6879 Views | 0 Helpful | 11 Replies

VPN connected but not able take RDP through the tunnel

Ejaz Ahmed
Level 1

Hi,

A remote access VPN is configured on an ASA in one of my client's networks. The VPN establishes when I try to connect, but I cannot access the servers inside the network. The issue only shows when we try to connect from my office network. If I connect from my home, there are no issues. There is one Cisco ASA configured and placed in my office network. When I checked the log on that ASA, I found the log below:

regular nat translation failed 50

Please advise whether I should configure something in my office firewall to pass the VPN traffic.

Regards,

Ejaz

11 Replies

nkarthikeyan
Level 7

Ejaz,

Can you try enabling NAT-T in your firewall?

Regards

Karthik

Hi Karthikeyan,

Thank you for the reply.

Where should I enable NAT-T: in the firewall that is configured with the remote access VPN, or in my office firewall?

Regards,

Ejaz

Hi Ejaz,

You can enable that in your office firewall.... since your firewall is doing NAT/PAT for you.... you should enable it there..... also try to enable inspect ipsec-pass-thru.

Regards

Karthik

Hi Karthik,

I have tried both NAT-T and pass-thru, but the issue still persists.

Regards,

Ejaz

Hi,

Have you allowed UDP ports 500, 4500 & the ESP protocol in your firewall? Probably in a bi-directional way.....

What kind of NAT/PAT have you used for the VPN traffic in your office firewall?

Regards

Karthik

Hi Karthik,

I have enabled inspect ipsec-pass-thru with the following commands:

hostname(config)#access-list test-udp-acl extended permit udp any any eq 500
hostname(config)#class-map test-udp-class
hostname(config-cmap)#match access-list test-udp-acl
hostname(config)#policy-map test-udp-policy
hostname(config-pmap)#class test-udp-class
hostname(config-pmap-c)#inspect ipsec-pass-thru
hostname(config)#service-policy test-udp-policy interface outside

I have not allowed UDP ports 500, 4500 & the ESP protocol in my office firewall.

Please note that the VPN is configured on my client's firewall, not on my office firewall. I am trying to access the VPN from my office to the client location. :)

Regards,

Ejaz

Hi,

You could have added the inspect in the global service policy itself.... I knew that, Ejaz.... what I was trying to say is..... generally, if you have dynamic PAT @ the pass-through firewall.... it can take care of TCP/UDP traffic, but for ESP it will not do translation....

But you are saying you have not allowed the 500/4500 UDP ports & UDP @ the office firewall.... in general the VPN client will use these ports for establishing the communication.... if you have used TCP-based IPsec, then you may need to allow TCP 10000 (if it is Cisco)....

Can you allow those ports in the office firewall and check....

source -- office LAN & Source ports --- any

destination -- vpn server & destination ports --- udp 500/4500 & esp (50)

So you have inspect and NAT-T enabled @ the office firewall & you have enabled NAT-T @ the VPN firewall, right?

Regards

Karthik
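
The check Karthik asks for above (office LAN to VPN server, UDP 500, UDP 4500 and ESP permitted) can be verified against the office firewall's ACL before re-testing the tunnel. The following Python script is an added example and is not code from this thread or from Cisco: it parses ASA-style extended ACL lines (the `access-list NAME extended permit|deny PROTO SRC DST [eq PORT]` form, with `any`, `host X` and `network mask` address specs) and reports which of the three required flows is not permitted, applying first-match-wins and the implicit deny at the end of the list. The ACL text and the 192.168.10.0/24 and 203.0.113.5 addresses are constructed for the example, not taken from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example: an ASA-style extended ACL as it might appear in the
# office firewall's running-config. Addresses are documentation ranges, not
# the networks discussed in the thread. Note that ESP is never permitted here.
CONSTRUCTED_ACL = """
access-list outside_access_out extended permit udp 192.168.10.0 255.255.255.0 host 203.0.113.5 eq 500
access-list outside_access_out extended permit udp 192.168.10.0 255.255.255.0 host 203.0.113.5 eq 4500
access-list outside_access_out extended permit tcp 192.168.10.0 255.255.255.0 any eq 443
access-list outside_access_out extended deny ip any any
"""

# ASA accepts either the keyword or the protocol number for ESP.
PROTO_ALIASES = {"50": "esp"}

# The flows an IPsec remote-access client needs through a firewall in the path:
# IKE (UDP 500), NAT-T encapsulated ESP (UDP 4500) and native ESP (protocol 50).
REQUIRED_FLOWS: Tuple[Tuple[str, Optional[int]], ...] = (("udp", 500), ("udp", 4500), ("esp", None))


@dataclass(frozen=True)
class Ace:
    name: str
    action: str           # "permit" or "deny"
    proto: str            # "udp", "tcp", "esp", "ip", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]   # destination port from "eq PORT", None when absent


def _take_addr(tokens: List[str], i: int):
    """Consume one ASA address spec at tokens[i]; return (network, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "network mask" form; ipaddress accepts a dotted netmask after the slash
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse extended ACEs in configuration order; remarks and other lines are skipped."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] != "extended":
            continue
        name, action, proto = t[1], t[3], PROTO_ALIASES.get(t[4], t[4])
        src, i = _take_addr(t, 5)
        dst, i = _take_addr(t, i)
        port = None
        if i + 1 < len(t) and t[i] == "eq":
            port = int(t[i + 1])
        aces.append(Ace(name, action, proto, src, dst, port))
    return aces


def first_match(aces: List[Ace], proto: str, src_ip: str, dst_ip: str,
                dport: Optional[int] = None) -> Optional[Ace]:
    """ASA semantics: the first matching ACE decides; no match means implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto not in (proto, "ip"):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.port is not None and ace.port != dport:
            continue
        return ace
    return None


def missing_vpn_flows(aces: List[Ace], client_ip: str, vpn_server: str):
    """Return the required IPsec flows that the ACL does not permit."""
    missing = []
    for proto, port in REQUIRED_FLOWS:
        ace = first_match(aces, proto, client_ip, vpn_server, port)
        if ace is None or ace.action != "permit":
            missing.append((proto, port))
    return missing


if __name__ == "__main__":
    acl = parse_acl(CONSTRUCTED_ACL)
    for proto, port in missing_vpn_flows(acl, "192.168.10.25", "203.0.113.5"):
        print(f"not permitted: {proto}" + (f"/{port}" if port else ""))
```

With the constructed ACL the script reports only ESP as not permitted, which is exactly the gap Karthik describes: IKE and NAT-T pass, but a client that negotiates native ESP has nowhere to go. The same function can be pointed at the return path by swapping the client and server arguments if the ACL is applied in the inbound direction.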

Hi Karthik,

I have allowed UDP ports 500, 4500 & the ESP protocol in my office firewall, but it didn't work.

Regards,

Ejaz

Peter Long
Level 1

So you are using a client VPN; it connects fine (i.e. you can ping etc.) but you can't RDP? My bet would be MTU/packet fragmentation. I had a similar problem; this is how I fixed it:

Cannot Remote Desktop over VPN connection

Pete

Hi Pete,

Yes, I am using a client VPN. Not only RDP; actually nothing passes through the VPN tunnel.

Regards,

Ejaz

OK, as Karthik has pointed out, the problem is 'probably' NAT related.

Cisco VPN Client Connects but no traffic will Pass

If that's not the case, then make sure the subnet that the remote VPN clients are using is not getting 'routed' somewhere other than back out of the firewall.

Pete