ASA: disable ipsec over udp

hegegabor
Level 1

Hi,

I have a question,

How can I configure the ASA so that VPN users (with the Cisco VPN Client) cannot connect to it with UDP?

Cisco says that by default IPsec over UDP is disabled.

But it is not. I can connect with IPsec over UDP.

I tried the ipsec-udp disable command on the group policy but nothing changed.

What is the solution?

Is it a bug? Or did I forget something?

Please help,

Thank you

Gabor


hegegabor
Level 1

Sorry for my English, I'm pretty tired :)

But I think you know what I want...

(disable the UDP VPN connections)

auraza
Cisco Employee

Gabor:

By default, if there is a UDP device in the middle, ASA will use IPsec over NAT-T, which is UDP 4500, and using the ipsec-udp disable command will not disable that. It will only disable IPSec over UDP over any other port, which is different from NAT-T, though the functionality is essentially the same.

Do you want to use IPSec over TCP instead? If yes, then you could enable that. The document below shows how that can be done. To disable nat-t, you do:

no crypto isakmp nat-t

Please rate if this was helpful
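The distinction drawn above (NAT-T on UDP 4500 is a global ISAKMP setting, while ipsec-udp in the group policy governs only the separate IPsec-over-UDP encapsulation) can be checked mechanically against the show run all output requested in this thread. The following is an added Python example, not code from the thread or from Cisco; the sample config is constructed, and the exact show-run line formats it matches are an assumption.

```python
import re

# Constructed sample modelled on "show run all crypto" / "show run all group-policy"
# output from this thread; the exact line formats are an assumption, not ASA-verified.
SAMPLE_CONFIG = """\
crypto isakmp nat-traversal 20
group-policy DfltGrpPolicy attributes
 ipsec-udp enable
 ipsec-udp-port 10000
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 ipsec-udp disable
"""

NAT_T_ON = re.compile(r"^crypto isakmp nat-t(?:raversal)?(?:\s+\d+)?\s*$")
NAT_T_OFF = re.compile(r"^no crypto isakmp nat-t(?:raversal)?\s*$")
GP_ATTR = re.compile(r"^group-policy (\S+) attributes\s*$")
IPSEC_UDP = re.compile(r"^\s+ipsec-udp (enable|disable)\s*$")

def audit_udp_transports(config: str) -> dict:
    """Return which UDP IPsec paths the running config still permits.
    NAT-T (UDP 4500) is global; "ipsec-udp" is per group policy only.
    """
    nat_t = None          # None = no nat-traversal line seen in this excerpt
    policies = {}         # group-policy name -> "enable" | "disable"
    current = None        # group policy whose attributes block we are in
    for line in config.splitlines():
        if NAT_T_ON.match(line):
            nat_t = True
        elif NAT_T_OFF.match(line):
            nat_t = False
        gp = GP_ATTR.match(line)
        if gp:
            current = gp.group(1)
            continue
        udp = IPSEC_UDP.match(line)
        if udp and current:
            policies[current] = udp.group(1)
        elif line and not line[0].isspace():
            current = None    # an unindented line ends the attributes block
    open_policies = sorted(p for p, s in policies.items() if s == "enable")
    return {
        "nat_t_enabled": nat_t,
        "ipsec_udp": policies,
        "policies_allowing_ipsec_udp": open_policies,
        # disabling ipsec-udp alone is not enough while NAT-T is still on
        "udp_still_allowed": bool(nat_t) or bool(open_policies),
    }
```

Feed it the real show run all output to see whether NAT-T, a group policy, or both are what still lets a client negotiate a UDP transport.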

Hi,

Yes, I want to allow just "IPSec over TCP" in the client for the connection.

But it still does not work.

I tried "no crypto isakmp nat-t" but it does not work.

I set "ipsec-udp disable" on the group policy too, but it did not help (I know this is not what I need).

The user can still connect to the VPN regardless of the transport (I mean whether Transparent Tunneling is enabled or disabled, and whether UDP (NAT/PAT) or TCP is checked) in the Cisco VPN Client.

What is the solution?

Thank you.

Gabor,

Please can you paste the output of the following here:

show run all crypto

show run all group-policy

show run all tunnel-group

In addition to that, please can you attach the profile file from the VPN client as well?

Hi,

All settings are in the attachment.

This is an ASA 5520 device.

The user can connect with this configuration, but I want the user to be able to connect only with this configuration:

[client file]

EnableNat=1

TunnelingMode=1

ty

Gabor

Now it works; it does not let the user use IPsec over UDP, but I changed nothing, which is important.

I think there is some problem with the refreshing.

Now I set "crypto isakmp nat-traversal 20" and it does not let the user use IPsec over UDP (NAT/PAT), but it would have had to...

Gabor
