05-23-2007 06:07 PM - edited 02-21-2020 03:04 PM
I am having a Firewall VPN problem.
I have an ASA5500 firewall using PAT. I set up another firewall at a remote location. I configured the remote location for remote VPN. I can VPN into the remote location from anywhere, but I have problems when accessing the VPN from inside my office.
I am behind an ASA5500 at the office. When I connect to the remote office via VPN, I am unable to connect to that internal network.
Though when I am somewhere else, outside of the office firewall, I am able to connect fine, so the config at the remote site is perfect.
I am guessing that there is a configuration problem on my office firewall that does not allow connectivity to the remote internal network.
Any ideas?
05-24-2007 08:40 AM
Does this exist in your office ASA?
crypto isakmp nat-traversal
05-24-2007 12:18 PM
I put this in but still cannot connect properly to the internal network.
05-24-2007 01:08 PM
When you are connected, can you verify if it is in fact using NAT-T (UDP 4500)?
Can you post a cleaned up office ASA config?
05-24-2007 01:08 PM
nat-traversal would have to be enabled on the remote end, not the local end.
Any chance you could post your configs?
05-24-2007 02:07 PM
Are you just reading CCO documentation or have you actually done this in real life? I have had to add this to the firewall where the VPN client is initiating the connection from in order for NAT-T to work. Done it to many 501's, 515e's, and a pair of 525's running 6.3(5) code.
05-24-2007 02:15 PM
Are you serious? Anyway, even if that is the case it would be pointless to add it to the local firewall if he didn't have it enabled in the remote firewall, agreed? I may not be a CCIE but I do have real world experience. Everyone is here to help, hopefully without stepping on anyone's toes.
05-24-2007 02:20 PM
Hey as far as I can tell this is the 2nd time today you have posted a reply to mine as if my comment was incorrect so ????????? I'm here to help those who are seeking help not to put down other posters' comments.
Maybe you need to stop stepping on toes and only respond when you are 100% sure about your comment to someone else's.
05-24-2007 02:30 PM
I'm not putting down anyone's comments. I apologize if it seemed that way. A lot of times people on here skim through a lot of content. So if I see something which may be of value to the person who started the thread or someone else posting in the thread, I am motivated to add my comments. All with the goal in mind of helping someone solve a problem, not to make anyone look bad. Now I have learned something in this thread I didn't know, that is to look for nat-t being enabled on the local firewall, and I will use that knowledge in the future.
05-24-2007 02:18 PM
Also, cisconoobie's statement in his original post isn't necessarily true:
"Though when I am somewhere else, outside of office firewall, I am able to connect fine so the config at the remote site is perfect."
If he was connecting from somewhere not using pat, and nat-t is not enabled on the firewall, then there is a problem with the config.
05-24-2007 02:24 PM
Never said it was :) Everyone's troubleshooting steps will be different soooo....
For this particular situation, I am troubleshooting inside outward. Nothing wrong with that is there?
05-24-2007 02:50 PM
Whoever... it worked... you guys rock!
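As an added illustration (not code from the thread or from Cisco), a small Python check for the two points raised above: whether nat-traversal is present in a PIX/ASA config, and whether an inside client's IKE session actually moved to UDP/4500 (NAT-T) rather than staying on UDP/500 only. The sample syslog lines imitate the ASA 302015 "Built ... UDP connection" message and are constructed; addresses and the exact field layout are assumptions.

```python
import re

IKE_PORT = 500      # ISAKMP; without NAT-T, ESP (IP proto 50) follows and cannot be PAT-ed
NAT_T_PORT = 4500   # IKE/ESP encapsulated in UDP once both peers detect NAT

# Constructed ASA-style log lines: a client at 192.168.10.25 behind a PAT firewall
# (mapped to 203.0.113.10) connecting to a remote VPN peer 198.51.100.1.
LOGS_NAT_T = [
    "%ASA-6-302015: Built outbound UDP connection 1001 for outside:198.51.100.1/500 "
    "(198.51.100.1/500) to inside:192.168.10.25/500 (203.0.113.10/500)",
    "%ASA-6-302015: Built outbound UDP connection 1002 for outside:198.51.100.1/4500 "
    "(198.51.100.1/4500) to inside:192.168.10.25/4500 (203.0.113.10/4500)",
]
LOGS_IKE_ONLY = LOGS_NAT_T[:1]   # phase 1 only: tunnel "up" but no traffic through PAT

# Both endpoints are captured without assuming which side is the client,
# since the "for"/"to" order differs between inbound and outbound messages.
_CONN_RE = re.compile(
    r"Built (?:inbound|outbound) UDP connection \d+ for "
    r"\w+:(?P<a_ip>[\d.]+)/(?P<a_port>\d+) \([\d.]+/\d+\) to "
    r"\w+:(?P<b_ip>[\d.]+)/(?P<b_port>\d+) \([\d.]+/\d+\)"
)

def ike_ports_seen(lines, client_ip):
    """Return the set of peer UDP ports (500/4500) the given inside host talked to."""
    ports = set()
    for line in lines:
        m = _CONN_RE.search(line)
        if not m:
            continue
        for local_ip, peer_port in ((m["a_ip"], int(m["b_port"])), (m["b_ip"], int(m["a_port"]))):
            if local_ip == client_ip and peer_port in (IKE_PORT, NAT_T_PORT):
                ports.add(peer_port)
    return ports

def nat_t_status(lines, client_ip):
    """'nat-t' if UDP/4500 was used, 'ike-only' if only UDP/500, else 'none'."""
    ports = ike_ports_seen(lines, client_ip)
    if NAT_T_PORT in ports:
        return "nat-t"
    return "ike-only" if IKE_PORT in ports else "none"

def config_has_nat_t(config_text):
    """True if the config enables NAT-T ('crypto isakmp nat-traversal' on ASA, 'isakmp nat-traversal' on PIX 6.x)."""
    return re.search(r"^\s*(?:crypto\s+)?isakmp\s+nat-traversal\b", config_text, re.M) is not None

if __name__ == "__main__":
    print(nat_t_status(LOGS_NAT_T, "192.168.10.25"), nat_t_status(LOGS_IKE_ONLY, "192.168.10.25"))
```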