vpn client with no nat

deeburp987
Level 1

I have a 5510 with a working VPN but discovered that anyone connecting from a public IP can connect to the VPN but can't go anywhere.

So if I have, say, a Linksys wifi on my cable modem and a private IP, I can connect no problem. But if I'm on, say, a Verizon data card, which gives me a public IP, I can connect to the VPN but receive the below errors in my ASA logs and cannot reach anything on the network.

6 22:44:44 166.*.*.35 500 68.*.*.41 500 Built inbound UDP connection 390865 for Outside:166.*.*.35/500 (166.*.*.35/500) to identity:68.*.*.41/500 (68.*.*.41/500)

6 Group = RA-yo, IP = 166.*.*.35, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device

I've attached my current ASA config for reference. What do I need added to allow remote ends without a NAT device to also work?

4 Replies

Jennifer Halim
Cisco Employee

You might want to enable IPSEC over TCP and see if they are able to connect with TCP as the transport instead.

On the ASA: crypto isakmp ipsec-over-tcp port 10000

On the VPN Client: go to the Transport tab, and choose: IPSec over TCP, and TCP Port: 10000

Hope that helps.

I completed the steps as you described, which got me closer. I can now ping devices on the network and resolve DNS. However, RDP connections, for example, do not go through fully.

I also can't access email over 443; note the below errors.

Do I need to make any firewall changes or such?

6 Jan 30 2011 18:28:54 192.168.25.45 443 192.168.43.103 57604 Deny TCP (no connection) from 192.168.25.45/443 to 192.168.43.103/57604 flags ACK on interface Outside

6 Jan 30 2011 18:28:58 192.168.25.45 443 192.168.43.103 57604 Deny TCP (no connection) from 192.168.25.45/443 to 192.168.43.103/57604 flags RST ACK on interface Outside

Thanks for the help.

From the " Deny TCP (no connection)" message it looks like the initial three way handshake did not occur on this interface. Is there another route for your RDP server or email server that the client might be taking for the connection to get established? (take a look at your network connections for additional network interfaces and also take a look at the 'route PRINT' output of the connected client)

-heather

When I do this connection I have my Ethernet unplugged and wifi disabled.

All I have is an AT&T wireless connection, which gives me an external non-NAT IP.

As I mentioned, I can ping and resolve DNS while on the VPN.

If I try to connect to, say, webmail, which properly resolves to the internal IP, these happen in the logs within a second of each other:

19:06:47
Built inbound TCP connection 873391 for Outside:192.168.43.103/49209 (192.168.43.103/49209) to Outside:192.168.25.45/443 (192.168.25.4/443) (vpnuser)

19:06:48
Teardown TCP connection 873344 for Outside:192.168.43.103/49202 to Outside:192.168.25.45/443 duration 0:00:38 bytes 6946 TCP Reset-O (vpnuser)
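The log messages quoted in this thread lend themselves to a small correlation check. The Python script below is an added example, not code from the original posts or from Cisco: it parses the Built, Teardown, "Deny TCP (no connection)" and "Automatic NAT Detection Status" message formats shown above and reports TCP flows the ASA denied without ever having built a connection for them in either direction (the "handshake never seen on this interface" condition Heather describes), teardowns caused by a reset from the outside host (the "TCP Reset-O" reason), and the per-peer NAT detection result. The sample log is constructed from the thread's lines with the masked public addresses replaced by documentation-range addresses; the Event/Report names and the regexes are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)

# Constructed sample, modelled on the lines quoted in the thread. The masked
# public addresses (166.*.*.35, 68.*.*.41) are replaced with documentation-range ones.
SAMPLE_LOG = """\
Jan 30 2011 19:06:47 Built inbound TCP connection 873391 for Outside:192.168.43.103/49209 (192.168.43.103/49209) to Outside:192.168.25.45/443 (192.168.25.45/443) (vpnuser)
Jan 30 2011 19:06:48 Teardown TCP connection 873344 for Outside:192.168.43.103/49202 to Outside:192.168.25.45/443 duration 0:00:38 bytes 6946 TCP Reset-O (vpnuser)
Jan 30 2011 18:28:54 Deny TCP (no connection) from 192.168.25.45/443 to 192.168.43.103/57604 flags ACK on interface Outside
Jan 30 2011 18:28:58 Deny TCP (no connection) from 192.168.25.45/443 to 192.168.43.103/57604 flags RST ACK on interface Outside
Jan 30 2011 22:44:44 Built inbound UDP connection 390865 for Outside:203.0.113.35/500 (203.0.113.35/500) to identity:198.51.100.41/500 (198.51.100.41/500)
Jan 30 2011 22:44:44 Group = RA-yo, IP = 203.0.113.35, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
"""

# Message shapes as quoted in the thread; these regexes are this example's own.
_BUILT = re.compile(
    r"Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) connection (?P<conn_id>\d+) "
    r"for (?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) "
    r"to (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\)"
)
_TEARDOWN = re.compile(
    r"Teardown (?P<proto>TCP|UDP) connection (?P<conn_id>\d+) "
    r"for (?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<duration>\S+) bytes (?P<bytes>\d+)\s*(?P<reason>.*?)\s*(?:\((?P<user>[^)]+)\))?$"
)
_DENY = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\S+)"
)
_NAT_DETECT = re.compile(
    r"Group = (?P<group>[^,]+), IP = (?P<peer>[\d.]+), "
    r"Automatic NAT Detection Status:\s*(?P<status>.*)$"
)


@dataclass
class Event:
    kind: str                       # "built", "teardown", "deny" or "nat_detect"
    fields: Dict[str, Optional[str]]


def parse_line(line: str) -> Optional[Event]:
    """Classify one ASA log line; returns None for message types this check ignores."""
    for kind, pattern in (("built", _BUILT), ("teardown", _TEARDOWN),
                          ("deny", _DENY), ("nat_detect", _NAT_DETECT)):
        m = pattern.search(line)
        if m:
            return Event(kind, m.groupdict())
    return None


def _flow(f: Dict[str, Optional[str]]) -> Flow:
    return (f["src"], int(f["sport"]), f["dst"], int(f["dport"]))


def _reverse(flow: Flow) -> Flow:
    src, sport, dst, dport = flow
    return (dst, dport, src, sport)


@dataclass
class Report:
    # TCP flows denied for lack of state that the ASA never built in either direction:
    # the firewall did not see the three-way handshake on this interface.
    stateless_denies: List[Flow] = field(default_factory=list)
    # Connection ids torn down because the Outside-interface host sent a TCP reset.
    outside_resets: List[str] = field(default_factory=list)
    # Peer IP -> (remote end behind NAT, this end behind NAT)
    nat_status: Dict[str, Tuple[bool, bool]] = field(default_factory=dict)


def analyze(log_text: str) -> Report:
    """Correlate Deny/Teardown/NAT-detection messages against the Built connections."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    built = {_flow(e.fields) for e in events if e.kind == "built"}
    report = Report()
    for e in events:
        if e.kind == "deny":
            flow = _flow(e.fields)
            if flow not in built and _reverse(flow) not in built \
                    and flow not in report.stateless_denies:
                report.stateless_denies.append(flow)
        elif e.kind == "teardown":
            # "TCP Reset-O" is the ASA teardown reason for a reset received from the
            # outside-interface host ("Reset-I" is the inside counterpart).
            if e.fields["proto"] == "TCP" and "Reset-O" in (e.fields["reason"] or ""):
                report.outside_resets.append(e.fields["conn_id"])
        elif e.kind == "nat_detect":
            status = e.fields["status"] or ""
            # The thread only shows the "NOT behind" wording; any other wording is
            # treated here as "behind a NAT device" (assumption of this example).
            remote_nat = "Remote end is NOT behind" not in status
            local_nat = "This end is NOT behind" not in status
            report.nat_status[e.fields["peer"]] = (remote_nat, local_nat)
    return report


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    for src, sport, dst, dport in r.stateless_denies:
        print(f"no handshake seen for {src}:{sport} -> {dst}:{dport} (check routing/asymmetry)")
    for conn_id in r.outside_resets:
        print(f"connection {conn_id} reset by the Outside host")
    for peer, (remote_nat, local_nat) in r.nat_status.items():
        print(f"peer {peer}: remote behind NAT={remote_nat}, local behind NAT={local_nat}")
```

Run against a real ASA syslog export, the stateless-deny list is the set of flows to chase with the "route PRINT" check Heather suggests: a server-to-client ACK for which the ASA holds no state means the client's SYN reached the server by some path the firewall did not see.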
