
Because I did a NAT debug detail on the NAT router, and I saw that my ASA doesn't send any packets with port 4500... and the customer said "we don't receive any packet on port 4500 (which is true), so the problem is on your side"... Can't we force the ASA to use port 4500?
Thanks for your help.
05-25-2011 01:51 AM
IPsec VPN consists of 2 phases:
IKE - phase 1 - UDP/500
IPSec - phase 2 - UDP/4500
There is nothing you would need to configure on the NAT router at all.
The VPN end points should be able to detect that it is passing through a NAT router, and should negotiate to use UDP/4500 for Phase 2 (normally by default phase 2 uses ESP protocol).
On the ASA with version 8.3, please enable NAT-T:
crypto isakmp nat-traversal 30
On the VPN Concentrator there is an option to enable NAT-T as well.
If both the ASA and the VPN Concentrator have NAT-T enabled, then you might need to arrange time with each customer and troubleshoot the issue with a Cisco TAC engineer. It could possibly be a bug; however, further troubleshooting is required.
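David asks above how the ASA knows that a NAT device sits in the path. With NAT-T (RFC 3947) each IKE peer sends NAT-D payloads during Phase 1: hashes of the address and port it believes it is talking to and of its own address. The receiver hashes the addresses it actually sees on the wire; a mismatch means a NAT rewrote the packet, and if both peers support NAT-T they float to UDP/4500 and carry ESP inside UDP, which is the "IKE IPsecOverNatT" line in the session output. Without that mismatch (or without NAT-T support on one side) they stay on plain ESP, the "IKE IPsec" line. The script below is an added illustration of that exchange, not code from this thread or from Cisco; the addresses, ports and ISAKMP cookies are constructed, and the NAT router is modelled only by the address rewrite it performs.

```python
import hashlib
import socket
import struct
from typing import List, NamedTuple, Tuple


class Endpoint(NamedTuple):
    ip: str
    port: int


def nat_d_hash(cky_i: bytes, cky_r: bytes, ep: Endpoint) -> bytes:
    """RFC 3947 NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port).

    SHA-1 is used here because that is the Phase 1 hash negotiated in the thread
    ("Hashing : SHA1"); the real payload uses whatever hash Phase 1 agreed on.
    """
    data = cky_i + cky_r + socket.inet_aton(ep.ip) + struct.pack("!H", ep.port)
    return hashlib.sha1(data).digest()


def build_nat_d(cky_i: bytes, cky_r: bytes, local: Endpoint, remote: Endpoint) -> List[bytes]:
    """A sender emits the hash of the peer's address first, then hash(es) of its own."""
    return [nat_d_hash(cky_i, cky_r, remote), nat_d_hash(cky_i, cky_r, local)]


def inspect_nat_d(cky_i: bytes, cky_r: bytes, payloads: List[bytes],
                  my_addr: Endpoint, observed_src: Endpoint) -> Tuple[bool, bool]:
    """Receiver side: returns (sender_behind_nat, receiver_behind_nat).

    The first payload must match my own address as I know it; one of the remaining
    payloads must match the source address the packet actually arrived from.
    """
    receiver_behind_nat = payloads[0] != nat_d_hash(cky_i, cky_r, my_addr)
    sender_behind_nat = nat_d_hash(cky_i, cky_r, observed_src) not in payloads[1:]
    return sender_behind_nat, receiver_behind_nat


class Outcome(NamedTuple):
    asa_behind_nat: bool
    peer_behind_nat: bool
    protocol: str


def negotiate(asa: Endpoint, asa_public: Endpoint, peer: Endpoint, both_support_natt: bool) -> Outcome:
    """Simulate the NAT-D exchange between an ASA whose private address `asa` is
    translated to `asa_public`, and a peer with a public address and no NAT."""
    cky_i = bytes.fromhex("0011223344556677")  # constructed initiator cookie
    cky_r = bytes.fromhex("8899aabbccddeeff")  # constructed responder cookie

    # ASA -> peer: the ASA hashes its private address, but the NAT rewrites the
    # source to asa_public before the peer sees the packet.
    asa_payloads = build_nat_d(cky_i, cky_r, local=asa, remote=peer)
    asa_nat_seen_by_peer, peer_nat_seen_by_peer = inspect_nat_d(
        cky_i, cky_r, asa_payloads, my_addr=peer, observed_src=asa_public)

    # peer -> ASA: the peer hashes the public address it replies to; the NAT maps
    # the destination back to the private address, so the ASA sees a mismatch.
    peer_payloads = build_nat_d(cky_i, cky_r, local=peer, remote=asa_public)
    peer_nat_seen_by_asa, asa_nat_seen_by_asa = inspect_nat_d(
        cky_i, cky_r, peer_payloads, my_addr=asa, observed_src=peer)

    asa_behind = asa_nat_seen_by_peer or asa_nat_seen_by_asa
    peer_behind = peer_nat_seen_by_peer or peer_nat_seen_by_asa
    if (asa_behind or peer_behind) and both_support_natt:
        protocol = "IKE IPsecOverNatT"  # float to UDP/4500, ESP encapsulated in UDP
    else:
        protocol = "IKE IPsec"          # plain ESP (IP protocol 50)
    return Outcome(asa_behind, peer_behind, protocol)


if __name__ == "__main__":
    asa = Endpoint("10.0.0.2", 500)             # constructed private ASA outside address
    asa_public = Endpoint("203.0.113.10", 500)  # constructed public address of the NAT router
    peer = Endpoint("198.51.100.5", 500)        # constructed customer gateway
    print(negotiate(asa, asa_public, peer, both_support_natt=True))
    print(negotiate(asa, asa_public, peer, both_support_natt=False))
    print(negotiate(asa_public, asa_public, peer, both_support_natt=True))  # no NAT at all
```

The third call shows the case with no translation in the path: every hash matches, so NAT-T is never used even though both sides support it. That is the behaviour Jennifer describes, and it means a peer that does not implement NAT-T simply falls back to plain ESP, which a port-overloading NAT router cannot forward inbound.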
05-30-2011 08:03 AM
Hi Jennifer,
I also saw this on the Cisco site (http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/user/guide/vpn_ike.html):
The security appliance implementation of NAT-T supports IPsec peers behind a single NAT/PAT device as follows:
•One LAN-to-LAN connection.
•Either a LAN-to-LAN connection or multiple remote access clients, but not a mixture of both.
I don't understand what it means. That we can initiate only one IPsec tunnel with the NAT-T feature?
Rgds
David.
05-30-2011 05:33 PM
Yes, you are right.
The document confirms that you can only have 1 LAN-to-LAN tunnel behind a NAT device, or multiple remote access VPNs behind a NAT device.
You might want to terminate the VPN tunnels on the router instead of the ASA in this case, so you don't have to pass the VPN tunnels through any NAT device.
05-31-2011 02:01 AM
Hi,
Could you please confirm that it is still the case with the new version?
Because our customer has a Cisco ASA with version 8.3 and he has no limitation problem with the NAT-T feature.
He has about 100 VPN connections.
So I did the configuration on the Cisco router (Cisco 1801); packets are encrypted but I receive no packets:
interface: Dialer0
Crypto map tag: L2L, local addr x.X.x.x
protected vrf: (none)
local ident (addr/mask/prot/port): (x.X.x.x/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (z.z.z.z/255.255.255.255/0/0)
current_peer y.y.y.y port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: x.X.x.x, remote crypto endpt.: y.y.y.y
path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
costmr73#show ver
Cisco IOS Software, C180X Software (C180X-ADVIPSERVICESK9-M), Version 12.4(15)T10, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Mon 14-Sep-09 12:24 by prod_rel_team
ROM: System Bootstrap, Version 12.3(8r)YH13, RELEASE SOFTWARE (fc1)
costmr73 uptime is 37 weeks, 2 days, 1 hour, 36 minutes
System returned to ROM by power-on
System restarted at 09:18:52 CEST Sun Sep 12 2010
System image file is "flash:c180x-advipservicesk9-mz.124-15.T10.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco 1801 (MPC8500) processor (revision 0x400) with 236544K/25600K bytes of memory.
Processor board ID FHK1351782V, with hardware revision 0000
9 FastEthernet interfaces
1 ISDN Basic Rate interface
1 ATM interface
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
Thanks for your help
David
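The two pasted outputs in this thread, show vpn-session l2l on the ASA (first post) and show crypto ipsec sa on the 1801 (this post), carry the same diagnostic signal: bytes or packets leave encrypted and nothing comes back, plus whether NAT-T was negotiated at all. The script below is an added example, not from the thread or from Cisco, that parses constructed samples laid out like both outputs and reports the checks an engineer would make before blaming the far end: one-way traffic, plain ESP behind a PAT device, no outbound SA installed, and send errors. The field names follow the pasted output; the connection names and addresses are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in the layout of the thread's `show vpn-session l2l` output.
ASA_SESSIONS = """\
Connection : cust-a
Index : 90 IP Addr : 198.51.100.5
Protocol : IKE IPsecOverNatT
Encryption : AES256 Hashing : SHA1
Bytes Tx : 1136 Bytes Rx : 1136
Login Time : 09:25:08 CEDT Fri May 6 2011
Duration : 0h:04m:17s
Connection : cust-b
Index : 91 IP Addr : 198.51.100.6
Protocol : IKE IPsec
Encryption : AES256 Hashing : SHA1
Bytes Tx : 120 Bytes Rx : 0
Login Time : 09:29:08 CEDT Fri May 6 2011
Duration : 0h:00m:17s
"""

# Constructed sample in the layout of the thread's IOS `show crypto ipsec sa` output.
IOS_IPSEC_SA = """\
interface: Dialer0
Crypto map tag: L2L, local addr 203.0.113.10
current_peer 198.51.100.7 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 1, #recv errors 0
current outbound spi: 0x0(0)
"""


@dataclass
class Verdict:
    name: str       # connection name (ASA) or peer address (IOS)
    nat_t: bool     # True when NAT-T (UDP/4500) was negotiated
    tx: int         # bytes (ASA) or packets (IOS) sent encrypted
    rx: int         # bytes (ASA) or packets (IOS) received and decrypted
    findings: List[str] = field(default_factory=list)


def assess(name: str, nat_t: bool, tx: int, rx: int, behind_nat: bool) -> Verdict:
    """Turn raw counters into the checks worth raising with the peer."""
    v = Verdict(name, nat_t, tx, rx)
    if tx > 0 and rx == 0:
        v.findings.append("one-way: local side encrypts but nothing is received back; "
                          "check that ESP (or UDP/4500 with NAT-T) is permitted inbound on the path")
    if behind_nat and not nat_t:
        v.findings.append("plain ESP negotiated although a NAT/PAT device is in the path; "
                          "a PAT mapping only UDP/500 and UDP/4500 will not forward inbound ESP")
    return v


def parse_asa_sessions(text: str, behind_nat: bool) -> List[Verdict]:
    """One Verdict per `Connection :` block of show vpn-session l2l output."""
    verdicts = []
    for chunk in re.split(r"(?m)^(?=Connection\s*:)", text):
        if not chunk.strip():
            continue
        name = re.search(r"Connection\s*:\s*(\S+)", chunk).group(1)
        proto = re.search(r"(?m)^Protocol\s*:\s*(.*?)\s*$", chunk).group(1)
        tx = int(re.search(r"Bytes Tx\s*:\s*(\d+)", chunk).group(1))
        rx = int(re.search(r"Bytes Rx\s*:\s*(\d+)", chunk).group(1))
        verdicts.append(assess(name, "OverNatT" in proto, tx, rx, behind_nat))
    return verdicts


def parse_ios_ipsec_sa(text: str, behind_nat: bool) -> Verdict:
    """Verdict for one crypto map entry of show crypto ipsec sa output."""
    peer, port = re.search(r"current_peer\s+(\S+)\s+port\s+(\d+)", text).groups()
    encaps = int(re.search(r"#pkts encaps:\s*(\d+)", text).group(1))
    decaps = int(re.search(r"#pkts decaps:\s*(\d+)", text).group(1))
    send_err = int(re.search(r"#send errors\s+(\d+)", text).group(1))
    spi = re.search(r"current outbound spi:\s*(0x[0-9A-Fa-f]+)", text).group(1)
    v = assess(peer, int(port) == 4500, encaps, decaps, behind_nat)
    if int(spi, 16) == 0:
        v.findings.append("no outbound SA installed (current outbound spi 0x0)")
    if send_err:
        v.findings.append(f"{send_err} send error(s) on the crypto map")
    return v


if __name__ == "__main__":
    # The ASA in the thread sits behind the 1801's PAT, so behind_nat=True there;
    # once the tunnel terminates on the 1801 itself there is no NAT in the path.
    for v in parse_asa_sessions(ASA_SESSIONS, behind_nat=True) + [parse_ios_ipsec_sa(IOS_IPSEC_SA, behind_nat=False)]:
        print(v.name, "NAT-T" if v.nat_t else "plain ESP", f"tx={v.tx} rx={v.rx}")
        for f in v.findings:
            print("  -", f)
```

On the IOS sample the parser reports one-way traffic, no outbound SA and a send error, which matches the thread's eventual root cause: inbound ESP was being filtered, so the router encrypted and sent but never received anything to decrypt.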
05-31-2011 02:45 AM
It is still the same with ASA version 8.3.x.
Your customer running ASA 8.3.x probably does not pass through a NAT device; that's why they can run multiple LAN-to-LAN VPN tunnels.
When you terminate the VPN on the router, please make sure that you have a route on the router for those subnets behind the ASA pointing towards the ASA outside interface. Please also ensure that you configure NAT exemption on the router for traffic between the local crypto subnet and the remote crypto subnet.
06-02-2011 02:16 AM
Hi Jennifer,
Yes, there were no packets from outside because of a filter on ESP! So after correction it's working fine now, and I find the solution easier to implement on Cisco IOS than on ASA...
Thanks for your help. Rgds.
David