VPN AnyConnect and DMVPN NAT (with IPsec)

p0wershell
Level 1

Hello all!

I have a router behind a Cisco ASA:

router (local IP) -> Cisco ASA -> (external IP) router

I need to create a DMVPN with IPsec (router --IPsec-- router).

1. On the Cisco ASA, Cisco AnyConnect is configured (IPsec disabled, only SSL and DTLS).

First try:

When I create an object network NAT for ports 500/4500 I get this error:

ERROR: NAT unable to reserve ports.

Second try:

Create a NAT rule mapping all services from the source router (external IP) to the router (local interface) behind the ASA.

DMVPN is up and works correctly, but when I touch the IPsec profile on this tunnel, it does not work at all....

If I remove AnyConnect from the Cisco ASA and create, for example, an object network NAT for ports 500/4500, everything works correctly.

Can anyone help with that?

P.S.

I have a single IP for the Cisco ASA, I cannot bind to another.

I can't remove AnyConnect from the Cisco ASA.

3 Replies

Cristian Matei
VIP Alumni

Hi,

I'm not sure what your problem is, when you say: "DMVPN up and work correctly, but when i touch ipsec profile to this tunnel, not work at all....". Could you clarify?

Regards,

Cristian Matei.

Remove the AnyConnect configuration.

Reconfigure the settings for AnyConnect but disable IPsec (IKEv2).

After this I can apply the object network NAT for ports 500 and 4500, NAT-T works correctly and IPsec works normally behind the Cisco ASA.

I don't know why disabled IPsec for AnyConnect did not work in the first try...

Hi,

If you translate UDP 500 and UDP 4500 for an inside host into the ASA's outside interface IP, it means that all UDP 500/4500 traffic coming from the Internet and destined to the ASA IP address will be un-NATed and sent further towards your inside host per your NAT translation. This means that the ASA can no longer use those ports for self-provided services on the outside interface, services like IPsec tunnels (for example via AnyConnect), which require UDP 500 and optionally UDP 4500.

A socket (IP-port mapping) can only belong to the ASA or to the inside host, not to both at the same time, as both are visible on the outside with the same IP address of the ASA.

Regards,

Cristian Matei.
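As an added illustration that is not part of this thread, here is the ASA configuration shape the replies above describe: the AnyConnect IKEv2 setting that makes the ASA bind UDP 500/4500 on the outside interface, the SSL/DTLS-only setting that frees them, and the two static PATs for the inside DMVPN router. Interface names, the object names and the inside address 10.10.10.2 are constructed placeholders, and it assumes the ASA terminates no site-to-site IKE tunnels of its own on the outside interface, since those would bind the same ports.

```text
! Constructed example (not from this thread). Inside DMVPN router: 10.10.10.2,
! ASA interfaces named "inside" and "outside". Adjust to your own naming.

! --- Conflicting state: ASA itself owns UDP 500/4500 on "outside" ---
! With IPsec/IKEv2 enabled for AnyConnect the ASA listens on UDP 500/4500,
! so a static PAT of the same ports to an inside host is rejected with
! "ERROR: NAT unable to reserve ports".
crypto ikev2 enable outside client-services port 443
webvpn
 enable outside
 anyconnect enable

! --- Corrected state: AnyConnect over SSL/DTLS only, ports 500/4500 free ---
no crypto ikev2 enable outside
webvpn
 enable outside
 anyconnect enable

! Static PAT of IKE (UDP 500) and NAT-T (UDP 4500) to the DMVPN router.
! ASA object NAT allows one service mapping per object, hence two objects.
object network DMVPN-RTR-IKE
 host 10.10.10.2
 nat (inside,outside) static interface service udp 500 500
object network DMVPN-RTR-NATT
 host 10.10.10.2
 nat (inside,outside) static interface service udp 4500 4500

! Verification: no ASA-owned socket on UDP 500/4500 for the outside address,
! and both translations present.
show asp table socket
show nat detail
```

Once the translations are in place, every IKE and NAT-T packet sent to the ASA's public address is handed to 10.10.10.2, so the DMVPN router, not the ASA, is what answers IKE from the Internet.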