08-03-2012 06:58 AM
Hello,
I want to establish a VPN tunnel; our VPN GW is a Cisco ASA. The partner VPN is behind a firewall. It has an internal IP which is NATed to a public IP.
I don't know why, but it doesn't work.
Is there a problem establishing a VPN connection with a GW which is behind a firewall and will be NATed?
Logging with NAT-T:
Aug 2 15:55:23 [.2] Aug 02 2012 15:55:23 FIREWALL: %ASA-5-713041: IP = xx.xx.xx.xx, IKE Initiator: New Phase 1, Intf DMZ, IKE Peer xx.xx.xx.xx local Proxy Address ....., remote Proxy Address ......, Crypto map (outside_map)
Aug 2 15:55:23 [.2] Aug 02 2012 15:55:23 FIREWALL: %ASA-6-302015: Built outbound UDP connection 338573913 for outside:xx.xx.xx.xx/500 (xx.xx.xx.xx/500) to identity:yy.yy.yy.yy/500 (yy.yy.yy.yy/500)
Aug 2 15:55:23 [2] Aug 02 2012 15:55:23 FIREWALL: %ASA-6-713172: Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
Aug 2 15:55:23 [.2] Aug 02 2012 15:55:23 FIREWALL: %ASA-6-302015: Built outbound UDP connection 338573917 for outside:xx.xx.xx.xx/4500 (xx.xx.xx.xx/4500) to identity:yy.yy.yy.yy/4500 (yy.yy.yy.yy/4500)
Aug 2 15:55:33 [.2] Aug 02 2012 15:55:33 FIREWALL: %ASA-5-713201: Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, Duplicate Phase 1 packet detected. Retransmitting last packet.
Aug 2 15:55:33 [.2] Aug 02 2012 15:55:33 FIREWALL: %ASA-6-713905: Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, P1 Retransmit msg dispatched to MM FSM
Aug 2 15:55:43 [.2] Aug 02 2012 15:55:43 FIREWALL: %ASA-5-713201: Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, Duplicate Phase 1 packet detected. Retransmitting last packet.
Aug 2 15:55:43 [.2] Aug 02 2012 15:55:43 FIREWALL: %ASA-6-713905: Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, P1 Retransmit msg dispatched to MM FSM
Aug 2 15:55:44 [.2] Aug 02 2012 15:55:44 FIREWALL: %ASA-5-713041: IP = xx.xx.xx.xx, IKE Initiator: New Phase 1, Intf DMZ, IKE Peer xx.xx.xx.xx local Proxy Address .......remote Proxy Address .......Crypto map (outside_map)
Aug 2 15:55:44 [.2] Aug 02 2012 15:55:44 FIREWALL: %ASA-6-713172: Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
Aug 2 15:55:53 [.2] Aug 02 2012 15:55:53 FIREWALL: %ASA-4-713903: IP = xx.xx.xx.xx, Header invalid, missing SA payload! (next payload = 4)
Aug 2 15:55:53 [.2] Aug 02 2012 15:55:53 FIREWALL: %ASA-6-302015: Built outbound UDP connection 338574682 for outside:xx.xx.xx.xx/4500 (xx.xx.xx.xx/4500) to identity:yy.yy.yy.yy/500 (yy.yy.yy.yy/500)
Aug 2 15:55:54 [.2] Aug 02 2012 15:55:54 FIREWALL: %ASA-5-713201: Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, Duplicate Phase 1 packet detected. Retransmitting last packet.
Aug 2 15:55:54 [.2] Aug 02 2012 15:55:54 FIREWALL: %ASA-6-713905: Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, P1 Retransmit msg dispatched to MM FSM
Aug 2 15:56:03 [.2] Aug 02 2012 15:56:03 FIREWALL: %ASA-4-713903: IP = xx.xx.xx.xx, Header invalid, missing SA payload! (next payload = 4)
Aug 2 15:56:04 [.2] Aug 02 2012 15:56:04 FIREWALL: %ASA-5-713201: Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, Duplicate Phase 1 packet detected. Retransmitting last packet.
Aug 2 15:56:04 [172.20.48.102.2.2] Aug 02 2012 15:56:04 FIREWALL: %ASA-6-713905: Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, P1 Retransmit msg dispatched to MM FSM
Aug 2 15:56:14 [.2] Aug 02 2012 15:56:14 FIREWALL: %ASA-4-713903: IP = xx.xx.xx.xx, Header invalid, missing SA payload! (next payload = 4)
Aug 2 15:56:24 [.2] Aug 02 2012 15:56:24 FIREWALL: %ASA-4-713903: IP = xx.xx.xx.xx, Header invalid, missing SA payload! (next payload = 4)
Aug 2 15:57:44 [.2] Aug 02 2012 15:57:44 FIREWALL: %ASA-6-302016: Teardown UDP connection 338573913 for outside:xx.xx.xx.xx/500 to identity:yy.yy.yy.yy/500 duration 0:02:21 bytes 2384
Logging without NAT-T:
Aug 3 15:51:21 [.2] Aug 03 2012 15:51:21 FIREWALL: %ASA-5-713041: IP = xx.xx.xx.xx, IKE Initiator: New Phase 1, Intf DMZ, IKE Peer xx.xx.xx.xx local Proxy Address ....., remote Proxy Address ......, Crypto map (outside_map)
Aug 3 15:51:21 [.2] Aug 03 2012 15:51:21 FIREWALL: %ASA-6-302015: Built outbound UDP connection 341071944 for outside:xx.xx.xx.xx/500 (xx.xx.xx.xx/500) to identity:yy.yy.yy.yy/500 (yy.yy.yy.yy/500)
Aug 3 15:51:22 [.2] Aug 03 2012 15:51:22 FIREWALL: %ASA-6-713219: Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 3 15:51:23 [.2] Aug 03 2012 15:51:23 FIREWALL: %ASA-6-713219: Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 3 15:51:24 [.2] Aug 03 2012 15:51:24 FIREWALL: %ASA-6-713219: Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 3 15:51:25 [.2] Aug 03 2012 15:51:25 FIREWALL: %ASA-6-713219: Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 3 15:51:27 [.2] Aug 03 2012 15:51:26 FIREWALL: %ASA-6-713219: Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 3 15:51:27 [.2] Aug 03 2012 15:51:27 FIREWALL: %ASA-6-713219: Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 3 15:51:29 [.2] Aug 03 2012 15:51:28 FIREWALL: %ASA-6-713219: Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 3 15:51:31 [.2] Aug 03 2012 15:51:31 FIREWALL: %ASA-5-713201: Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, Duplicate Phase 1 packet detected. Retransmitting last packet.
Aug 3 15:51:31 [.2] Aug 03 2012 15:51:31 FIREWALL: %ASA-6-713905: Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, P1 Retransmit msg dispatched to MM FSM
Aug 3 15:51:41 [.2] Aug 03 2012 15:51:41 FIREWALL: %ASA-5-713201: Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, Duplicate Phase 1 packet detected. Retransmitting last packet.
Aug 3 15:51:41 [.2] Aug 03 2012 15:51:41 FIREWALL: %ASA-6-713905: Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, P1 Retransmit msg dispatched to MM FSM
Aug 3 15:51:51 [.2] Aug 03 2012 15:51:51 FIREWALL: %ASA-4-713903: IP = xx.xx.xx.xx, Header invalid, missing SA payload! (next payload = 4)
Aug 3 15:52:01 [.2] Aug 03 2012 15:52:01 FIREWALL: %ASA-4-713903: IP = xx.xx.xx.xx, Header invalid, missing SA payload! (next payload = 4)
09-09-2013 10:43 AM
Hello,
I have the same/similar problem. I am trying to establish a GW-to-GW session. One GW has a direct public IP address assigned, the other is behind NAT (of course ports are forwarded in/out to the private IP address of the second GW). I get the same log messages as yours without NAT-T. With direct public IPs on both sides there is no problem and the tunnel comes up....
Does anyone have an idea how to fix that?
EDIT: I found the cause. On one GW NAT-T option was not enabled. After enabling everything is working just fine :-)
Cheers.
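The two posts above describe one failure pattern: the ASA's NAT detection reports the peer behind a NAT device, Phase 1 then loops on retransmits and "Header invalid, missing SA payload", and the fix was enabling NAT-T on the other gateway. The following triage script is an added example, not code from the thread or from Cisco: it parses ASA IKEv1 syslog lines of the form shown above and flags a peer whose Phase 1 never completes while NAT was detected. The sample log is constructed (placeholder addresses), and message ID 713119 (PHASE 1 COMPLETED) is an assumed success marker that does not appear in the thread's failing output.

```python
import re
from collections import Counter

# Constructed sample modelled on the thread's ASA output; 203.0.113.10 and the
# 10.x proxy addresses are documentation placeholders, not real peers.
SAMPLE_LOG = """\
Aug 2 15:55:23 FIREWALL: %ASA-5-713041: IP = 203.0.113.10, IKE Initiator: New Phase 1, Intf DMZ, IKE Peer 203.0.113.10 local Proxy Address 10.1.0.0, remote Proxy Address 10.2.0.0, Crypto map (outside_map)
Aug 2 15:55:23 FIREWALL: %ASA-6-713172: Group = 203.0.113.10, IP = 203.0.113.10, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
Aug 2 15:55:33 FIREWALL: %ASA-5-713201: Group = 203.0.113.10, IP = 203.0.113.10, Duplicate Phase 1 packet detected. Retransmitting last packet.
Aug 2 15:55:33 FIREWALL: %ASA-6-713905: Group = 203.0.113.10, IP = 203.0.113.10, P1 Retransmit msg dispatched to MM FSM
Aug 2 15:55:53 FIREWALL: %ASA-4-713903: IP = 203.0.113.10, Header invalid, missing SA payload! (next payload = 4)
Aug 2 15:56:03 FIREWALL: %ASA-4-713903: IP = 203.0.113.10, Header invalid, missing SA payload! (next payload = 4)
"""

# %ASA-<severity>-<msgid>: [Group = x, ]IP = <peer>, <text>
MSG_RE = re.compile(r"%ASA-\d-(\d{6}): (?:Group = [^,]+, )?IP = ([^,]+), (.*)")
PHASE1_DONE = "713119"   # assumed success marker ("PHASE 1 COMPLETED"); absent from the thread
NAT_DETECT, P1_RETRANS, BAD_HEADER = "713172", "713201", "713903"


def parse(log_text):
    """Group ASA IKE messages per peer: NAT detection result plus a count of message IDs."""
    peers = {}
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue                      # not an IKE line we care about
        msg_id, peer, text = m.groups()
        state = peers.setdefault(peer, {"remote_nat": None, "counts": Counter()})
        state["counts"][msg_id] += 1
        if msg_id == NAT_DETECT:          # Automatic NAT Detection Status
            state["remote_nat"] = "Remote end IS behind" in text
    return peers


def diagnose(state):
    """Classify one peer's Phase 1 outcome; the labels are this example's own."""
    c = state["counts"]
    if c[PHASE1_DONE]:
        return "ok"
    stuck = c[P1_RETRANS] + c[BAD_HEADER] > 0   # retransmits and malformed replies
    if stuck and state["remote_nat"]:
        # Matches the thread: peer behind NAT, Phase 1 never finishes.
        # Check NAT-T is enabled on both gateways and UDP/4500 is forwarded.
        return "phase1-stuck-behind-nat"
    return "phase1-stuck" if stuck else "incomplete"


def triage(log_text):
    """Map each peer seen in the log to a diagnosis label."""
    return {peer: diagnose(st) for peer, st in parse(log_text).items()}
```

Feed it the output of `show logging` filtered to `713` messages; a peer labelled `phase1-stuck-behind-nat` is the case both posters hit.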