How to force ASA to use udp/4500 all the time?

Hi all,

I just want to know how to force the ASA to use udp/4500 for phase II of the IPSec VPN all the time. How do I disable the Automatic NAT Detection feature?

Toshi

4 Replies

JORGE RODRIGUEZ
Level 10

Toshi, here is how to:

PIX/ASA 7.1 and earlier

pix(config)#isakmp nat-traversal 20

PIX/ASA 7.2(1) and later

securityappliance(config)#crypto isakmp nat-traversal 20

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution1

Regards

Jorge Rodriguez

Jorge,

Thanks for that. What happens when we do the following steps:

Step 1. Clients are configured to use the transparent tunneling feature (IPSec over UDP).

Step 2. The ASA has been configured with the "crypto isakmp nat-traversal 20" command.

Step 3. There is no NAT device between the clients and the ASA.

Well, the ASA will say "Automatic NAT Detection Status: The remote end is behind a NAT device, This end is not behind a NAT device". Why?

I thought that would be:

The remote end is behind a NAT device, because of Step 1.

This end is not behind a NAT device, because of the Automatic NAT Detection feature.

The result is "Clients can't connect and Phase I won't complete".

When we changed Step 3 to be as follows:

Step 3. There is a NAT device between the clients and the ASA.

Everything works as expected. UDP/500 and UDP/4500 are used.

Have you ever seen this? Anyway, thanks for getting involved in this thread. 5P! (grin)

Toshi

The ASA will say "Automatic NAT Detection Status: The remote end is behind a NAT device, This end is not behind a NAT device". Why?

Hi Toshi, I'm not sure I quite understand part of your steps; I had to read them a couple of times :)

The message is simply the result of the nat-traversal feature of the ASA detecting a NAT device. Not necessarily: even if the client is not behind a NAT device, there may be a NAT device along the path that is auto-detected by the ASA NAT-T feature.

When we changed Step 3 to be as follows:

Step 3. There is a NAT device between the clients and the ASA.

Everything works as expected. UDP/500 and UDP/4500 are used.

This is what is expected. It works because there must be a NAT device along the path that you are not aware of, perhaps an ISP NAT router.

Regards

Jorge Rodriguez
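The "Automatic NAT Detection Status" line Jorge refers to is the outcome of the IKEv1 NAT-Traversal NAT-D exchange (RFC 3947): each side sends hashes of the addresses and ports it believes are in use, and the receiver compares them with what it actually sees on the wire. The following is an added example written for this page, not code from the thread or from Cisco; it assumes the ASA performs the RFC 3947 NAT-D comparison when "crypto isakmp nat-traversal" is enabled. The cookies, addresses and the two scenarios (client with and without a NAT in the path) are constructed for illustration.

```python
"""RFC 3947 NAT-D detection, modelled on the ASA status message in this thread.

Added example (editor's code, not Cisco's). Assumes the ASA follows RFC 3947:
the sender emits one NAT-D hash for the peer's address first, then one per local
address; the receiver recomputes the hashes from the addresses it sees.
"""
import hashlib
import ipaddress
import struct

# Constructed ISAKMP cookies for the sample exchange (any 8-byte values work).
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo: str = "sha1") -> bytes:
    # RFC 3947 section 3.2: HASH = hash(CKY-I | CKY-R | IP | Port),
    # IP and Port in network byte order, hash = negotiated phase-1 hash (sha1 here).
    h = hashlib.new(algo)
    h.update(cky_i)
    h.update(cky_r)
    h.update(ipaddress.ip_address(ip).packed)
    h.update(struct.pack("!H", port))
    return h.digest()


def build_nat_d_payloads(cky_i, cky_r, local_ip, local_port, remote_ip, remote_port):
    # Sender side: first payload covers the REMOTE address/port as the sender
    # sees it, followed by one payload per LOCAL address/port.
    return [
        nat_d_hash(cky_i, cky_r, remote_ip, remote_port),
        nat_d_hash(cky_i, cky_r, local_ip, local_port),
    ]


def detect_nat(cky_i, cky_r, received, my_ip, my_port, peer_ip_seen, peer_port_seen):
    """Receiver side. Returns (remote_behind_nat, this_end_behind_nat)."""
    # First hash was computed over MY address as the peer sees it. If it differs
    # from my real address/port, something rewrote my address: this end is NATted.
    this_end = received[0] != nat_d_hash(cky_i, cky_r, my_ip, my_port)
    # Remaining hashes cover the peer's own addresses. If none matches the source
    # the packet actually arrived from, the peer's address was rewritten: remote NATted.
    seen = nat_d_hash(cky_i, cky_r, peer_ip_seen, peer_port_seen)
    remote = seen not in received[1:]
    return remote, this_end


def status_message(remote_behind_nat: bool, this_end_behind_nat: bool) -> str:
    # Same wording the ASA uses in the thread.
    remote = "is" if remote_behind_nat else "is not"
    local = "is" if this_end_behind_nat else "is not"
    return (f"Automatic NAT Detection Status: The remote end {remote} behind a NAT device, "
            f"This end {local} behind a NAT device")


def scenario(nat_in_path: bool):
    """Client 192.168.1.10 talks to ASA 203.0.113.1 (constructed addresses).

    With nat_in_path=True the ASA sees the client as 198.51.100.5:12345
    (a NAT, e.g. an ISP router, rewrote the source); otherwise it sees the
    client's real address. Returns the detection result the ASA would compute.
    """
    client_ip, client_port = "192.168.1.10", 500
    asa_ip, asa_port = "203.0.113.1", 500
    # The client hashes the addresses it knows about (no NAT visible to it).
    payloads = build_nat_d_payloads(CKY_I, CKY_R, client_ip, client_port, asa_ip, asa_port)
    if nat_in_path:
        peer_ip_seen, peer_port_seen = "198.51.100.5", 12345
    else:
        peer_ip_seen, peer_port_seen = client_ip, client_port
    return detect_nat(CKY_I, CKY_R, payloads, asa_ip, asa_port, peer_ip_seen, peer_port_seen)


if __name__ == "__main__":
    for nat in (False, True):
        print(f"NAT in path: {nat} -> {status_message(*scenario(nat))}")
```

The comparison only sees addresses and ports, so any rewrite between the client and the ASA, including one the client operator is unaware of, produces "The remote end is behind a NAT device", which is the point Jorge makes above; the client's own profile settings do not feed into this check.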

Jorge,

What I'm concerned about is that the ASA will use the "Automatic NAT Detection" feature.

Not necessarily: even if the client is not behind a NAT device, there may be a NAT device along the path that is auto-detected by the ASA NAT-T feature.

Sometimes you are not behind a NAT device. You may think you are NATted (static) at only one device and then connect to the ASA (public IP). This will be a problem if we configured the VPN profile at the client to use IPSec over UDP, because the ASA will generate that error. It will tell you that you are behind a NAT device. Actually you are not, but the VPN profile tries to tell it that way.

The solution is that you have to disable the transparent tunneling feature in the VPN profile at the client. This will get rid of the confusing things when automatic NAT detection is checking the packets.

Toshi
