VPN Passthrough and NAT-T with ASA 5510

brncopowor · ‎06-20-2007

Does anyone know if the new 8.0 release will support a many private addresses to one public address. We have had alot of problems with an older release not supporting this at all. We have clients where we are that access Win and Nortel VPN servers at their home sites. We need to be able to provide these services through the ASA using ports IP 50,51 and UDP 500. All we can have is one public address. Also is there any way to make the connections going through the ASA all look like they have different addresses. That my be impossible but once a GRE tunnel has been established with one of the users the Nortel for example will not let anymore connections connect coming from the same IP. Thanks

acomiskey · ‎06-20-2007

There is no problem providing these services through the ASA. Nat-t must be used by the devices on the remote end or you must not pat your clients on the inside of the ASA.

brncopowor · ‎06-20-2007

We have no control on the VPN server side of the house. Only with clients passing through. So are you saying that I should only use NAT and NAT w/ PAT. How would that work?

Thanks

acomiskey · ‎06-20-2007

It sounded like you were saying it was because of your ASA that clients cannot use nat-t outbound to their respective gateways. The fact is that the ASA has nothing to do with it. If nat-t is not supported on the remote end, there is nothing you can do in the ASA to make it work. The only option is to not nat the clients, which requires public ip addresses, or use one connection at a time.