Remote access VPN with ASA not working when ASA is behind a NAT router

nedian123
Level 1

Hi,

I can make a remote access VPN with the ASA using its outside IP; everything goes well. As soon as I add static NAT on the router for the ASA's outside IP and try the VPN with the global IP, the following error comes on the ASA, whereas I can see the translation on the router (UDP 500 inside global is translated to the UDP 500 inside local IP):

PC------Router--------ASA

NAT-T is enabled on the ASA.

Can anyone share their experiences when the ASA is behind a NAT box, and how the ASA can recognize its identity inside IPsec packets sent by the client...

Regards,

Ak


andrew.prince
Level 10

Is the router configured for firewalling?

Hi Andrew,

On behalf of my colleague I would like to inform you that the router is not configured for firewalling. IPsec traffic is coming directly to the internet router and being forwarded to the ASA.

Regards,

OK - for NAT-T to work effectively, both ends need to negotiate it and support it. Does the remote end of the VPN have NAT-T settings?

On the other end, we are using the Cisco VPN client, and NAT-T is also configured there, i.e. the IPsec over UDP (NAT/PAT) option.

Thanks

Ahh yes - sorry I missed that in the original post. Can I ask you to post the output from the VPN client log? Also the router debug output - removing any sensitive information, of course.

According to the picture you have several retransmissions. When you use NAT-T the ASA will switch from using UDP 500 to UDP 4500 for the negotiation and to pass traffic. Make sure that UDP 4500 is not getting blocked.

Cheers!

- Yamil
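A quick way to verify Yamil's point on the NAT router is to check that both NAT-T ports are actually translated toward the ASA, not just UDP 500. The script below is an added example, not code from the thread; it assumes the router's translation table is in the IOS `show ip nat translations` column format, and the sample table it parses is constructed with documentation address ranges.

```python
import re
from typing import Dict, Optional, Set, Tuple

# NAT-T needs both ports forwarded to the ASA: IKE starts on UDP 500 and moves
# to UDP 4500 (UDP-encapsulated ESP) once NAT is detected between the peers.
NAT_T_PORTS = {500, 4500}

# Constructed sample of IOS 'show ip nat translations' output (documentation
# address ranges, not taken from the thread). Only UDP 500 is forwarded to the
# ASA at 192.168.1.2, so the UDP 4500 phase would be dropped at the router.
SAMPLE_TRANSLATIONS = """\
Pro Inside global      Inside local       Outside local      Outside global
udp 203.0.113.10:500   192.168.1.2:500    198.51.100.7:500   198.51.100.7:500
udp 203.0.113.11:4500  192.168.1.9:4500   ---                ---
--- 203.0.113.12       192.168.1.20       ---                ---
"""

_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def _split_host_port(field: str) -> Tuple[str, Optional[int]]:
    """'192.168.1.2:500' -> ('192.168.1.2', 500); a bare address has no port."""
    host, sep, port = field.rpartition(":")
    return (host, int(port)) if sep else (field, None)

def parse_translations(text: str) -> Tuple[Dict[Tuple[str, str], Set[int]], Set[str]]:
    """Return ({(proto, inside_local_ip): ports}, {ips with one-to-one static NAT})."""
    per_port: Dict[Tuple[str, str], Set[int]] = {}
    one_to_one: Set[str] = set()
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:                          # header line and blanks do not match
            continue
        proto, _ig, inside_local, _ol, _og = m.groups()
        host, port = _split_host_port(inside_local)
        if proto == "---" and port is None:
            one_to_one.add(host)           # whole-address static NAT covers every port
        elif port is not None:
            per_port.setdefault((proto.lower(), host), set()).add(port)
    return per_port, one_to_one

def missing_nat_t_ports(text: str, asa_inside_local: str) -> list:
    """UDP ports NAT-T needs that the router is not translating for the ASA's outside IP."""
    per_port, one_to_one = parse_translations(text)
    if asa_inside_local in one_to_one:
        return []
    present = per_port.get(("udp", asa_inside_local), set())
    return sorted(NAT_T_PORTS - present)
```

For the ASA at 192.168.1.2 in the sample, `missing_nat_t_ports` reports `[4500]`, which is exactly the gap that would show up as retransmissions after the client and ASA detect NAT and move off UDP 500.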

Everything is allowed both on the firewall and the router. I think there is some identity issue because the router is changing the dst IP in the IP header and the IPsec header is carrying a public IP not belonging to the ASA... let's see if someone faces similar issues. I am planning to assign public IPs directly on the firewall to avoid the problem caused by NAT...