VPN Connection issue - maybe NAT problem

cisconoobie
Level 2

I am having a Firewall VPN problem.

I have an ASA5500 firewall using PAT. I setup another firewall at a remote location. I configured the remote location for remote VPN. I can VPN into the remote location from anywhere but I have problems when accessing the VPN from inside my office.

I am behind an ASA5500 at the office. When I connect to the remote office via VPN, I am unable to connect to that internal network.

Though when I am somewhere else, outside of the office firewall, I am able to connect fine, so the config at the remote site is perfect.

I am guessing that there is a configuration problem on my office firewall that does not allow connectivity to the remote internal network.

Any ideas?

11 Replies

palomoj
Level 1

Does this exist in your office ASA?

crypto isakmp nat-traversal

I put this in but still cannot connect properly to the internal network.

When you are connected can you verify if it is in fact using NAT-T? UDP 4500

Can you post a cleaned up office ASA config?
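An added example (not from this thread or from Cisco) of the check palomoj asks for: given tcpdump-style text captured on the office side, it tells IKE on UDP/500 and raw ESP (IP protocol 50) apart from NAT-T traffic on UDP/4500, so you can confirm whether the client's data plane is actually UDP-encapsulated before blaming the PAT. The addresses and capture lines are constructed.

```python
import re
from collections import Counter

# Constructed sample in tcpdump's default text format (not a real capture).
# 203.0.113.10 stands in for the office PAT address, 198.51.100.5 for the remote ASA.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.10.500 > 198.51.100.5.500: isakmp: phase 1 I ident
12:00:01.020002 IP 198.51.100.5.500 > 203.0.113.10.500: isakmp: phase 1 R ident
12:00:01.040003 IP 203.0.113.10.4500 > 198.51.100.5.4500: NONESP-encap: isakmp: phase 1 I ident
12:00:01.060004 IP 198.51.100.5.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: phase 1 R ident
12:00:02.000005 IP 203.0.113.10.4500 > 198.51.100.5.4500: UDP-encap: ESP(spi=0x1a2b3c4d,seq=0x1), length 132
12:00:02.100006 IP 198.51.100.5 > 203.0.113.10: ESP(spi=0x5e6f7081,seq=0x1), length 132
"""

LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")

def split_endpoint(token):
    """'a.b.c.d.port' -> ('a.b.c.d', port); 'a.b.c.d' -> ('a.b.c.d', None)."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None

def classify_line(line):
    """Label one tcpdump line by the IPsec transport it shows."""
    m = LINE_RE.match(line)
    if not m:
        return "other"
    _, sport = split_endpoint(m.group(1))
    _, dport = split_endpoint(m.group(2))
    payload = m.group(3)
    if sport == 4500 and dport == 4500:
        # UDP/4500 is NAT-T: the non-ESP marker carries IKE, otherwise it is UDP-encapsulated ESP.
        return "ike-nat-t" if "NONESP-encap" in payload else "esp-nat-t"
    if sport == 500 and dport == 500 and payload.startswith("isakmp"):
        return "ike-500"
    if sport is None and payload.startswith("ESP("):
        return "esp-raw"  # IP protocol 50 with no UDP header; PAT cannot track it per client
    return "other"

def summarize(capture_text):
    """Count each traffic class across a capture."""
    return Counter(classify_line(l) for l in capture_text.splitlines() if l.strip())

def nat_t_verdict(counts):
    """True if the data plane is UDP-encapsulated, which a client behind PAT needs."""
    return counts["esp-nat-t"] > 0
```

Run it against `tcpdump -nn` output taken on the office side while the client is connected; a capture that shows only "ike-500" and "esp-raw" means NAT-T was never negotiated.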

nat-traversal would have to be enabled on the remote end, not the local end.

Any chance you could post your configs?

Are you just reading CCO documentation or have you actually done this in real life? I have had to add this to the firewall where the VPN client is initiating the connection from in order for NAT-T to work. Done it to many 501's, 515e's, and a pair of 525's running 6.3(5) code.

Are you serious? Anyway, even if that is the case it would be pointless to add it to the local firewall if he didn't have it enabled in the remote firewall, agreed? I may not be a CCIE but I do have real world experience. Everyone is here to help, hopefully without stepping on anyone's toes.

Hey as far as I can tell this is the 2nd time today you have posted a reply to mine as if my comment was incorrect so ????????? I'm here to help those who are seeking help not to put down other posters' comments.

Maybe you need to stop stepping on toes and only respond when you are 100% sure about your comment to someone else's.

I'm not putting down anyone's comments. I apologize if it seemed that way. A lot of times people on here skim through a lot of content. So if I see something which may be of value to the person who started the thread or someone else posting in the thread, I am motivated to add my comments. All with the goal in mind of helping someone solve a problem, not to make anyone look bad. Now I have learned something in this thread I didn't know, that is to look for nat-t being enabled on the local firewall, and I will use that knowledge in the future.

Also, cisconoobie's statement in his original post isn't necessarily true

"Though when I am somewhere else, outside of office firewall, I am able to connect fine so the config at the remote site is perfect."

If he was connecting from somewhere not using pat, and nat-t is not enabled on the firewall, then there is a problem with the config.

Never said it was :) Everyone's troubleshooting steps will be different soooo....

For this particular situation, I am troubleshooting inside outward. Nothing wrong with that is there?

Whoever.. it worked...you guys rock!