04-26-2009 05:36 AM - edited 03-11-2019 08:23 AM
Hi all,
I just want to know how to force the ASA to use udp/4500 for phase II of the IPSec VPN all the time. How do I disable the Automatic NAT Detection feature?
Toshi
04-26-2009 10:45 PM
Toshi, here is how to:
PIX/ASA 7.1 and earlier
pix(config)#isakmp nat-traversal 20
PIX/ASA 7.2(1) and later
securityappliance(config)#crypto isakmp nat-traversal 20
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution1
Regards
04-27-2009 04:28 AM
Jorge,
Thanks for that. What happens when we do the following steps:
Step 1. Clients configured to use the transparent tunneling feature (IPSec over UDP).
Step 2. ASA has been configured with the "crypto isakmp nat-traversal 20" command.
Step 3. There is no NAT device between clients and ASA.
Well, ASA will say that "Automatic NAT Detection Status: The remote end is behind a NAT device, This end is not behind a NAT device". Why?
I thought that would be:
The remote end is behind a NAT device, because of Step 1.
This end is not behind a NAT device, because of the Automatic NAT Detection feature.
The result is "Clients can't connect and Phase-I won't complete".
When we changed Step 3 to be as follows:
Step 3. There is a NAT device between clients and ASA.
Everything will work as expected. UDP/500 and UDP/4500 will be used.
Have you ever seen this? However, thanks for getting involved in this thread. 5P! anyway (grin)
Toshi
04-27-2009 12:58 PM
ASA will say that "Automatic NAT Detection Status: The remote end is behind a NAT device, This end is not behind a NAT device". Why?
Hi Toshi, I'm not sure I quite understand part of your steps, had to read it a couple of times :)
The message is simply the result of the nat-traversal feature of the ASA detecting a NAT device. Not necessarily: even if the client is not behind a NAT device, there may be a NAT device along the path that is auto-detected by the ASA NAT-T feature.
When we changed Step 3 to be as follows:
Step 3. There is a NAT device between clients and ASA.
Everything will work as expected. UDP/500 and UDP/4500 will be used.
This is what is expected; it works because there must be a NAT device along the path that you are not aware of, perhaps an ISP NAT router.
Regards
04-27-2009 06:43 PM
Jorge,
What I'm concerned about is that the ASA will use the "Automatic NAT Detection" feature.
Not necessarily: even if the client is not behind a NAT device, there may be a NAT device along the path that is auto-detected by the ASA NAT-T feature.
Sometimes you are not behind the NAT device. You may think you are NATted (static) at only one device and then connect to the ASA (public IP). This will be a problem if we configured the VPN profile at the client to use IPSec over UDP, because the ASA will generate that error. It will tell you that you are behind the NAT device. Actually you are not, but the VPN profile tries to tell it that way.
The solution is that you have to disable the transparent tunneling feature on the VPN profile at the client. This will get rid of the confusing things when automatic NAT detection is checking the packets.
Toshi
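To make the "Automatic NAT Detection" that this thread keeps coming back to concrete, here is an added example (it is not from the thread and not Cisco code) of the NAT-D comparison an IKEv1 responder performs per RFC 3947: each side hashes the addresses it believes the exchange uses, and a mismatch with what actually arrived on the wire means a NAT rewrote the packet on that side. It assumes SHA-1 as the negotiated ISAKMP hash, uses constructed cookies and documentation addresses, and models the generic mechanism only, not the ASA's exact implementation or the proprietary IPSec-over-UDP encapsulation.

```python
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """Body of an IKEv1 NAT-D payload (RFC 3947 section 3.2):
    HASH(CKY-I | CKY-R | IP | Port), IP and port in network byte order.
    SHA-1 is assumed here as the negotiated ISAKMP hash algorithm."""
    data = (cky_i + cky_r
            + ipaddress.ip_address(ip).packed
            + struct.pack("!H", port))
    return hashlib.sha1(data).digest()


def client_nat_d_payloads(cky_i, cky_r, peer_ip, peer_port, own_ip, own_port):
    """What the initiator puts on the wire: first the hash of the address it
    is sending TO (the responder), then the hash of its OWN address as it
    sees it locally."""
    dst_hash = nat_d_hash(cky_i, cky_r, peer_ip, peer_port)
    src_hashes = [nat_d_hash(cky_i, cky_r, own_ip, own_port)]
    return dst_hash, src_hashes


def responder_detect_nat(cky_i, cky_r, local_ip, local_port,
                         src_ip_seen, src_port_seen, dst_hash, src_hashes):
    """Responder-side check. Returns (this_end_behind_nat, remote_behind_nat).
    local_ip/local_port: the responder's own interface address.
    src_ip_seen/src_port_seen: outer source of the UDP datagram as received."""
    # If the peer's hash of "where I sent this" differs from our own address,
    # something translated OUR address on the way in.
    this_end_behind_nat = dst_hash != nat_d_hash(cky_i, cky_r, local_ip, local_port)
    # If the observed source does not match any address the peer claims to
    # have, something translated the PEER's address.
    observed = nat_d_hash(cky_i, cky_r, src_ip_seen, src_port_seen)
    remote_behind_nat = observed not in src_hashes
    return this_end_behind_nat, remote_behind_nat


def status_message(flags):
    """Render the result in the wording the thread quotes from the ASA."""
    this_end, remote = flags
    remote_txt = "The remote end is behind a NAT device" if remote \
        else "The remote end is not behind a NAT device"
    this_txt = "This end is behind a NAT device" if this_end \
        else "This end is not behind a NAT device"
    return f"Automatic NAT Detection Status: {remote_txt}, {this_txt}"


# Constructed ISAKMP cookies (8 bytes each) and documentation addresses.
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("1112131415161718")
ASA_IP, ASA_PORT = "198.51.100.1", 500


def scenario_no_nat():
    client_ip, client_port = "203.0.113.10", 500
    dst_h, src_hs = client_nat_d_payloads(CKY_I, CKY_R, ASA_IP, ASA_PORT,
                                          client_ip, client_port)
    # No translation: the datagram arrives with the client's real address.
    return responder_detect_nat(CKY_I, CKY_R, ASA_IP, ASA_PORT,
                                client_ip, client_port, dst_h, src_hs)


def scenario_client_behind_nat():
    dst_h, src_hs = client_nat_d_payloads(CKY_I, CKY_R, ASA_IP, ASA_PORT,
                                          "192.168.1.20", 500)
    # A NAT device rewrites the outer source to its public address and port.
    return responder_detect_nat(CKY_I, CKY_R, ASA_IP, ASA_PORT,
                                "203.0.113.77", 40000, dst_h, src_hs)


def scenario_asa_behind_nat():
    # The client sends to the ASA's public (translated) address, but the
    # ASA's own outside interface holds a private address.
    dst_h, src_hs = client_nat_d_payloads(CKY_I, CKY_R, ASA_IP, ASA_PORT,
                                          "203.0.113.10", 500)
    return responder_detect_nat(CKY_I, CKY_R, "10.0.0.2", 500,
                                "203.0.113.10", 500, dst_h, src_hs)


if __name__ == "__main__":
    for name, fn in (("no NAT", scenario_no_nat),
                     ("client behind NAT", scenario_client_behind_nat),
                     ("ASA behind NAT", scenario_asa_behind_nat)):
        print(f"{name:18s} -> {status_message(fn())}")
```

The point for the thread: the responder never trusts what the client's profile says about NAT; it compares hashes of the addresses each side believes it is using against the outer header of the packet that actually arrived, so a translation anywhere on the path (including an ISP router nobody configured) shows up as "the remote end is behind a NAT device".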