cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2735
Views
0
Helpful
9
Replies

VPN behind NAT - How to?

Hi Experts,

I have to allow an user from the internal network behind an ASA 5520 to access an external VPN server.

I've tried to connect the external VPN server from an external IP of our network and the user can connect correct correctly.

When I try to connect trom the INSIDE network of my ASA 5520 to the external VPN server, I cannot connect at all. Note that the inside network works correctly for any other service, like surfing the internet and accessing external servers.

The settings are as follows:

interface GigabitEthernet0/0

nameif OUTSIDE

security-level 0

ip address ************ ************

!

interface GigabitEthernet0/1

shutdown

nameif INTERNAL

security-level 100

ip address ************ ************

Can the problem be caused by the NAT? Do you know how I could solve this issue?

Thanks,

Dario

9 Replies 9

Punit Jethva
Level 1
Level 1

Hi,

try adding ipsec-pass-thru inspection under the global policy map

policy-map global_policy

class inspection_default

inspect ipsec-pass-thru

If this doesn't work make sure that NAT-T is enable on the VPN server


Hi Punit,

I've followed your suggestion but I have the following error:

Regular translation creation failed for protocol 47 src INTERNAL:192.168.100.1 dst OUTSIDE:***********

What can it be caused from?

Thanks,

Dario

What type of VPN are you using?

The error above shows that you are using GRE from the internal network, if so ensure that IP address is Statically NATed to the OUTSIDE interface IP. You should also permit GRE traffic from the VPN server

I've run the following commands without success:

access-list OUTSIDE_access_in extended permit gre any any

  static (INTERNAL,OUTSIDE) ***.***.***.*** ***.***.***.*** netmask 255.255.255.255

Can you please help me correct them?

thanks,

the OUTSIDE in the Static Nat ip should be the External IP (OUTSIDE) of your network. (My mistake it should not be the interface IP) e.g.

static (INTERNAL,OUTSIDE)

the Access-list is fine.

HI Punit,

Can we?

Thanks,

Dario

Hi,

From my understanding you need to have the static nat, as it's not possilbe to use the external IP address for a static NAT, because you might be using it for PATing your internal network.

jni
Level 1
Level 1

The problem isn't IPsec inspection or your NAT. The problem is the way PPTP communicates. Hence enable PPTP inspection. Don't enable GRE in your NAT ACL's.

Enter the following instead:

policy-map global_policy

class inspection_default

  inspect pptp

This super.

policy-map global_policy

class inspection_default

inspect pptp

This solve my problem OK. Thanks.