
site to site VPN with one site behind a NAT device

tachyon05
Level 1

I have about 25+ site-to-site VPNs where the network looks like this:

branch office LAN 192.168.x.0/24
          |
branch office router inside interface/addr 192.168.x.1
branch office router outside interface/addr 4.x.x.x (NAT with split tunnel VPN)
          |
       INTERNET
          |
Main Office ASA outside interface/addr 8.7.6.5

These VPNs work fine. However, I am having issues getting the following setup to work.

branch office LAN 192.168.x.0/24
          |
branch office router inside interface/addr 192.168.x.1
branch office router outside interface/addr 192.168.100.49 (NAT with split tunnel VPN)
          |
ISP router inside interface/addr 192.168.100.1
ISP router outside interface/addr 4.x.x.x
          |
       INTERNET
          |
Main Office ASA outside interface/addr 8.7.6.5

Branch office router is configured to do NAT and split tunnel.

The ISP router cannot be accessed. The ISP told us that they forward all traffic to the branch office router 192.168.100.49. I assume the ISP router also does NAT.

I can access the branch router from the internet by doing SSH to 4.x.x.x.

How should I configure this differently?

5 Replies

raga.fusionet
Level 4

Hi There,

Basically your ISP would need to forward traffic for UDP 500 and ESP. With that you should be able to create the tunnel.

Now what issues are you facing? Also, what is the result of "show cry isa sa" and "show cry ipsec sa"?

Thanks,

Raga

tachyon05
Level 1

If I configure it the same way as the other 25+ sites, key applications don't work across the VPN, for example Exchange/Outlook and file server access. Exchange and the file servers are at the main office and remote branch office clients access them through the VPN, but clients at this office cannot. Outlook, for example, cannot connect to the server. Outlook Web Access (OWA) cannot be accessed either; the browser returns "page not found" or similar errors.

What is interesting is that both the ASA and the branch router show the tunnel is up. Both show the Rx/Tx count increasing across the tunnel. I can also ping devices (including the servers) across the VPN. Trace routes do complete and show that traffic does go through the tunnel, bypassing the NAT on the branch router. If the computers are taken to a different office, there is no issue (meaning the computers are all set up correctly).

show cry isa sa displays the following:

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
8.7.6.5         192.168.100.49  QM_IDLE        1242    ACTIVE

This is different compared to the other offices in two ways. First, where it says 192.168.100.49, it normally displays the public WAN IP address of the branch router. Second, normally the ASA address is shown under src and the branch router address is shown under dst.

ISP said that they forward everything to the gateway on the way out, and forward everything to the branch router on the way in.

I suspect I need to do something different on the branch router, but I am not sure what.

The fact that the tunnel is up and you can pass some traffic (ping, traceroute) means that, as far as the VPN config goes, you are good. Perhaps you are having fragmentation issues, and therefore TCP apps are failing.

Try reducing the TCP MSS and see if that helps:

sysopt connection tcpmss 1100

If that doesn't help, try using a "light" application through the tunnel (such as telnet to something through the tunnel) and see if that works. If that works, then you might want to set up a capture and see if you get any retransmissions, packets out of order, etc.

The difference between src/dst on the show crypto isa sa depends on which side initiated the tunnel.

I hope this helps.

Raga
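As an added illustration of the fragmentation point above (this is not code from the thread or from Cisco): the calculation below shows how much TCP payload a tunnel-mode ESP packet can carry on a 1500-byte path, with and without the NAT-T UDP encapsulation that a NATed peer triggers, and why the default MSS of 1460 overflows the path while a clamped value such as the 1100 used here does not. The transform set (AES-CBC with HMAC-SHA1-96) and the 1500-byte path MTU are assumptions.

```python
"""Tunnel-mode ESP overhead vs. TCP MSS. Cipher parameters are assumptions:
AES-CBC (16-byte block and IV) with HMAC-SHA1-96 (12-byte ICV)."""

IP_HDR = 20        # IPv4 header without options (outer and inner)
TCP_HDR = 20       # TCP header without options
UDP_HDR = 8        # NAT-T encapsulation (UDP/4500) adds this
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header
BLOCK = 16         # AES-CBC block size
IV_LEN = 16        # AES-CBC IV
ICV_LEN = 12       # HMAC-SHA1-96 truncated MAC


def esp_padding(inner_len: int) -> int:
    """Padding bytes so payload + trailer fills whole cipher blocks."""
    return (-(inner_len + ESP_TRAILER)) % BLOCK


def esp_packet_size(inner_len: int, nat_t: bool) -> int:
    """On-the-wire size of one ESP packet carrying an inner_len-byte IP packet."""
    return (IP_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + IV_LEN
            + inner_len + esp_padding(inner_len) + ESP_TRAILER + ICV_LEN)


def max_tcp_mss(path_mtu: int, nat_t: bool) -> int:
    """Largest MSS whose full-size segment still fits path_mtu once encrypted."""
    mss = path_mtu - IP_HDR - TCP_HDR
    while esp_packet_size(mss + IP_HDR + TCP_HDR, nat_t) > path_mtu:
        mss -= 1
    return mss


def fragments(mss: int, path_mtu: int, nat_t: bool) -> bool:
    """True if a full segment at this MSS is fragmented after encryption."""
    return esp_packet_size(mss + IP_HDR + TCP_HDR, nat_t) > path_mtu


if __name__ == "__main__":
    for nat_t in (False, True):
        label = "NAT-T (UDP 4500)" if nat_t else "plain ESP"
        print(f"{label}: max MSS on a 1500-byte path = {max_tcp_mss(1500, nat_t)}")
    # The default MSS of 1460 overflows the path; the 1100 from the thread fits.
    print("MSS 1460 fragments:", fragments(1460, 1500, True))
    print("MSS 1100 fragments:", fragments(1100, 1500, True))
```

The numbers explain the symptom in the thread: ping and small telnet sessions fit comfortably, while full-size Outlook and file-transfer segments are the ones that get fragmented and dropped somewhere on the path.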

Thanks - that worked.

Another issue I discovered is that remote access VPN using the Cisco VPN Client doesn't work anymore. Is there anything special I need to do (either on the router or the VPN client) now that the router is using a private address?

The output of the show cry isa sa command says the state of the VPN is MM_NO_STATE when the VPN client connects; on the VPN client, it asks for the user ID and password and then tries to connect, but cannot.

Without looking at the config it's kind of hard to tell, but given that your ASA is behind a NAT device I would advise you to check that you have NAT-T enabled:

crypto isakmp nat-traversal