Unable to send VPN traffic through the ASA

Answered Question
Jan 30th, 2007

Hi friends,

Just came across an issue with ASA 5540 and PIX 7.1.

There is a VPN client behind the ASA and the ASA is a PAT device. The ASA is just a pass-through device which needs to allow the vpn traffic through it connecting to a remote server.

I have enabled sysopt connection permit-vpn, and I have also temporarily allowed all traffic (IP and ICMP) on the interfaces.

I was able to connect to the remote server through the Cisco VPN client and enter the user credentials. But beyond that, I was not able to do anything. This was happening even after I enabled NAT-T on the firewall (isakmp nat-traversal 20).

I was not able to ping to the remote server. But after I did a one-to-one static NAT for my machine, I was able to ping the server.

So, basically, PAT was the reason I was not able to connect, as static NAT resolved the issue. Cisco recommends one solution, NAT-T, and even that has been tried.

Do you have any suggestions on what else could be tried?

Looking forward to your help in this regard.

Thanks a lot

Gautam

Correct Answer by acomiskey about 9 years 7 months ago

No problem, how about a rating?

acomiskey Tue, 01/30/2007 - 07:30

Which firewall did you enable NAT-T on? NAT-T would have to be enabled on the remote firewall.

gautamzone Tue, 01/30/2007 - 08:52

Hi,

Thanks a lot for your quick response.

I enabled NAT-T on the firewall that is close to the VPN client.

Thanks a lot

Gautam

acomiskey Tue, 01/30/2007 - 09:55

So did you add it to the remote firewall and did it fix the problem?

Please rate if it helped.

gautamzone Tue, 01/30/2007 - 11:26

Well, NAT-T was enabled on the firewall close to the Cisco VPN client. But I don't know about the firewall on the other end.

But one thing that I wanted to mention is that when connecting through dial-up and bypassing the firewall, there were no connectivity issues. Which means that there is an issue with the firewall connected to the VPN client, and the configuration on the other end should be fine then. Right? Not too sure on that.

acomiskey Tue, 01/30/2007 - 11:34

Not necessarily. You are not PATing when you are dialing up, but I assume you are on the local firewall. If running PAT on the local firewall, the remote firewall will have to support NAT-T. Do you have control over the remote PIX?

gautamzone Tue, 01/30/2007 - 21:19

No, I don't have control over the remote PIX. But I can tell the administrator to enable NAT-T on his remote firewall.

Will get back to you on this.

Thanks a lot

Gautam

gautamzone Thu, 02/01/2007 - 11:10

Thanks a lot for your help. The issue was resolved after the remote firewall had NAT-T enabled.

Gautam

chdave Tue, 03/06/2007 - 14:30

I have the same issue. I'm trying to VPN out, from behind an ASA 5510, to a client's VPN server. I can connect and get through the authentication but can't connect further to any other server.

I also tried to VPN to another client with a SonicWall VPN appliance and I can't even get connected.

I have no control over the client's VPN server. Is there any other option that I can set on our ASA in order to allow a local client to VPN out to the client's VPN server?

Everything works if I connect directly to a Dlink wireless router which is not behind our ASA.

BTW: I did have NAT-T enabled on our ASA.

Any comment would be appreciated. Thanks.

Kamal Malhotra Tue, 03/06/2007 - 15:47

Hi,

Having NAT-T enabled on your ASA would not help, as it is not the device that the VPN is terminating on. Make sure that it has UDP 500 and UDP 4500 allowed through it.

HTH,

Please rate if it helps.

Regards,

Kamal

chdave Thu, 03/08/2007 - 14:44

Hmm. I "think" I allow all outgoing traffic, unless my ASA blocks that traffic by default without my knowing it.

I found this message in the ASA log:

305006: regular translation creation failed for protocol 50 src DMZ:192.168.xxx.xxx dst EXT: 216.xxx.xxx.xxx

Checking on it, but could someone help? Thanks.

kaachary Thu, 03/08/2007 - 15:38

The ASA as such doesn't support IPsec passthrough, as the "fixup protocol esp" command has been removed.

To get this to work, you have to make sure the client supports NAT-T and that it is enabled on it.

And the remote VPN server must also support NAT-T and have it enabled.

The ESP protocol error message you are getting is an indication that either the server or the client does not support NAT-T, or it is not enabled.

*Please rate if this helped.

-Kanishka
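As an added illustration (not code from the thread or from Cisco), here is a small Python parser for the 305006 "translation creation failed" message quoted above. It classifies each failure by the protocol the PAT device could not translate: protocol 50 (ESP, no ports to PAT, so NAT-T or ipsec-pass-thru is needed), protocol 47 (GRE, the PPTP data channel) or UDP 500/4500 (IKE/NAT-T itself). The sample log lines are constructed in the style of the one quoted, with documentation addresses.

```python
import re

# Constructed sample syslog lines modelled on the 305006 message quoted above
# (documentation addresses, not real hosts). Line 3 is unrelated noise.
SAMPLE_LOG = """\
%ASA-3-305006: regular translation creation failed for protocol 50 src DMZ:192.168.10.25 dst EXT:203.0.113.7
%ASA-3-305006: regular translation creation failed for udp src DMZ:192.168.10.25/500 dst EXT:203.0.113.7/500
%ASA-6-302015: Built outbound UDP connection 4711 for EXT:203.0.113.7/4500 (203.0.113.7/4500) to DMZ:192.168.10.25/4500 (198.51.100.2/61003)
%ASA-3-305006: regular translation creation failed for protocol 47 src DMZ:192.168.10.30 dst EXT:203.0.113.9
"""

# Matches both the "protocol <n>" form (ESP=50, GRE=47) and the "tcp/udp" form
# with optional /port suffixes; tolerant of the space after "EXT:" seen in the thread.
FAIL_RE = re.compile(
    r"305006: regular translation creation failed for "
    r"(?:protocol (?P<proto>\d+)|(?P<l4>tcp|udp)) "
    r"src (?P<sif>\w+):\s*(?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dif>\w+):\s*(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
)

def diagnose(proto, dport):
    """Map a failed translation to the likely cause discussed in the thread."""
    if proto == "50":   # ESP has no ports, so PAT cannot translate it
        return "esp-no-nat-t"          # enable NAT-T on both ends or 'inspect ipsec-pass-thru'
    if proto == "47":   # GRE carries PPTP data, same problem without 'inspect pptp'
        return "gre-no-pptp-inspect"
    if proto == "udp" and dport in ("500", "4500"):
        return "ike-udp-pat-failure"   # IKE/NAT-T itself failed; check PAT rules and ACLs
    return "other"

def parse_failures(text):
    """Return one dict per 305006 line; non-matching lines are ignored."""
    found = []
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue
        proto = m.group("proto") or m.group("l4")
        found.append({
            "src": f"{m.group('sif')}:{m.group('src')}",
            "dst": f"{m.group('dif')}:{m.group('dst')}",
            "proto": proto,
            "dport": m.group("dport"),
            "diagnosis": diagnose(proto, m.group("dport")),
        })
    return found

if __name__ == "__main__":
    for f in parse_failures(SAMPLE_LOG):
        print(f["src"], "->", f["dst"], f["proto"], f["diagnosis"])
```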

chdave Thu, 03/08/2007 - 17:57

I have just found another member saying the following. What do you think? I haven't tried it yet. What I don't understand is what action the ASA will take when it inspects the IPsec/PPTP protocol? Any comment will be welcomed.

-----------------

7.0.5 supports multiple IPsec passthrough.

Enhanced IPSEC Inspection

The ability to open specific pinholes for ESP flows based on existence of an IKE flow is provided by the enhanced IPSec inspect feature. This feature can be configured within the MPF infrastructure along with other inspects. The idle-timeout on the resulting ESP flows is statically set at 10 minutes. There is no maximum limit on number of ESP flows that can be allowed.

A new policy-map command inspect ipsec-pass-thru is added to enable this feature.

----------------------------------

Here is what I am using to allow raw IPsec and PPTP passthrough:

class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  ! PPTP control channel plus GRE pinholes
  inspect pptp
  ! opens ESP pinholes for flows that have a matching IKE session
  inspect ipsec-pass-thru
!
service-policy global_policy global
