Client VPN through ASA

Aug 22nd, 2007

Hi,

Does anyone know what's going on here? One of the clients on the network launches a Cisco VPN client to an external resource; the client connects and is authenticated, but no traffic passes.

PAT is in use on the outside interface.

I have enabled nat traversal and sysopt connection permit-ipsec.

Thanks

mattiaseriksson Wed, 08/22/2007 - 07:06

Hi, it is not you but the owner of the remote VPN server who has to enable NAT traversal, as it is part of the IKE negotiation between the IPsec peers.

Regards,

/Mattias

kinskins01 Wed, 08/22/2007 - 07:38

Hi, thanks for the response.

I have recently replaced a SonicWall with an ASA, and the connection worked fine through the SonicWall.

Any ideas?

mattiaseriksson Wed, 08/22/2007 - 07:50

If you only have one client on your LAN, you can use IPsec passthrough, which is not enabled by default.

In ASA I think the command is inspect ipsec-pass-thru.

A SonicWall probably has all features enabled by default; it wouldn't surprise me.

kinskins01 Thu, 08/23/2007 - 00:46

Hi,

When the VPN was established from the client, I got the following warnings on the ASA:

regular translation creation failed for protocol 50 src inside:192.X.X.X. dst outside:159.X.X.X

It's related to PAT, so I put in a static entry for the client so it NATs out to its own public IP, and hey presto, it worked.

Thanks for your help

anandramapathy Thu, 08/23/2007 - 05:12

Right -

This is usually set on the Remote server end.

The option IKE over TCP & port number is available in the client. There is a UDP option for this as well.

The default port for cisco is 10000.

You can find this by initiating a session from the client and typing the following command:

show conn local ( ip of the client )

It will show you the connections.
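The fix described in this thread, written out as an added ASA 7.x configuration fragment (not any poster's actual config; the addresses are constructed, with 192.168.10.25 as the VPN client and 203.0.113.5 standing in for the spare public IP the client is given):

```cisco
! Added example, not the original poster's configuration. Addresses are constructed:
! 192.168.10.0/24 is the inside LAN, 192.168.10.25 the host running the VPN client,
! 203.0.113.5 a spare public address on the outside network.

! Existing PAT: every inside host shares the outside interface address.
! ESP (IP protocol 50) carries no L4 ports, so PAT has nothing to rewrite and
! the ASA logs "regular translation creation failed for protocol 50".
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0

! Fix from the thread: a one-to-one static translation for the client, so its
! ESP leaves with its own public IP and is never subject to PAT.
static (inside,outside) 203.0.113.5 192.168.10.25 netmask 255.255.255.255

! Alternative for a single client, as suggested above: have the ASA track the
! IKE (UDP 500) session and permit the matching ESP through the firewall.
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru
service-policy global_policy global

! Verify after the client connects: the xlate should show the static mapping,
! and the conn table should list the IKE and ESP connections for the client.
show xlate | include 192.168.10.25
show conn local 192.168.10.25
```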
