01-16-2008 09:35 AM
We have 100 users. We have a pcf file called "T1_radius_split" and the Cisco VPN client. Almost everyone can get into the VPN fine, except for two people.
When the successful people get in, they can ping our internal 192.168.1.24 server, no problems. They can also surf the web through their local ISP.
The two people that cannot get in are Betty and myself.
We both have 192.168.0.1 at our homes. She has a comcast router, and we even put her in DMZ. She can authenticate in the cisco client, and it says connected, but cannot ping the internal 192.168.1.24 server.
I have Win2003 ICS and 10 PCs at home! I'm also on 192.168.0.x at home.
I have installed the Cisco client and pcf file on 9 PCs, and every one has the exact same problem as Betty.
We use Cisco ASDM 5.2 for ASA, and it works great. We love the GUI.
All PCs in this scenario are pure Microsoft. XP Pro, in most cases.
01-16-2008 10:26 AM
Could simply be a NAT traversal problem. Enable NAT-T.
01-16-2008 10:45 AM
Should I enable NAT traversal on the ASA box? Or
should I enable this on Betty's router?
If the answer is the ASA box, why would the other 98 people in the company have no problems connecting?
01-16-2008 11:07 AM
NAT-T would be enabled on the ASA if it is not already. I was just taking a stab with the limited information I had. Usually, when users can connect but cannot access anything, this is almost always NAT-T. As far as the other 98 users, I'm not sure, maybe they're not behind a NAT device?
01-16-2008 05:00 PM
I haven't played in the ASAs yet. Is the client-side router just the Comcast device? Does the client side have a second internet router such as a Linksys, Netgear, or D-Link? Linksys devices have a common IPsec pass-through option. I would be concerned about making changes at the host end since 98 connections are functioning just fine for you. When you moved the PC to the DMZ port, what port forwarding options did you enable? Have you attempted to change your transport on the client to UDP (this would require enabling UDP configuration on the ASA)? Also, it is important to provide the CIDR info on the IPs. What IP are you assigning the client when it connects? I manage over 1000 sites and 1200 clients to a load-balanced VPN 3030 concentrator and swear I have seen everything. Most of the time the issues are on the client. If you can answer my questions then I might be able to ask more questions or even point to something of interest.
01-17-2008 05:52 AM
When I moved Betty's PC to her DMZ I didn't enable any ports, as this gave her PC her real Comcast IP instead of a 192.168.0.x IP. ALL ports would be passing through. And no, I haven't enabled UDP on the ASA. I'm going now to look up CIDR and see what that is. I'll also try to figure out what IP I am assigning to the client when it connects.
Thanks
01-17-2008 09:51 AM
CIDR is the bit notation of a subnet mask (i.e. 255.255.255.0, class C, is equal to the bit /24). What private addresses are the other 98 users on? If the client is getting a public address in the DMZ then I am not sure that it would be an IP (TCP/UDP) issue. My involvement with ASAs is a 5505 at my desktop blocking me from my network. I believe the other individual was right. Make sure NAT-T is enabled and open the firewall to allow IPsec over TCP. It still doesn't explain why 98 other people are connecting.
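The replies above ask for the CIDR of the home LAN, the VPN pool and the split-tunnel networks, and for whether the failing clients sit behind NAT. The script below is an added example, not code from the thread or from Cisco: it takes those values and flags a home subnet that collides with the split-tunnel list or the assigned pool (the two failing users are both on 192.168.0.x), and lists which IKE/ESP paths the tunnel needs for a NATed versus a public-addressed client. Only the 192.168.0.0/24 home LAN and the 192.168.1.24 server come from the thread; the VPN pool and the contents of the split-tunnel ACL are assumed values for illustration.

```python
"""
Added example (not from the thread): given the CIDR information the replies
ask for, check whether a failing user's home LAN collides with the VPN address
pool or the split-tunnel networks, and list the IKE/ESP paths the tunnel needs
depending on whether the client sits behind NAT.
"""
import ipaddress

CLIENT_LAN = "192.168.0.0/24"               # home subnet of both failing users (from the thread)
INTERNAL_SERVER = "192.168.1.24"            # server that working users can ping (from the thread)
SPLIT_TUNNEL_NETWORKS = ["192.168.1.0/24"]  # ASSUMED contents of the split-tunnel ACL
VPN_POOL = "192.168.0.100/30"               # HYPOTHETICAL pool; the thread never states it


def mask_to_prefix(mask: str) -> int:
    """Dotted subnet mask to CIDR prefix length: 255.255.255.0 -> 24."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def _net(cidr: str) -> ipaddress.IPv4Network:
    # strict=False tolerates host bits being set, e.g. "192.168.0.1/24"
    return ipaddress.ip_network(cidr, strict=False)


def diagnose(client_lan: str, vpn_pool: str, split_networks, target_host: str) -> list:
    """Return human-readable findings; an empty list means no address conflict."""
    findings = []
    client = _net(client_lan)
    target = ipaddress.ip_address(target_host)

    # The target must be in the split-tunnel list, or the client never sends it into the tunnel.
    if not any(target in _net(n) for n in split_networks):
        findings.append(
            f"{target_host} is not in the split-tunnel list; the client routes it "
            "out the local ISP instead of the tunnel")
    # A directly connected home route is more specific than (or equal to) the tunnel route.
    for n in split_networks:
        if client.overlaps(_net(n)):
            findings.append(
                f"home LAN {client_lan} overlaps split-tunnel network {n}; the "
                "client's directly connected route wins over the tunnel route")
    # A virtual address inside the home subnet confuses the client's own routing.
    if client.overlaps(_net(vpn_pool)):
        findings.append(
            f"home LAN {client_lan} overlaps VPN pool {vpn_pool}; the assigned "
            "virtual address collides with the home subnet")
    return findings


def tunnel_paths(local_ip: str, public_ip: str) -> list:
    """
    Flows the tunnel needs to reach the ASA. If the client's own address is
    private and differs from the address the ASA sees, it is behind NAT: the
    IKE peers negotiate NAT-T and ESP is carried in UDP 4500 (IPsec over TCP is
    the alternative the replies mention). With a public address on the host,
    as for Betty in the DMZ, plain ESP (IP protocol 50) must be allowed through.
    """
    local = ipaddress.ip_address(local_ip)
    public = ipaddress.ip_address(public_ip)
    behind_nat = local.is_private and local != public   # the address comparison is the decisive test
    if behind_nat:
        return ["UDP/500 (IKE)", "UDP/4500 (NAT-T)"]
    return ["UDP/500 (IKE)", "ESP (IP protocol 50)"]


if __name__ == "__main__":
    result = diagnose(CLIENT_LAN, VPN_POOL, SPLIT_TUNNEL_NETWORKS, INTERNAL_SERVER)
    for line in result or ["no address conflict found"]:
        print("-", line)
    # 203.0.113.7 is a documentation address standing in for the ISP-assigned public IP
    print(tunnel_paths("192.168.0.5", "203.0.113.7"))
```

Run it with the real pool and split-tunnel ACL from the ASA in place of the assumed values; if the only finding is the pool or split-list overlap, that is a routing problem on the client and no amount of NAT-T tuning will fix it.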
01-21-2008 09:57 AM
Hi,
I've seen the same issues you have been talking about, and it was related to the end user's ISP. I mean that the ports that the information is coming back to the client on are blocked on their end. Not on the user's local desktop router, but by the ISP as a whole. Do any of the other 100 VPN users have Comcast as an ISP? Do you use Comcast?
Craig