08-13-2014 01:15 AM
Hi,
A remote access VPN is configured in an ASA in one of my client networks. The VPN establishes when I try to connect, but I could not access the servers inside the network. The issue only shows when we try to connect from my office network. If I connect from my home, no issues. There is one Cisco ASA configured and placed in my office network. When I checked the log in the ASA I found the below log:
regular nat translation failed 50
Please advise me whether I should configure something in my office firewall to pass the VPN traffic.
Regards,
Ejaz
08-13-2014 03:17 AM
Ejaz,
Can you try enabling NAT-T in your firewall?
Regards
Karthik
08-13-2014 04:24 AM
Hi karthikeyan,
Thank you for the reply.
Where should I enable NAT-T: in the firewall that is configured with the remote access VPN, or in my office firewall?
Regards,
Ejaz
08-13-2014 04:31 AM
Hi Ejaz,
You can enable that in your office firewall.... since your firewall is doing NAT/PAT for you.... you should enable it there..... also try to enable inspect ipsec-pass-thru.
Regards
Karthik
08-13-2014 10:29 PM
Hi karthik,
I have tried both NAT-T and pass-thru, but still the issue persists.
Regards,
Ejaz
08-13-2014 10:43 PM
Hi,
Have you allowed UDP ports 500, 4500 & the ESP protocol in your firewall? Probably in a bi-directional way.....
What kind of NAT/PAT have you used for VPN traffic in your office firewall?
Regards
Karthik
08-14-2014 09:34 PM
Hi karthik,
I have enabled inspect ipsec-pass-thru with the following commands:
hostname(config)#access-list test-udp-acl extended permit udp any any eq 500
hostname(config)#class-map test-udp-class
hostname(config-cmap)#match access-list test-udp-acl
hostname(config)#policy-map test-udp-policy
hostname(config-pmap)#class test-udp-class
hostname(config-pmap-c)#inspect ipsec-pass-thru
hostname(config)#service-policy test-udp-policy interface outside
I have not allowed UDP ports 500, 4500 & the ESP protocol in my office firewall.
Please note that the VPN is configured in my client's firewall, not in my office firewall. I am trying to access the VPN from my office to the client location. :)
Regards,
Ejaz
08-15-2014 04:41 AM
Hi,
You could have added the inspect in the global service policy itself.... I knew that, Ejaz.... what I was trying to say is..... generally if you have dynamic PAT @ the pass-through firewall.... it can take care of TCP/UDP traffic, but for ESP it will not do translation....
but you are saying you have not allowed 500/4500 UDP ports & UDP @ the office firewall.... in general the VPN client will use these ports for establishing the communication.... if you have used TCP-based IPsec, then you may need to allow TCP 10000 (if it is Cisco)....
Can you allow those ports in the office firewall and check....
source -- office LAN & Source ports --- any
destination -- vpn server & destination ports --- udp 500/4500 & esp (50)
So you have inspect and NAT-T enabled @ the office firewall & you have enabled NAT-T @ the VPN firewall, right?
Regards
Karthik
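As an added example (not configuration from Ejaz's or Karthik's posts), this is how the rule set Karthik lists above could look on an office-edge ASA in 8.3+ syntax: the inside LAN 192.168.1.0/24, the head-end address 203.0.113.10 and the interface names "inside"/"outside" are assumed placeholders.

```text
! Added example, not from the thread. Office-edge ASA, 8.3+ object NAT syntax.
! Constructed values: office LAN 192.168.1.0/24, client's VPN head-end 203.0.113.10.
object network OFFICE_LAN
 subnet 192.168.1.0 255.255.255.0
 ! Dynamic PAT for the LAN: this is what forces the client onto NAT-T (udp/4500),
 ! since raw ESP has no ports for the PAT to rewrite.
 nat (inside,outside) dynamic interface
object network CLIENT_VPN_HEADEND
 host 203.0.113.10
!
! If an inbound ACL is applied on "inside", it must permit exactly what the VPN
! client needs toward the head-end: IKE (udp/500), NAT-T (udp/4500) and ESP (IP 50).
access-list INSIDE_IN extended permit udp object OFFICE_LAN object CLIENT_VPN_HEADEND eq isakmp
access-list INSIDE_IN extended permit udp object OFFICE_LAN object CLIENT_VPN_HEADEND eq 4500
access-list INSIDE_IN extended permit esp object OFFICE_LAN object CLIENT_VPN_HEADEND
access-list INSIDE_IN extended permit ip object OFFICE_LAN any
access-group INSIDE_IN in interface inside
!
! Put ipsec-pass-thru in the global policy (as Karthik notes) instead of a
! separate policy on "outside": once the ASA sees the IKE exchange it opens the
! matching ESP/AH return pinhole for the client.
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru
!
! NAT traversal only affects tunnels this ASA terminates itself; for a pass-through
! client the setting that matters is on the client's head-end ASA.
crypto isakmp nat-traversal 20
!
! Verification while a client is connecting:
!   show service-policy inspect ipsec-pass-thru   (inspect counters increment)
!   show conn port 4500                           (udp/4500 flow built by NAT-T)
!   show xlate                                    (PAT entry for the client host)
```

If the counters stay at zero and no udp/4500 connection appears, the client is still trying raw ESP, which points back at NAT-T not being negotiated on the head-end rather than at the office ACL.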
08-14-2014 10:17 PM
Hi Karthik,
I have allowed UDP ports 500, 4500 & the ESP protocol in my office firewall, but it didn't work..
Regards,
Ejaz
08-15-2014 12:03 AM
So you are using a client VPN; it connects fine (i.e. you can ping etc.) but you can't RDP? My bet would be MTU/packet fragmentation. I had a similar problem; this is how I fixed it:
Cannot Remote Desktop over VPN connection
Pete
08-15-2014 02:06 AM
Hi Pete,
Yes, I am using a client VPN. Not only RDP; actually nothing passes through the VPN tunnel.
Regards,
Ejaz
08-15-2014 03:50 AM
OK, as Karthik has pointed out the problem is 'probably' NAT related.
Cisco VPN Client Connects but no traffic will Pass
If that's not the case, then make sure the subnet that the remote VPN clients are using is not getting 'routed' somewhere other than back out of the firewall.
Pete