How to force ASA to use udp/4500 all the time?

Unanswered Question
Apr 26th, 2009

Hi all,

I just want to know how to force the ASA to use udp/4500 for phase II of the IPSec VPN all the time. How do I disable the Automatic NAT Detection feature?

Toshi

thotsaphon Mon, 04/27/2009 - 04:28

Jorge,

Thanks for that. What happens when we do the following steps:

Step 1. Clients are configured to use the transparent tunneling feature (IPSec over UDP).

Step 2. The ASA has been configured with the "crypto isakmp nat-traversal 20" command.

Step 3. There is no NAT device between the clients and the ASA.

Well, the ASA will say "Automatic NAT Detection Status: The remote end is behind a NAT device, This end is not behind a NAT device". Why?

I thought that would be:

The remote end is behind a NAT device, because of Step 1.

This end is not behind a NAT device, because of the Automatic NAT Detection feature.

The result is "Clients can't connect and Phase-I won't complete".

When we change Step 3 to be as follows:

Step 3. There is a NAT device between the clients and the ASA.

Everything will work as expected. UDP/500 and UDP/4500 will be used.

Have you ever seen this? However thanks for getting involved in this thread. 5P! anyway (grin)

Toshi

JORGE RODRIGUEZ Mon, 04/27/2009 - 12:58

The ASA will say "Automatic NAT Detection Status: The remote end is behind a NAT device, This end is not behind a NAT device". Why?

Hi Toshi, I'm not sure I quite understand part of your steps; I had to read it a couple of times :)

The message is simply the result of the ASA's nat-traversal feature detecting a NAT device; it is not necessarily the client itself that is behind a NAT device, there may be a NAT device along the path that is auto-detected by the ASA NAT-T feature.

When we change Step 3 to be as follows:

Step 3. There is a NAT device between the clients and the ASA.

Everything will work as expected. UDP/500 and UDP/4500 will be used.

This is what is expected; it works because there must be a NAT device along the path that you are not aware of, perhaps an ISP NAT router.

Regards

thotsaphon Mon, 04/27/2009 - 18:43

Jorge,

What I'm concerned about is that the ASA will use the "Automatic NAT Detection" feature.

it is not necessarily the client itself that is behind a NAT device, there may be a NAT device along the path that is auto-detected by the ASA NAT-T feature.

Sometimes you are not behind a NAT device. You may think you are NATted (static) at only one device and then connect to the ASA (public IP). This will be a problem if we configured the VPN profile at the client to use IPSec over UDP, because the ASA will generate that error. It will tell you that you are behind a NAT device. Actually you are not, but the VPN profile tries to tell it that way.

The solution is that you have to disable the transparent tunneling feature on the VPN profile at the client. This will get rid of the confusion when automatic NAT detection is checking the packets.

Toshi
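The "Automatic NAT Detection Status" line that the thread argues about comes from the NAT-D payload exchange of RFC 3947: each IKE peer sends a hash of the cookies plus the address and port it believes the other side has, and a hash of its own address and port; the receiver recomputes both against what it actually sees on the wire, and a mismatch means a translator sits somewhere on the path. The script below is an added illustration of that comparison and of the resulting move from udp/500 to udp/4500; it is not Cisco code and does not model the client's transparent-tunneling option. All addresses, ports and cookies are constructed sample values, and SHA-1 stands in for whatever hash the IKE proposal negotiated.

```python
import hashlib
import ipaddress
import struct

# Constructed 8-byte ISAKMP cookies; RFC 3947 feeds CKY-I and CKY-R into every NAT-D hash.
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")

# Constructed topology: client, optional NAT box, and the ASA's public address.
ASA_IP, ASA_PORT = "198.51.100.1", 500
CLIENT_PRIVATE = ("192.168.1.10", 500)   # client address before a NAT rewrite
CLIENT_PUBLIC = ("203.0.113.5", 500)     # address the client has when no NAT is present
NAT_REWRITTEN = ("203.0.113.5", 4000)    # what a PAT box turns CLIENT_PRIVATE into


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo: str = "sha1") -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port), IP packed in network order, port as 2 bytes."""
    ip_bytes = ipaddress.ip_address(ip).packed
    return hashlib.new(algo, cky_i + cky_r + ip_bytes + struct.pack("!H", port)).digest()


def build_nat_d(local_ip: str, local_port: int, peer_ip: str, peer_port: int) -> dict:
    """The two NAT-D hashes a peer sends: its view of the destination, then its view of its own source."""
    return {
        "dst": nat_d_hash(CKY_I, CKY_R, peer_ip, peer_port),
        "src": nat_d_hash(CKY_I, CKY_R, local_ip, local_port),
    }


def detect_nat(received: dict, observed_src_ip: str, observed_src_port: int,
               my_ip: str, my_port: int) -> tuple:
    """Recompute both hashes from the receiver's viewpoint.

    Returns (remote_behind_nat, this_end_behind_nat), the two halves of the ASA status line.
    """
    # If the sender's own-address hash does not match the packet's real source, the sender was translated.
    remote_behind_nat = received["src"] != nat_d_hash(CKY_I, CKY_R, observed_src_ip, observed_src_port)
    # If the sender's view of us does not match our own address, we are the one behind a translator.
    this_end_behind_nat = received["dst"] != nat_d_hash(CKY_I, CKY_R, my_ip, my_port)
    return remote_behind_nat, this_end_behind_nat


def choose_port(remote_behind_nat: bool, this_end_behind_nat: bool) -> int:
    """RFC 3947 keeps IKE and ESP on udp/500 unless NAT was detected on either side, then floats to udp/4500."""
    return 4500 if (remote_behind_nat or this_end_behind_nat) else 500


def simulate(nat_between: bool) -> tuple:
    """Run one NAT-D exchange from the client to the ASA, with or without a NAT box on the path.

    Returns (remote_behind_nat, this_end_behind_nat, port_used).
    """
    if nat_between:
        local, on_wire = CLIENT_PRIVATE, NAT_REWRITTEN   # client hashes its private address; NAT rewrites the packet
    else:
        local, on_wire = CLIENT_PUBLIC, CLIENT_PUBLIC    # nothing changes the packet in flight
    payload = build_nat_d(local[0], local[1], ASA_IP, ASA_PORT)
    remote_nat, this_nat = detect_nat(payload, on_wire[0], on_wire[1], ASA_IP, ASA_PORT)
    return remote_nat, this_nat, choose_port(remote_nat, this_nat)


def status_line(remote_behind_nat: bool, this_end_behind_nat: bool) -> str:
    """Render the result in the wording the ASA uses."""
    remote = "is" if remote_behind_nat else "is not"
    local = "is" if this_end_behind_nat else "is not"
    return (f"Automatic NAT Detection Status: The remote end {remote} behind a NAT device, "
            f"This end {local} behind a NAT device")


if __name__ == "__main__":
    for nat_between in (False, True):
        remote_nat, this_nat, port = simulate(nat_between)
        print(f"NAT on path: {nat_between}")
        print("  " + status_line(remote_nat, this_nat))
        print(f"  IKE/ESP will continue on udp/{port}")
```

The detection is purely a hash comparison, which is why the ASA's verdict depends on what reached it and not on what the client thinks its situation is: anything on the path that rewrites the source address or port (an ISP NAT router, as suggested in the thread, or a middlebox of any kind) makes the "src" hash fail and produces "The remote end is behind a NAT device". Conversely, if nothing rewrites the packets there is no mismatch and the session stays on udp/500, so the only way to get udp/4500 every time with plain NAT-T is for a translation to actually be seen.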
