Hi,

Thanks a lot for your quick response.

I enabled nat-t on the firewall that is close to the VPN client.

Thanks a lot

Gautam

So did you add it to the remote firewall and did it fix the problem?

Please rate if it helped.

Well, nat-t was enabled on the firewall close to the Cisco VPN client. But i dont know about the firewall on the other end.

But one thing that I wanted to mention that when connecting through a dial up and bypassing the firewall, there were no connectivity issues. Which means that there is an issue with the firewall connected to the VPN client. And the configuration on the other end should be fine then. Right? Not too sure on that.

Not necessarily, you are not PATing when you are dialing up, but I assume you are on the local firewall. If running PAT on local firewall, remote firewall will have to support nat-t. Do you have control over remote pix?

No, I dont have control over remote PIX. But I can tell the admininstrator to enable NAT-T on his remote firewall.

Will get back to you on this.

Thanks a lot

Gautam

Thanks a lot for your help. The issue was resolved after the remote firewall had NAT-T enabled.

Gautam

I have the same issue. I'm trying to VPN out, behind ASA5510, to a client's VPN server . I can connected and get through the authentication but can't further connect to any other server.

I also try to VPN to another client with SonicWall VPN applicance and I can't even get connected.

I have no control to client's vpn server. Any other option that I can set on our ASA in order to allow local client VPN out to client's vpn server?

Everything works if I connect directly to a Dlink wireless router which is not behind our ASA.

BTW: I did have NAT-T enabled on our ASA.

Any comment would be appreciated. Thanks.

Hi,

Having NAT-T enabled on our ASA would not help as it is not the device that VPN is terminating on. Make sure that it has UDP 500 and UDP 4500 allowed through it.

HTH,

Please rate if it helps.

Regards,

Kamal

Hmm. I "think" I allow all outgoing traffic.. unless I don't know my ASA blocks those traffice by default.

I found this msg in asa log:

305006: regular translation creation failed for protocol 50 src DMZ:192.168.xxx.xxx dst EXT: 216.xxx.xxx.xxx

Checking for it but.. could someone help? Thanks.

ASA as such doesn't support IPSec passthrough, as "fixup protocol esp" command has been removed.

TO get this to work, you have to make sure the client supports NAT-T and is enabled on the it.

And the rmeote VPN server also supports NAT-T nad has it enabled.

The error message for ESP protocol you are getting is an indication that either the server or client do not support nat-t or its not enabled .

*Please rate if this helped.

-Kanishka

I have just found another member say the followings.. what do u think? I haven't try it yet. What I don't understand is what action will ASA take when it inspect the IPSec /PPTP protocol? Any comment will be welcomed.

-----------------

7.0.5 supports multiple ipsec passthrough.

Enhanced IPSEC Inspection

The ability to open specific pinholes for ESP flows based on existence of an IKE flow is provided by the enhanced IPSec inspect feature. This feature can be configured within the MPF infrastructure along with other inspects. The idle-timeout on the resulting ESP flows is statically set at 10 minutes. There is no maximum limit on number of ESP flows that can be allowed.

A new policy-map command inspect ipsec-pass-thru is added to enable this feature.

----------------------------------

Here is what i am using to allow raw ipsec and PPTP passthrough.

class-map inspection_default

match default-inspection-traffic

!

policy-map global_policy

class inspection_default

inspect pptp

inspect ipsec-pass-thru

!

service-policy global_policy global