Cisco VPN client with ASA behind Router

Mar 17th, 2009

Hi all,

here is my scenario:

Cisco VPNClient--> INET --> Cisco 877 -->ASA 5520.

And I can't connect to the ASA.

I made a test with this scenario:

Cisco VPNClient --> ASA 5520, and the VPN works.

I think the problem is on the router. What ports must I open? (or what additional config?)

thanks in advance

veljko.tasic Tue, 03/17/2009 - 11:49

Hi,

How is the ASA NATed through the router? How many public IPs do you have?

If there is only one public IP, then you should do port mapping and map UDP ports 500 and 4500 from the ASA to the public IP. If there is more than one public IP, then you can do one-to-one NAT, and it should work if there are no access-lists.

OK?

carlosjlopez Wed, 03/18/2009 - 02:36

Hi tasic,

I only have one public IP, and I map UDP ports 500 and 4500 to the ASA from the router:

ip nat inside source static udp 1XX.XX.XX.1 500 interface ATM0.1 500
ip nat inside source static udp 1XX.XX.XX.1 4500 interface ATM0.1 4500

(where 1XX.XX.XX.1 is ASA IP)

but nothing happens; it says:

Reason 412: The remote peer is no longer responding

veljko.tasic Wed, 03/18/2009 - 03:29

Do you have an access-list on the router's outside interface?

You should add to the ASA:

crypto isakmp nat-traversal 20

After that you should start troubleshooting to see what is happening. That is the maximum from my side without configs.

carlosjlopez Tue, 03/24/2009 - 03:45

Hi again

I tried with crypto isakmp nat-traversal 20 but nothing happens. I think that my problem is on the router side.

here is my router config:

on my ATM interface:

ip nat inside

and my nat rules are:

ip nat inside source static udp X.X.20.1 500 interface ATM0.1 500
ip nat inside source static udp X.X.20.1 4500 interface ATM0.1 4500
ip nat inside source static udp X.X.20.1 10000 interface ATM0.1 10000
ip nat inside source static udp X.X.20.1 62515 interface ATM0.1 62515
ip nat inside source static tcp X.X.20.1 10000 interface ATM0.1 10000
ip nat inside source static esp X.X.20.1 interface ATM0.1

where X.X.20.1 is my ASA

or maybe my problem is in the Cisco VPN Client configuration:

I selected in the Transport tab:

Enable Transparent tunneling and IPSEC over UDP
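As an added example that is not part of this thread, the following Python script parses the router's static NAT statements posted above and checks the point made in veljko.tasic's first reply: with a single public IP, UDP 500 (ISAKMP) and UDP 4500 (IPsec NAT-T) must both be mapped, on the same ports, to the ASA's inside address. It also lists any other mappings to the ASA so you can see what NAT-T does not need, and notes that a static ESP map is redundant once UDP 4500 is forwarded. The config string is the poster's own lines used as constructed sample input; the ASA address X.X.20.1 is kept as written in the post, and the function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the static NAT lines posted in the thread.
# X.X.20.1 is the ASA's inside address as written by the poster.
ROUTER_CONFIG = """\
ip nat inside source static udp X.X.20.1 500 interface ATM0.1 500
ip nat inside source static udp X.X.20.1 4500 interface ATM0.1 4500
ip nat inside source static udp X.X.20.1 10000 interface ATM0.1 10000
ip nat inside source static udp X.X.20.1 62515 interface ATM0.1 62515
ip nat inside source static tcp X.X.20.1 10000 interface ATM0.1 10000
ip nat inside source static esp X.X.20.1 interface ATM0.1
"""

# A NAT-T capable IKE/IPsec peer behind a single-public-IP router needs
# ISAKMP on UDP/500 and NAT traversal on UDP/4500 forwarded to it.
REQUIRED = {("udp", 500), ("udp", 4500)}

_PORT_RE = re.compile(
    r"^ip nat inside source static (?P<proto>tcp|udp) (?P<inside>\S+) (?P<iport>\d+)"
    r" interface (?P<ifname>\S+) (?P<oport>\d+)\s*$"
)
_ESP_RE = re.compile(
    r"^ip nat inside source static esp (?P<inside>\S+) interface (?P<ifname>\S+)\s*$"
)


@dataclass(frozen=True)
class StaticMap:
    proto: str
    inside: str
    inside_port: Optional[int]   # None for protocol-level (ESP) maps
    ifname: str
    outside_port: Optional[int]  # None for protocol-level (ESP) maps


def parse_static_nat(config: str) -> List[StaticMap]:
    """Parse 'ip nat inside source static ...' port and ESP maps.
    Any other line (interface config, non-static NAT, comments) is ignored."""
    maps: List[StaticMap] = []
    for raw in config.splitlines():
        line = raw.strip()
        m = _PORT_RE.match(line)
        if m:
            maps.append(StaticMap(m["proto"], m["inside"], int(m["iport"]),
                                  m["ifname"], int(m["oport"])))
            continue
        m = _ESP_RE.match(line)
        if m:
            maps.append(StaticMap("esp", m["inside"], None, m["ifname"], None))
    return maps


def check_vpn_forwarding(config: str, asa_ip: str) -> dict:
    """Report which required maps exist for asa_ip, which are missing, and
    anything else mapped to it. Only same-port maps (inside == outside port)
    satisfy a requirement: IKE and NAT-T expect the well-known ports."""
    present = set()
    extra: List[StaticMap] = []
    for s in parse_static_nat(config):
        if s.inside != asa_ip:
            continue  # maps for other hosts are not this peer's concern
        key: Tuple[str, Optional[int]] = (s.proto, s.outside_port)
        if key in REQUIRED and s.inside_port == s.outside_port:
            present.add(key)
        else:
            extra.append(s)
    missing = REQUIRED - present
    # With UDP/4500 forwarded, ESP is carried inside UDP, so a raw ESP map is unused.
    esp_redundant = ("udp", 4500) in present and any(s.proto == "esp" for s in extra)
    return {
        "ok": not missing,
        "present": sorted(present),
        "missing": sorted(missing),
        "extra": extra,
        "esp_redundant": esp_redundant,
    }


if __name__ == "__main__":
    report = check_vpn_forwarding(ROUTER_CONFIG, "X.X.20.1")
    print("required maps ok:", report["ok"])
    print("missing:", report["missing"])
    for s in report["extra"]:
        print("not needed for NAT-T:", s)
    if report["esp_redundant"]:
        print("static ESP map is redundant once UDP/4500 is forwarded")
```

The checker only inspects the NAT statements; it says nothing about an access-list on the router's outside interface, which the second reply asks about, nor about whether the ASA itself has NAT-T enabled. Both still have to be verified on the devices.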
