Easy VPN connection with remote side behind NAT device

nico
Level 1

Hi,

I'm trying to build an Easy VPN connection between two ASA5505s. The initial configuration was simple and the tunnel is up. The problem is that I can't get any packets through. A packet-trace in ASDM on the remote site reports "IPSec spoof detected".

Any ideas?

14 Replies

andrew.prince
Level 10

Can you post your configs for a review - remove sensitive information.

HTH

Hi,

Here's the config of the client-side ASA. It is connected to a LAN behind a NAT device.

I am having trouble getting my hands on the latest running config of the server side. I will post it as soon as possible.

I am new to all this, so I hope you can read the attached config.

Thanks in advance.

That config looks spot on. If there is an issue it might be with the server end. Below is a config example; check yours against it for anything that jumps out:

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a00805c5ad9.shtml

HTH

Hi,

I had already read that article. There are some differences between the config in the example and the server-side running config. Unfortunately I cannot find the exact problem. I will post the server-side running config tomorrow and would appreciate it if you would take a peek at it.

Thanks in advance...

Sure, no problem.

Hello,

As promised, the server-side running config.

Greetz...

Try to issue the following command:

no crypto dynamic-map outside_dyn_map 20 set nat-t-disable

Thanks for your reply.

I changed the server-side config, but still can't ping a machine behind the client ASA.

Have you added RRI (reverse route injection)?

On the server side I have added:

crypto dynamic-map outside_dyn_map 20 set reverse-route

Still no go...

I'm trying to do the same thing you are: Establishing a VPN using the ASA5505 when it is behind a NAT. Did you have to open/forward any ports from the NAT device to the ASA5505 to get the VPN connection working?

If your case is like:

internet---nat device--ASA--internal

and the VPN is on the ASA,

you first need a static NAT or port forward from the NAT device to the ASA.

You need the following ports opened and statically NATed:

ESP

UDP 500

and maybe UDP 4500

to get the tunnel established.

If helpful, rate.

Setup is like:

Lan1 --- ASA1 --- internet --- NAT_device --- ASA2 -- LAN2

The tunnel will be initiated from ASA2 to ASA1; shouldn't the NAT device handle all the NATing dynamically?

Hi,

Can you enable NAT-T globally on both end ASAs and then check?

"isakmp nat-traversal 20 "

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/ike.html#wp1052899

When NAT-T is enabled, the ESP packets (which actually carry the data payload), which get blocked by PAT/NAT, get encapsulated in UDP 4500 packets, and since they now have ports they can easily pass through PAT.

HTH

Saju

Please rate helpful posts.
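To make the NAT-T point above concrete, here is an added example (not code from the thread or from Cisco) that classifies the three kinds of packets an IPsec peer emits and shows why only the UDP-encapsulated ones can cross a PAT device. It decodes the ISAKMP header (RFC 2408) and demultiplexes UDP/4500 payloads the way RFC 3948 describes: a single 0xFF byte is a NAT keepalive, a 4-byte zero "non-ESP marker" precedes IKE, and anything else is ESP-in-UDP. The packets are constructed inline for the example; they are not a real capture from the poster's ASAs.

```python
"""Classify IPsec packets and flag which ones a NAT/PAT device can forward.

Constructed example (not ASA code). Rules used:
  - IP protocol 50 (raw ESP) has no ports, so a PAT device cannot build a
    translation entry for it; only a 1:1 static NAT passes it.
  - UDP 500 is IKE; it has ports and passes PAT.
  - UDP 4500 is NAT-T (RFC 3948): payload is a one-byte keepalive (0xFF),
    IKE behind a 4-byte zero non-ESP marker, or an ESP packet (SPI != 0).
"""
import struct

ESP_PROTO = 50
UDP_PROTO = 17
IKE_PORT = 500
NATT_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
# ISAKMP header: ISPI, RSPI, next payload, version, exchange, flags, msg id, length
ISAKMP_HDR = struct.Struct("!QQBBBBII")


def parse_isakmp_header(data: bytes) -> dict:
    """Decode the 28-byte ISAKMP/IKE header (RFC 2408 s.3.1)."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    ispi, rspi, nxt, ver, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(data)
    return {"kind": "ike", "ispi": ispi, "rspi": rspi, "next_payload": nxt,
            "major": ver >> 4, "minor": ver & 0xF, "exchange": exch,
            "flags": flags, "msg_id": msg_id, "length": length}


def classify_udp4500(payload: bytes) -> dict:
    """Demultiplex a UDP/4500 payload the way an IPsec peer does (RFC 3948)."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload[:4] == NON_ESP_MARKER:          # SPI 0 is reserved, so this is unambiguous
        return parse_isakmp_header(payload[4:])
    if len(payload) < 8:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack_from("!II", payload)
    return {"kind": "esp-in-udp", "spi": spi, "seq": seq}


def classify_packet(proto: int, dport, payload: bytes) -> dict:
    """Return what the packet is and whether a PAT device can forward it."""
    if proto == ESP_PROTO:
        spi, seq = struct.unpack_from("!II", payload)
        return {"kind": "esp", "spi": spi, "seq": seq, "passes_pat": False}
    if proto == UDP_PROTO and dport == IKE_PORT:
        info = parse_isakmp_header(payload)
    elif proto == UDP_PROTO and dport == NATT_PORT:
        info = classify_udp4500(payload)
    else:
        return {"kind": "other", "passes_pat": None}
    info["passes_pat"] = True                  # UDP carries ports, so PAT can map it
    return info


def tunnel_will_pass_pat(packets) -> bool:
    """True when the data plane is UDP-encapsulated (no raw ESP in the sample)."""
    return not any(classify_packet(*p)["kind"] == "esp" for p in packets)


# Constructed sample packets as (proto, dst port, payload); not a real capture.
# Exchange type 4 is aggressive mode; the header-only body is a placeholder.
IKE_AGGRESSIVE = ISAKMP_HDR.pack(0x1122334455667788, 0, 1, 0x10, 4, 0, 0, 28)
RAW_ESP = struct.pack("!II", 0xDEADBEEF, 1) + b"\x00" * 16
SAMPLE_NO_NATT = [(UDP_PROTO, IKE_PORT, IKE_AGGRESSIVE),
                  (ESP_PROTO, None, RAW_ESP)]
SAMPLE_NATT = [(UDP_PROTO, IKE_PORT, IKE_AGGRESSIVE),
               (UDP_PROTO, NATT_PORT, NON_ESP_MARKER + IKE_AGGRESSIVE),
               (UDP_PROTO, NATT_PORT, RAW_ESP),
               (UDP_PROTO, NATT_PORT, NAT_KEEPALIVE)]

if __name__ == "__main__":
    for name, sample in (("without NAT-T", SAMPLE_NO_NATT), ("with NAT-T", SAMPLE_NATT)):
        kinds = [classify_packet(*p)["kind"] for p in sample]
        print(f"{name}: {kinds} -> passes PAT: {tunnel_will_pass_pat(sample)}")
```

The practical reading: if a capture on the NAT device's inside interface shows IP protocol 50 rather than UDP/4500, the peers did not negotiate NAT-T, and a PAT device will drop the data plane even though IKE on UDP/500 completed and the tunnel shows as "up". That matches the symptom in the thread (tunnel up, no traffic). If you deliberately run without NAT-T, the NAT device needs a 1:1 static mapping that also forwards ESP, not just UDP/500.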
