nat traversal

donnie · ‎09-26-2008

Hi all. I have configured vpn for users to remote access to 2 offices. I realised that when i could not vpn into officeB from officeA and vise versa.However i could vpn into officeA and officeB from home. I then added crypto isakmp nat-traversal 20 to both my cisco5510 firewall in both offices. After that i could vpn from officeA to officeB and vise versa. I understand that by allowing nat-t it solves the conflict that nat has with ipsec. But i do not understand why it would work from my home without adding nat-t since my pc would be behind my home router and would be translated to a public ip.

singhsaju · ‎09-26-2008

what is the make and model of router at your home?

singhsaju · ‎09-26-2008

It is possible that Ipsec passthrough feature is enabled on your home router.

andrew.prince · ‎09-27-2008

The device that you connect thru at home has is vpn pass-thru compliant.

Alot of ADSL router vendors enable the device to understand NAT and IPSEC.

HTH>

donnie · ‎09-29-2008

Hi. Sorry for late reply. Yes my smc router comes with build in vpn pass thru feature. However my main office also using asa5510 could access all other offices, by using vpn and accessing the remote resource over vpn. The other offices have no problem connecting to one another via vpn but could not access the resource of the other end over vpn. Hence i believe that vpn pass thru is configured on my main office asa. Can anyone tell me which is the statement that enables vpn pass through as attached below?

interface Ethernet0/0

nameif outside

security-level 0

ip address 20.11x.x.x 255.255.255.0

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.1x.x 255.255.255.0

!

interface Ethernet0/2

nameif dmz

security-level 50

ip address 192.168.2x.x 255.255.255.0

access-list outside_access_in extended permit gre any any

access-list outside_access_in extended permit esp any any

access-list inside_access_in extended permit gre any any

access-list inside_access_in extended permit esp any any

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5

crypto dynamic-map outside_dyn_map_1 20 match address outside_cryptomap_dyn_20_1

crypto dynamic-map outside_dyn_map_1 20 set transform-set ESP-3DES-MD5

crypto dynamic-map outside_dyn_map_1 40 match address outside_cryptomap_dyn_40

crypto dynamic-map outside_dyn_map_1 40 set transform-set ESP-3DES-MD5

crypto dynamic-map outside_dyn_map_1 60 match address outside_cryptomap_dyn_60

crypto dynamic-map outside_dyn_map_1 60 set transform-set ESP-3DES-MD5

crypto dynamic-map outside_dyn_map_1 80 match address outside_cryptomap_dyn_80

crypto dynamic-map outside_dyn_map_1 80 set transform-set ESP-3DES-MD5

crypto dynamic-map outside_dyn_map_1 90 match address outside_cryptomap_dyn_90

crypto dynamic-map outside_dyn_map_1 90 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map_1 65535 ipsec-isakmp dynamic outside_dyn_map_1

crypto map outside_map_1 interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption des

hash md5

group 2

lifetime 86400

crypto isakmp policy 50

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp nat-traversal 20

singhsaju · ‎09-29-2008

Can you post configuration of nat(inside) and global (outside), fixup protocol etc also check if the ip address of the host(from where you do VPN) at your main office is not statically NAT'ed. Static NAT will not block ESP(VPN) , it is only PAT which blocks the ESP as esp protocol do not have a port.

HTH

Saju

Pls rate helpful posts

donnie · ‎09-29-2008

Hi Saju, I have posted the config u requested as below. Pls note that there is no fixup protocol configured. The below config shows that ip address of hosts are translated to a public ip available from a pool. Hence is this still consider PAT? Pls note 172.x.x.x are IPs given to remote host trying to vpn in my main office firewall. Thks in advance.

nat-control

global (outside) 1 20x.1x.x.x-20x.1x.x.x

global (outside) 1 20x.1x.x.x

global (dmz) 1 192.168.x.x

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0

nat (dmz) 0 access-list dmz_outbound_nat0_acl

nat (dmz) 1 0.0.0.0 0.0.0.0

access-list inside_outbound_nat0_acl extended permit ip interface inside 172.x.x.0 255.255.255.240

access-list inside_outbound_nat0_acl extended permit ip any 172.x.x.0 255.255.255.224

access-list dmz_outbound_nat0_acl extended permit ip any 172.19.0.0 255.255.0.0

singhsaju · ‎09-29-2008

global (outside) 1 20x.1x.x.x-20x.1x.x.x

The above statement means there is one to one translation until it gets exhausted and then it goes to PAT.

global (outside) 1 20x.1x.x.x

, and if the host from where vpn client is connected is Dynamically NAt'ed (one to one ip) , this will pass ESP protocol. So it gets although dynamically assigned ip from pool but it gets a dedicated ip on which it can send esp packets (encryption payload).

The tunnel is built through PAT but no traffic flows across because the Ipsec consists of two protcocols Isakmp and Esp. Isakmp is udp 500 hence can pass through PAT and is responsible for signalling , building of tunnel but it is ESP which actually carries data and is unable to passthrough PAT as it has no ports.

HTH

Saju