A remote access VPN is configured in an ASA in one of my client's networks. The VPN establishes when I try to connect, but I cannot access the servers inside the network. The issue only shows when we try to connect from my office network. If I connect from my home, there are no issues. There is one Cisco ASA configured and placed in my office network. When I checked the log in the ASA I found the below log:
regular nat translation failed 50
Please advise me: should I configure something in my office firewall to pass the VPN traffic?
Thank you for the reply.
Where should I enable NAT-T: in the firewall that is configured with the remote access VPN, or in my office firewall?
You can enable that in your office firewall. Since your firewall is doing NAT/PAT for you, you should enable it there. Also try to enable inspect ipsec-pass-thru.
Have you allowed UDP ports 500, 4500 and the ESP protocol in your firewall? Probably in a bi-directional way.
What kind of NAT/PAT have you used for VPN traffic in your office firewall?
I have enabled inspect ipsec-pass-thru with the following commands:
hostname(config)# access-list test-udp-acl extended permit udp any any eq 500
hostname(config)# class-map test-udp-class
hostname(config-cmap)# match access-list test-udp-acl
hostname(config)# policy-map test-udp-policy
hostname(config-pmap)# class test-udp-class
hostname(config-pmap-c)# inspect ipsec-pass-thru
hostname(config)# service-policy test-udp-policy interface outside
I have not allowed UDP ports 500, 4500 and the ESP protocol in my office firewall.
Please note that the VPN is configured in my client's firewall, not in my office firewall. I am trying to access the VPN from my office to the client location. :)
You could have added the inspect in the global service policy itself. I knew that, Ejaz. What I was trying to say is: generally, if you have dynamic PAT at the pass-through firewall, it can take care of TCP/UDP traffic, but for ESP it will not do translation.
But you are saying you have not allowed the 500/4500 UDP ports & UDP at the office firewall. In general the VPN client will use these ports for establishing the communication. If you have used TCP-based IPsec, then you may need to allow TCP 10000 (if it is Cisco).
Can you allow those ports in the office firewall and check:
source -- office LAN & Source ports --- any
destination -- vpn server & destination ports --- udp 500/4500 & esp (50)
So you have inspect and NAT-T enabled at the office firewall, and you have enabled NAT-T at the VPN firewall, right?
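Putting the suggestions in this thread together, here is an added configuration example (not from any poster here) of what the office ASA and the client's VPN ASA would need. The interface name "inside", the office LAN 192.0.2.0/24 and the VPN server address 203.0.113.10 are assumed placeholders.

```cisco
! --- Office ASA (the pass-through firewall doing PAT) --- assumed placeholders:
! office LAN 192.0.2.0/24 on "inside", client's VPN server at 203.0.113.10.
! Permit the IPsec client traffic outbound: IKE (UDP 500), NAT-T (UDP 4500), ESP (IP protocol 50).
access-list INSIDE_OUT extended permit udp 192.0.2.0 255.255.255.0 host 203.0.113.10 eq 500
access-list INSIDE_OUT extended permit udp 192.0.2.0 255.255.255.0 host 203.0.113.10 eq 4500
access-list INSIDE_OUT extended permit esp 192.0.2.0 255.255.255.0 host 203.0.113.10
! If an ACL is already applied inbound on "inside", add the three entries above to that ACL
! instead of replacing it; otherwise apply this one.
access-group INSIDE_OUT in interface inside
!
! Add the inspection to the existing global policy rather than a separate policy on "outside".
! The default inspection class already matches UDP 500, which is what ipsec-pass-thru keys on.
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru
!
! --- Client's VPN ASA (the remote-access VPN headend) ---
! With NAT-T the client wraps ESP in UDP 4500 once it detects a NAT on the path, so the
! office PAT never has to translate bare ESP (the "translation failed ... 50" case in the log).
crypto isakmp nat-traversal 20
!
! Verification after a connection attempt from the office:
!   office ASA : show service-policy        (ipsec-pass-thru counters should increment)
!   VPN ASA    : show crypto isakmp sa / show crypto ipsec sa  (SAs should form for the client)
```

If the office ASA only does PAT and cannot be changed, the NAT-T setting on the VPN ASA is the part that actually removes the dependency on ESP translation.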
So you are using a client VPN, it connects fine (i.e. you can ping etc.) but you can't RDP? My bet would be MTU/packet fragmentation. I had a similar problem; this is how I fixed it:
OK, as Karthik has pointed out, the problem is 'probably' NAT related.
If that's not the case, then make sure the subnet that the remote VPN clients are using is not getting 'routed' somewhere other than back out of the firewall.