05-15-2012 08:13 PM
Hi Experts,
I have to allow a user from the internal network behind an ASA 5520 to access an external VPN server.
I've tried to connect to the external VPN server from an external IP of our network and the user can connect correctly.
When I try to connect from the INSIDE network of my ASA 5520 to the external VPN server, I cannot connect at all. Note that the inside network works correctly for any other service, like surfing the internet and accessing external servers.
The settings are as follows:
interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address ************ ************
!
interface GigabitEthernet0/1
shutdown
nameif INTERNAL
security-level 100
ip address ************ ************
Can the problem be caused by the NAT? Do you know how I could solve this issue?
Thanks,
Dario
05-15-2012 09:48 PM
Hi,
Try adding ipsec-pass-thru inspection under the global policy map:
policy-map global_policy
class inspection_default
inspect ipsec-pass-thru
If this doesn't work, make sure that NAT-T is enabled on the VPN server.
05-15-2012 11:01 PM
Hi Punit,
I've followed your suggestion but I have the following error:
Regular translation creation failed for protocol 47 src INTERNAL:192.168.100.1 dst OUTSIDE:***********
What can it be caused by?
Thanks,
Dario
05-15-2012 11:46 PM
What type of VPN are you using?
The error above shows that you are using GRE from the internal network. If so, ensure that the IP address is statically NATed to the OUTSIDE interface IP. You should also permit GRE traffic from the VPN server.
05-16-2012 12:38 AM
I've run the following commands without success:
access-list OUTSIDE_access_in extended permit gre any any
static (INTERNAL,OUTSIDE) ***.***.***.*** ***.***.***.*** netmask 255.255.255.255
Can you please help me correct them?
Thanks,
05-16-2012 01:11 AM
The OUTSIDE IP in the static NAT should be the external IP (OUTSIDE) of your network. (My mistake, it should not be the interface IP.) e.g.
static (INTERNAL,OUTSIDE)
The access-list is fine.
05-22-2012 06:44 PM
Hi Punit,
Can we?
Thanks,
Dario
05-22-2012 09:46 PM
Hi,
From my understanding you need to have the static NAT, as it's not possible to use the external IP address for a static NAT, because you might be using it for PATing your internal network.
07-05-2012 03:01 AM
The problem isn't IPsec inspection or your NAT. The problem is the way PPTP communicates. Hence enable PPTP inspection. Don't enable GRE in your NAT ACLs.
Enter the following instead:
policy-map global_policy
class inspection_default
inspect pptp
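As an added example, not part of the thread, here is a small Python scanner that picks the "translation creation failed for protocol N" messages out of ASA syslog and maps the port-less protocol number to the inspection discussed above (GRE/PPTP to inspect pptp, ESP to inspect ipsec-pass-thru). The sample log lines, the 203.0.113.x addresses and the helper names are constructed.

```python
import re
from typing import Optional

# Pattern for the ASA "translation creation failed" syslog text quoted in the thread.
# The message-id prefix (e.g. "%ASA-3-305006:") is not required, so both raw console
# output and syslog-forwarded lines match.
_NAT_FAIL = re.compile(
    r"translation creation failed for protocol (?P<proto>\d+) "
    r"src (?P<src_if>[^:\s]+):(?P<src>\S+) dst (?P<dst_if>[^:\s]+):(?P<dst>\S+)",
    re.IGNORECASE,
)

# IP protocols with no transport port field: PAT cannot build a translation for
# them, which is exactly the failure Dario saw. The suggested fix is the ASA
# inspection engine that follows the control channel and opens the data channel.
_PORTLESS = {
    47: ("GRE", "inspect pptp"),             # PPTP data channel
    50: ("ESP", "inspect ipsec-pass-thru"),  # IPsec data channel
}

def classify(line: str) -> Optional[dict]:
    """Return details of a NAT failure for a port-less protocol, else None."""
    m = _NAT_FAIL.search(line)
    if not m:
        return None
    proto = int(m.group("proto"))
    name, fix = _PORTLESS.get(proto, ("unknown", "no inspection engine known"))
    return {
        "protocol": proto, "name": name,
        "src": f"{m.group('src_if')}:{m.group('src')}",
        "dst": f"{m.group('dst_if')}:{m.group('dst')}",
        "suggested_fix": fix,
    }

def scan(lines):
    """Classify every line; keep only the NAT failures the pattern recognises."""
    return [r for r in map(classify, lines) if r is not None]

# Constructed sample lines: the first mirrors the message posted in the thread,
# with the masked destination replaced by a documentation address.
SAMPLE_LOGS = [
    "%ASA-3-305006: regular translation creation failed for protocol 47 "
    "src INTERNAL:192.168.100.1 dst OUTSIDE:203.0.113.10",
    "%ASA-6-302013: Built outbound TCP connection 4711 for OUTSIDE:203.0.113.10/443 "
    "(203.0.113.10/443) to INTERNAL:192.168.100.1/51234 (198.51.100.1/51234)",
    "%ASA-3-305006: regular translation creation failed for protocol 50 "
    "src INTERNAL:192.168.100.7 dst OUTSIDE:203.0.113.20",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"{hit['name']} (proto {hit['protocol']}) {hit['src']} -> {hit['dst']}: {hit['suggested_fix']}")
```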
08-02-2013 06:34 AM
This is super.
policy-map global_policy
class inspection_default
inspect pptp
This solved my problem. Thanks.