Allow 3 users to use Cisco VPN client behind ASA to external source?

Unanswered Question
Nov 26th, 2009

Hello,

I have an ASA 5520 (8.0.4) and need 3 internal users to be able to use their Cisco VPN clients to an external source. It seems one can connect but the other 2 can't.

I created an access list that included their local IPs and opened ports TCP/10000, UDP/4500 and UDP/500.

We use 1 global IP for outbound connections, could this be a NAT issue as they all use the same external IP (outside of ASA)?

If so, I think we have a couple of spare external IPs.

Patrick0711 Thu, 11/26/2009 - 06:57

I see you opened UDP 500 and UDP 4500, however, did you enable NAT traversal on the firewall?  If you're using IPSEC over TCP, you'll need to specify that in the firewall running configuration as well:

isakmp nat-traversal

isakmp ipsec-over-tcp port 10000

Are you saying only 1 user can connect at a time or only a single user is able to connect?

I've seen numerous occasions where multiple internal users are able to initiate a VPN connection from a single PAT IP so this should not be an issue.

Andy White Thu, 11/26/2009 - 07:34

Well, only one could connect earlier, and now all 3 can, seems to be intermittent. Here is what I have under the IPsec > IKE Parameters section in the ASDM:

nat.JPG

Kent Heide Thu, 11/26/2009 - 11:15

AFAIK those are for the VPNs themselves and not for VPNs traversing the firewall. Those features are what you would enable on the VPN server/hub. (Should be enabled regardless).

Have you opened up ESP/AH in your access-list ? You need it for phase2.

Andy White Thu, 11/26/2009 - 13:55

I've searched the ASA config and I can't find:

isakmp nat-traversal

isakmp ipsec-over-tcp port 10000

I don't understand nat-traversal, but have just read http://en.wikipedia.org/wiki/NAT_traversal and it seems to me that I do need those commands added for these internal users to be able to use their VPN clients outbound. Like most firewalls, ours NATs (well, PATs) outbound user traffic, and it says NAT can break the "end to end" connectivity for IPSec VPNs, as I suppose traffic on the way back to the outside of the ASA gets lost on where to find the inside host??

Somehow nat-traversal can help, but I don't have Encapsulating Security Payload (ESP) open. Is this outbound, and what port number is this?

Patrick0711 Thu, 11/26/2009 - 14:00

It's a good idea to have all of the following ports opened:

UDP 500 (ISAKMP)

IP Protocol 50 (ESP)

UDP 4500 (ESP NAT-T)

TCP 10000 (TCP over IPSEC)

NAT Traversal MUST be enabled since a traditional ESP packet cannot traverse a PAT environment since there's no UDP/TCP port number.  NAT-Traversal or TCP over IPSEC appends a TCP or UDP packet after the IP header and before the ESP header to allow the firewall to read the port number to successfully PAT the traffic outbound.

Don't bother opening AH...it's not necessary for a client VPN connection.
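The following is an added illustration, not configuration posted by anyone in this thread, of what the access list Patrick0711 describes would look like on an ASA 8.0.x. The host addresses, the remote VPN gateway address (203.0.113.10), the object-group name and the ACL name are all constructed placeholders; the example also assumes the ACL is applied inbound on the inside interface, which the original poster never states.

```cisco
! Added example (not from the thread): outbound ACL on the inside interface
! letting exactly three internal hosts reach one remote IPsec gateway.
! 192.168.1.11-13 and 203.0.113.10 are constructed placeholder addresses.
object-group network VPN_CLIENT_HOSTS
 network-object host 192.168.1.11
 network-object host 192.168.1.12
 network-object host 192.168.1.13
!
! UDP 500 (ISAKMP), UDP 4500 (NAT-T), IP protocol 50 (ESP), TCP 10000
! (IPsec over TCP), scoped to the three hosts and the single remote peer
! instead of "any" so nothing else on the inside gains VPN egress.
access-list INSIDE_IN extended permit udp object-group VPN_CLIENT_HOSTS host 203.0.113.10 eq isakmp
access-list INSIDE_IN extended permit udp object-group VPN_CLIENT_HOSTS host 203.0.113.10 eq 4500
access-list INSIDE_IN extended permit esp object-group VPN_CLIENT_HOSTS host 203.0.113.10
access-list INSIDE_IN extended permit tcp object-group VPN_CLIENT_HOSTS host 203.0.113.10 eq 10000
! AH deliberately omitted, as Patrick0711 notes it is not needed for client VPNs.
access-group INSIDE_IN in interface inside
!
! Verification while the three clients connect: hit counts on each ACE,
! and the PAT translations/connections for the NAT-T and IPsec-over-TCP ports.
show access-list INSIDE_IN
show xlate
show conn protocol udp port 4500
show conn protocol tcp port 10000
```

If the ESP line shows hits but the UDP 4500 and TCP 10000 lines stay at zero, the clients are negotiating plain ESP through the PAT, which is the case Patrick0711 describes as non-translatable; the fix belongs on the clients or the remote gateway (enable NAT-T or IPsec over TCP there), not in a wider access list on this ASA.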
