08-30-2007 05:59 AM - edited 02-21-2020 03:14 PM
Hi all, we have recently set up a remote access VPN using the VPN client, terminating on an ASA5520. I am getting issues now where my clients connect fine to the VPN and get a DHCP address etc., but then can't see anything inside my LAN. It works fine from broadband etc. at home, but I tried to access it via a Vodafone 3G card, and other users from other companies say they are now having this issue also. What could the problem be? Routing surely is fine, as they can get the VPN connected. Please can anyone help?
Cheers
08-30-2007 06:08 AM
How about a config?
Make sure you have crypto isakmp nat-traversal.
08-30-2007 06:13 AM
What does that do?
I don't understand why it does not work for some people, as they do get connected and get an IP address from the device. I cannot get a config at the moment. Has anyone had any similar probs like this?
Cheers
08-30-2007 06:16 AM
carl,
This allows people coming from behind nat devices to use nat-t udp 4500. Your symptoms are exactly what would occur if it was not enabled. The client will connect but not be able to pass traffic.
This command is disabled by default and is the #1 issue for remote access vpns.
08-30-2007 06:53 AM
Thanks for that.
Can you please explain what this exactly does for the client end, and what does this command do?
08-30-2007 06:59 AM
This allows vpn clients to have esp packets encapsulated in udp over port 4500. This is necessary for ipsec to pass through nat/pat devices.
Most likely, the clients you are not having problems with are not behind nat/pat devices.
http://cisco.com/en/US/docs/security/asa/asa72/command/reference/c5_72.html#wp2068300
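As an added illustration of what the reply above describes (not part of the original thread or Cisco's own code), the following Python classifies the UDP/4500 datagrams a NAT-T client sends, using the RFC 3948 framing: a single 0xFF byte is a NAT keepalive, a four-byte zero "non-ESP marker" means an IKE message follows, and anything else is ESP with its SPI in the first four bytes. The sample datagrams are constructed, not captured.

```python
import struct

IKE_HEADER_LEN = 28                  # fixed ISAKMP/IKE header (RFC 2408, RFC 7296)
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 prefix for IKE on UDP/4500
NAT_KEEPALIVE = b"\xff"              # RFC 3948 one-byte keepalive


def classify_nat_t_payload(payload: bytes) -> dict:
    """Classify the UDP payload of one datagram seen on UDP/4500."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        body = payload[4:]
        if len(body) < IKE_HEADER_LEN:
            return {"kind": "malformed", "reason": "short IKE header"}
        ispi, rspi, _next, version, exch, _flags, _msgid, length = struct.unpack(
            "!QQBBBBII", body[:IKE_HEADER_LEN])
        return {"kind": "ike", "version": version >> 4,
                "exchange_type": exch, "length": length, "ispi": ispi}
    if len(payload) < 8:
        return {"kind": "malformed", "reason": "short ESP header"}
    spi, seq = struct.unpack("!II", payload[:8])   # ESP header: SPI, sequence number
    return {"kind": "esp", "spi": spi, "seq": seq}


def summarize_capture(datagrams):
    """Count (dst_port, kind) for a client's datagrams.

    Everything here is UDP/500 or UDP/4500; an egress policy that only
    permits TCP/80 silently drops all of it, which is the symptom in the thread.
    """
    counts = {}
    for dport, payload in datagrams:
        if dport == 4500:
            kind = classify_nat_t_payload(payload)["kind"]
        elif dport == 500:
            kind = "ike"
        else:
            kind = "other"
        counts[(dport, kind)] = counts.get((dport, kind), 0) + 1
    return counts


# Constructed samples (hypothetical SPIs): an IKEv1 main-mode first message and an ESP packet.
IKE_V1_MAIN_MODE = NON_ESP_MARKER + struct.pack(
    "!QQBBBBII", 0x1122334455667788, 0, 1, 0x10, 2, 0, 0, IKE_HEADER_LEN)
ESP_DATAGRAM = struct.pack("!II", 0x0A0B0C0D, 7) + b"\xde\xad\xbe\xef" * 4
SAMPLE_CAPTURE = [(500, IKE_V1_MAIN_MODE[4:]), (4500, IKE_V1_MAIN_MODE),
                  (4500, NAT_KEEPALIVE), (4500, ESP_DATAGRAM), (4500, ESP_DATAGRAM)]
```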
08-30-2007 07:06 AM
Is this all tunneled in port 80?
And how do I turn this command on via the ASDM manager?
Thanks for the prompt response.
Carl
08-30-2007 07:15 AM
We're talking about ipsec vpn here right?
No, it is tunneled in udp port 4500.
Configuration -> VPN -> IKE -> Global Parameters -> Check box for "Enable IPSec over NAT-T"
08-30-2007 07:27 AM
But how is this so? I thought VPN is tunneled across the web using port 80. As my firewall only allows clients to go out on port 80, how will it let port 4500 out?
Please explain.
Cheers
08-30-2007 07:55 AM
I'm sorry I don't understand what you mean.
VPN clients accessing your firewall are connecting on udp 500 or 4500, not port 80.
You may be allowing internal clients out on port 80, this has nothing to do with vpn clients connecting to your firewall.
Please explain.
08-30-2007 08:00 AM
I always thought IPsec tunnels via port 80. So if I was behind a firewall internally and wanted to allow VPN clients from inside to VPN out, would I need to allow them ports from inside to anywhere outside?
Cheers
08-30-2007 08:37 AM
carl,
You would need to allow them access to wherever they were attempting to vpn to.
I think we're getting off the subject a little. Did you try to enable nat-t in ASDM? Did it solve your problem?