Hi,
A remote access VPN is configured on an ASA in one of my client networks. The VPN establishes when I try to connect, but I cannot access the servers inside the network. The issue only shows when we try to connect from my office network. If I connect from my home, there are no issues. There is one Cisco ASA configured and placed in my office network. When I checked the log in the ASA I found the below log:
regular nat translation failed 50
Please advise me whether I should configure something in my office firewall to pass the VPN traffic.
Regards,
Ejaz
Ejaz,
Can you try enabling NAT-T in your firewall?
Regards
Karthik
Hi Karthikeyan,
Thank you for the reply.
Where should I enable NAT-T: in the firewall that is configured with the remote access VPN, or in my office firewall?
Regards,
Ejaz
Hi Ejaz,
You can enable that in your office firewall. Since your firewall is doing NAT/PAT for you, you should enable it there. Also try to enable inspect ipsec-pass-thru.
Regards
Karthik
Hi Karthik,
I have tried both NAT-T and pass-thru, but the issue still persists.
Regards,
Ejaz
Hi,
Have you allowed UDP ports 500 and 4500 and the ESP protocol in your firewall? Probably in a bi-directional way.
What kind of NAT/PAT have you used for the VPN traffic in your office firewall?
Regards
Karthik
Hi Karthik,
I have enabled the inspect ipsec-pass-thru with the following commands:
hostname(config)#access-list test-udp-acl extended permit udp any any eq 500
hostname(config)#class-map test-udp-class
hostname(config-cmap)#match access-list test-udp-acl
hostname(config)#policy-map test-udp-policy
hostname(config-pmap)#class test-udp-class
hostname(config-pmap-c)#inspect ipsec-pass-thru
hostname(config)#service-policy test-udp-policy interface outside
I have not allowed UDP ports 500 and 4500 or the ESP protocol in my office firewall.
Please note that the VPN is configured on my client's firewall, not on my office firewall. I am trying to access the VPN from my office to the client location. :)
Regards,
Ejaz
Hi,
You could have added the inspect in the global service policy itself. I knew that, Ejaz. What I was trying to say is: generally, if you have dynamic PAT at the pass-through firewall, it can take care of TCP/UDP traffic, but for ESP it will not do translation.
But you are saying you have not allowed UDP ports 500/4500 and UDP at the office firewall. In general the VPN client will use these ports for establishing the communication. If you have used TCP-based IPsec, then you may need to allow TCP 10000 (if it is Cisco).
Can you allow those ports in the office firewall and check:
source -- office LAN & source ports -- any
destination -- VPN server & destination ports -- UDP 500/4500 & ESP (50)
So you have inspect and NAT-T enabled at the office firewall, and you have enabled NAT-T at the VPN firewall, right?
Regards
Karthik
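Karthik's rule list and the inspect configuration Ejaz posted earlier, combined on the office-side ASA as one example added to this thread (it is not either poster's configuration). The office LAN 192.0.2.0/24, the client VPN headend 203.0.113.10, the interface names and the ACL/policy names are placeholders, and the commands use the pre-8.3 ASA syntax the thread's own commands use.

```cisco
! Office ASA, pre-8.3 syntax. Example added to the thread, not a poster's config.
! Placeholders: office LAN 192.0.2.0/24 on "inside", client VPN headend 203.0.113.10 behind "outside".

! 1. Dynamic PAT for the office LAN behind the outside interface address.
!    PAT rewrites TCP/UDP ports, so IKE (UDP 500) and NAT-T (UDP 4500) translate normally.
!    ESP (IP protocol 50) carries no port, so PAT alone cannot translate it; that is the
!    case in which the ASA logs a failed translation for protocol 50.
nat (inside) 1 192.0.2.0 255.255.255.0
global (outside) 1 interface

! 2. Outbound rules from the office LAN to the VPN headend, as Karthik listed them.
!    Only needed if an ACL is already applied inbound on "inside"; with no ACL the ASA
!    permits inside-to-outside traffic by default (security level 100 to 0).
access-list INSIDE_IN extended permit udp 192.0.2.0 255.255.255.0 host 203.0.113.10 eq isakmp
access-list INSIDE_IN extended permit udp 192.0.2.0 255.255.255.0 host 203.0.113.10 eq 4500
access-list INSIDE_IN extended permit esp 192.0.2.0 255.255.255.0 host 203.0.113.10
access-list INSIDE_IN extended permit ip 192.0.2.0 255.255.255.0 any
access-group INSIDE_IN in interface inside

! 3. IPsec pass-through inspection in the default global policy instead of a separate
!    outside-only policy. The inspection tracks the UDP 500 IKE exchange and opens the
!    matching ESP path through the PAT, which plain PAT cannot do. When both the client
!    and the headend agree on NAT-T, ESP arrives inside UDP 4500 and PAT handles it as
!    ordinary UDP, so the inspection is only the fallback for the non-NAT-T case.
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru
service-policy global_policy global
```

After connecting the client from the office, `show xlate` and `show conn` on the office ASA should show the UDP 500 translation to the headend; a UDP 4500 entry alongside it confirms NAT-T was negotiated, while a UDP 500 entry with translation failures still logged for protocol 50 means NAT-T was not agreed and the pass-through inspection is the path the tunnel depends on.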
Hi Karthik,
I have allowed UDP ports 500 and 4500 and the ESP protocol in my office firewall, but it didn't work.
Regards,
Ejaz
So you are using a client VPN; it connects fine (i.e. you can ping etc.) but you can't RDP? My bet would be MTU/packet fragmentation. I had a similar problem; this is how I fixed it:
Cannot Remote Desktop over VPN connection
Pete
Hi Pete,
Yes, I am using a client VPN. Not only RDP; actually nothing passes through the VPN tunnel.
Regards,
Ejaz
OK, as Karthik has pointed out, the problem is 'probably' NAT related.
Cisco VPN Client Connects but no traffic will Pass
If that's not the case, then make sure the subnet that the remote VPN clients are using is not getting 'routed' somewhere other than back out of the firewall.
Pete