09-26-2008 10:54 AM - edited 03-09-2019 09:34 PM
Hi all. I have configured VPN for users to remotely access two offices. I realised that I could not VPN into officeB from officeA and vice versa. However, I could VPN into officeA and officeB from home. I then added crypto isakmp nat-traversal 20 to my Cisco 5510 firewalls in both offices. After that I could VPN from officeA to officeB and vice versa. I understand that allowing NAT-T solves the conflict that NAT has with IPsec. But I do not understand why it would work from my home without adding NAT-T, since my PC would be behind my home router and would be translated to a public IP.
09-26-2008 11:12 AM
What is the make and model of the router at your home?
09-26-2008 11:56 AM
It is possible that the IPsec passthrough feature is enabled on your home router.
09-27-2008 09:20 AM
The device that you connect through at home is VPN pass-through compliant.
A lot of ADSL router vendors enable the device to understand NAT and IPsec.
HTH
09-29-2008 09:47 AM
Hi. Sorry for the late reply. Yes, my SMC router comes with a built-in VPN pass-through feature. However, my main office, also using an ASA 5510, could access all other offices by using VPN and accessing the remote resources over VPN. The other offices have no problem connecting to one another via VPN but could not access the resources at the other end over the VPN. Hence I believe that VPN pass-through is configured on my main office ASA. Can anyone tell me which statement enables VPN pass-through in the config attached below?
interface Ethernet0/0
nameif outside
security-level 0
ip address 20.11x.x.x 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1x.x 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 192.168.2x.x 255.255.255.0
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit esp any any
access-list inside_access_in extended permit gre any any
access-list inside_access_in extended permit esp any any
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map_1 20 match address outside_cryptomap_dyn_20_1
crypto dynamic-map outside_dyn_map_1 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map_1 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map_1 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map_1 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map_1 60 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map_1 80 match address outside_cryptomap_dyn_80
crypto dynamic-map outside_dyn_map_1 80 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map_1 90 match address outside_cryptomap_dyn_90
crypto dynamic-map outside_dyn_map_1 90 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map_1 65535 ipsec-isakmp dynamic outside_dyn_map_1
crypto map outside_map_1 interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
09-29-2008 10:08 AM
Can you post the configuration of nat (inside) and global (outside), fixup protocol, etc.? Also check that the IP address of the host (from where you do VPN) at your main office is not statically NAT'ed. Static NAT will not block ESP (VPN); it is only PAT which blocks ESP, as the ESP protocol does not have a port.
HTH
Saju
Please rate helpful posts
09-29-2008 10:18 AM
Hi Saju, I have posted the config you requested below. Please note that there is no fixup protocol configured. The config below shows that the IP addresses of hosts are translated to a public IP available from a pool. Hence, is this still considered PAT? Please note that 172.x.x.x are the IPs given to remote hosts trying to VPN into my main office firewall. Thanks in advance.
nat-control
global (outside) 1 20x.1x.x.x-20x.1x.x.x
global (outside) 1 20x.1x.x.x
global (dmz) 1 192.168.x.x
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_outbound_nat0_acl
nat (dmz) 1 0.0.0.0 0.0.0.0
access-list inside_outbound_nat0_acl extended permit ip interface inside 172.x.x.0 255.255.255.240
access-list inside_outbound_nat0_acl extended permit ip any 172.x.x.0 255.255.255.224
access-list dmz_outbound_nat0_acl extended permit ip any 172.19.0.0 255.255.0.0
09-29-2008 10:40 AM
global (outside) 1 20x.1x.x.x-20x.1x.x.x
The above statement means there is one-to-one translation until the pool gets exhausted, and then it goes to PAT.
global (outside) 1 20x.1x.x.x
And if the host from which the VPN client connects is dynamically NAT'ed (one-to-one IP), this will pass the ESP protocol. So although it gets a dynamically assigned IP from the pool, it gets a dedicated IP on which it can send ESP packets (encrypted payload).
The tunnel is built through PAT but no traffic flows across, because IPsec consists of two protocols, ISAKMP and ESP. ISAKMP is UDP 500, hence it can pass through PAT and is responsible for signalling and building the tunnel, but it is ESP which actually carries data and is unable to pass through PAT as it has no ports.
HTH
Saju
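The behaviour Saju describes above, modelled as an added Python example (this is not Cisco code and not part of the thread): a translator that hands out a pool of public addresses one-to-one until the pool is exhausted and then falls back to PAT behind a single address. UDP/500 ISAKMP has ports and survives PAT; raw ESP (IP protocol 50) has no transport header, so the PAT stage has nothing to rewrite or look up and drops it in both directions, while a one-to-one mapping carries it untouched. NAT-T is modelled only as ESP carried inside UDP/4500; the NAT-D discovery payloads, keepalives and the ASA's real NAT ordering are not modelled. All addresses, pool sizes and the client/peer names are constructed for the illustration.

```python
"""Added model of dynamic NAT vs PAT for IPsec traffic (illustration only)."""
from dataclasses import dataclass, replace
from typing import Optional

ESP, UDP = 50, 17                 # IP protocol numbers
ISAKMP_PORT, NAT_T_PORT = 500, 4500


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: Optional[int] = None   # None for protocols without ports (raw ESP)
    dst_port: Optional[int] = None
    nat_t: bool = False              # ESP encapsulated in UDP/4500


class EdgeNat:
    """Pool of addresses used one-to-one, then PAT on pat_ip once exhausted
    (the fallback order the thread attributes to the two global statements)."""

    def __init__(self, pool, pat_ip):
        self.free_pool = list(pool)
        self.pat_ip = pat_ip
        self.one_to_one = {}    # inside ip -> dedicated public ip
        self.pat_table = {}     # (inside ip, proto, src port) -> public port
        self.next_pat_port = 1024

    def translate(self, pkt: Packet) -> Optional[Packet]:
        """Outbound: return the packet as sent on the outside, or None if dropped."""
        if pkt.src_ip in self.one_to_one:
            return replace(pkt, src_ip=self.one_to_one[pkt.src_ip])
        if self.free_pool:
            # Dynamic one-to-one NAT: the whole address is dedicated to this host,
            # so any IP protocol, ports or not, can be forwarded.
            pub = self.free_pool.pop(0)
            self.one_to_one[pkt.src_ip] = pub
            return replace(pkt, src_ip=pub)
        # PAT: many hosts share pat_ip, multiplexed on the transport port.
        if pkt.src_port is None:
            return None   # raw ESP has no port to multiplex on: dropped
        key = (pkt.src_ip, pkt.proto, pkt.src_port)
        if key not in self.pat_table:
            self.pat_table[key] = self.next_pat_port
            self.next_pat_port += 1
        return replace(pkt, src_ip=self.pat_ip, src_port=self.pat_table[key])

    def untranslate(self, pkt: Packet) -> Optional[Packet]:
        """Inbound: map a packet arriving on the outside back to an inside host."""
        for inside, pub in self.one_to_one.items():
            if pub == pkt.dst_ip:
                return replace(pkt, dst_ip=inside)     # dedicated address: no port needed
        if pkt.dst_ip == self.pat_ip and pkt.dst_port is not None:
            for (inside, proto, sport), pub_port in self.pat_table.items():
                if proto == pkt.proto and pub_port == pkt.dst_port:
                    return replace(pkt, dst_ip=inside, dst_port=sport)
        return None   # inbound raw ESP to the PAT address: which host? unknowable


def vpn_session(nat: EdgeNat, client_ip: str, peer_ip: str, nat_t: bool = False) -> dict:
    """Push the two halves of an IPsec session (ISAKMP, then data) through the
    translator, both directions, and report which halves get through."""
    isakmp_out = nat.translate(Packet(client_ip, peer_ip, UDP, ISAKMP_PORT, ISAKMP_PORT))
    if nat_t:
        data_out = nat.translate(Packet(client_ip, peer_ip, UDP, NAT_T_PORT, NAT_T_PORT, nat_t=True))
    else:
        data_out = nat.translate(Packet(client_ip, peer_ip, ESP))
    data_back = None
    if data_out is not None:
        # Peer replies to whatever source address/port it saw.
        reply = Packet(peer_ip, data_out.src_ip, data_out.proto, data_out.dst_port, data_out.src_port, data_out.nat_t)
        data_back = nat.untranslate(reply)
    return {
        "isakmp": isakmp_out is not None,
        "esp_out": data_out is not None,
        "esp_back": data_back is not None and data_back.dst_ip == client_ip,
        "public_ip": isakmp_out.src_ip if isakmp_out else None,
    }


if __name__ == "__main__":
    # Constructed scenario: one pool address, then PAT behind a second address.
    nat = EdgeNat(pool=["203.0.113.10"], pat_ip="203.0.113.11")
    print("first client (gets pool address):", vpn_session(nat, "192.168.1.10", "198.51.100.1"))
    print("second client (pool exhausted, PAT):", vpn_session(nat, "192.168.1.11", "198.51.100.1"))
    print("second client with NAT-T:", vpn_session(nat, "192.168.1.11", "198.51.100.1", nat_t=True))
```

Running it shows the thread's symptom: the first host takes the dedicated pool address and ESP flows both ways; the second host falls into PAT, ISAKMP completes (UDP/500 is translated) but ESP is dropped outbound and could not be delivered inbound either, because the translator has no port on which to distinguish hosts behind the shared address. With NAT-T the same host's ESP rides in UDP/4500 and gets a PAT entry like any other UDP flow, which is why the home router's pass-through (or the ASA's one-to-one pool) hid the problem while office-to-office traffic exposed it.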