03-10-2020 10:50 PM
Hello all!
I have a router behind a Cisco ASA:
router (local IP) -> Cisco ASA -> (external IP) router
I need to create a DMVPN with IPsec (router --IPsec-- router).
1. On the Cisco ASA, Cisco AnyConnect is configured (IPsec disabled, only SSL and DTLS).
First try:
When I create an object network NAT for ports 500/4500 I get this error:
ERROR: NAT unable to reserve ports.
Second try:
Create a NAT rule mapping all services from the source router (external IP) to the router's local interface behind the ASA.
DMVPN comes up and works correctly, but when I attach the IPsec profile to this tunnel, it does not work at all...
If I remove AnyConnect from the Cisco ASA and create, for example, an object network NAT for ports 500/4500, everything works correctly.
Can anyone help with that?
P.S.
I have a single IP for the Cisco ASA; I cannot bind to another.
I can't remove AnyConnect from the Cisco ASA.
03-11-2020 03:48 PM
Hi,
I'm not sure what your problem is, when you say: "DMVPN up and work correctly, but when i touch ipsec profile to this tunnel, not work at all....". Could you clarify?
Regards,
Cristian Matei.
03-12-2020 04:36 AM
Removed the AnyConnect configuration,
reconfigured the settings for AnyConnect but with IPsec (IKEv2) disabled.
After this I can apply the object network NAT for ports 500 and 4500, NAT-T works correctly and IPsec works normally behind the Cisco ASA.
I don't know why disabling IPsec for AnyConnect did not work in the first try...
03-12-2020 07:50 AM
Hi,
If you translate UDP 500 and UDP 4500 for an inside host into the ASA's outside interface IP, it means that all UDP 500/4500 traffic coming from the Internet and destined to the ASA IP address will be un-NATed and sent further towards your inside host per your NAT translation. This means that the ASA can no longer use those ports for self-provided services on the outside interface, services like IPsec tunnels (such as via AnyConnect), which require UDP 500 and optionally UDP 4500.
A socket (IP-port mapping) can only belong to the ASA or to the inside host, not to both at the same time, as both are visible on the outside with the same IP address of the ASA.
Regards,
Cristian Matei.
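The configuration below is an added illustration of the two states discussed in this thread (the failing first try and the working fix from the 03-12-2020 post); it is not configuration posted by either participant. The inside router address 10.0.0.2, the object names DMVPN_SPOKE_IKE/DMVPN_SPOKE_NATT, the group-policy name ANYCONNECT_GP and the ACL name OUTSIDE_IN are assumed for the example. Lines starting with `!` are explanatory comments, not commands.

```text
! --- Conflicting state (constructed example, not from the thread) ---
! AnyConnect with IKEv2 enabled makes the ASA itself listen on UDP 500/4500
! on the outside interface:
crypto ikev2 enable outside client-services port 443
group-policy ANYCONNECT_GP attributes
 vpn-tunnel-protocol ikev2 ssl-client
!
! A static port-forward of the same ports to the DMVPN spoke then fails with
! "ERROR: NAT unable to reserve ports", because the outside-IP:500 and
! outside-IP:4500 sockets are already owned by the ASA.
!
! --- Corrected state ---
! Keep AnyConnect, but SSL/DTLS only, and stop the ASA listening for IKEv2:
no crypto ikev2 enable outside
group-policy ANYCONNECT_GP attributes
 vpn-tunnel-protocol ssl-client
!
! Now forward IKE (UDP 500) and NAT-T (UDP 4500) to the inside router
! (10.0.0.2 is an assumed address):
object network DMVPN_SPOKE_IKE
 host 10.0.0.2
 nat (inside,outside) static interface service udp 500 500
object network DMVPN_SPOKE_NATT
 host 10.0.0.2
 nat (inside,outside) static interface service udp 4500 4500
!
! Permit the forwarded traffic inbound on the outside interface
! (on ASA 8.3+ the ACL references the real, untranslated address):
access-list OUTSIDE_IN extended permit udp any host 10.0.0.2 eq 500
access-list OUTSIDE_IN extended permit udp any host 10.0.0.2 eq 4500
access-group OUTSIDE_IN in interface outside
!
! Checks: the ASA should no longer show its own listener on those ports,
! and the static port translations should be present:
show asp table socket | include 500
show run nat
```

The same reservation failure occurs with any other ASA-terminated IPsec service that binds UDP 500/4500 on the same outside interface, for example `crypto ikev1 enable outside` for a site-to-site tunnel, so with a single public IP the choice is: either the ASA terminates IKE on that address, or the inside router does, never both.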