Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1224
Views
0
Helpful
7
Replies

Remote access VPN with ASA not working when ASA is behind a NAT router

nedian123
Level 1
Level 1

‎12-16-2009 07:11 AM - edited ‎02-21-2020 04:25 PM

Hi,

I can make a remote access vpn with ASA using its outside IP, every thing goes well. As soon as I add static NAT on the router for ASA's outside IP & try vpn with the global IP following error comes on the ASA whereas I can see the translation on the router(udp-500-inside global is traslated to udp-500-inside-local IP)

PC------Router--------ASA

NAT-T is enabled on the ASA.

Can anyone share their experiences when ASA is behind a NAT box & how ASA can recognize its identity inside IPSEC packets sent by the client.....

Regards,

Ak

Labels:
Preview file
34 KB
0 Helpful
7 Replies 7

andrew.prince
Level 10
Level 10

‎12-17-2009 02:12 AM

Is the router configured for firewalling?

0 Helpful

rmujeeb81
Level 1
Level 1
In response to andrew.prince

‎12-17-2009 03:24 AM

Hi Andrew,

On behalf of my colleague I would like to inform you that Router is not configured for firewalling. IPSec traffic is directly coming to internet router and being forwarded to ASA.

Regards,

0 Helpful

andrew.prince
Level 10
Level 10
In response to rmujeeb81

‎12-17-2009 04:03 AM

OK - for NAT-T to work effectivley, both ends need to negotiate it and support it, does the remote end of the VPN have NAT-T settigns?

0 Helpful

rmujeeb81
Level 1
Level 1
In response to andrew.prince

‎12-17-2009 04:18 AM

On the other end , we are using Cisco VPN client and NAT-T is also configured there i.e IPSec over UDP ( NAT/PAT ) option.

Thanks

0 Helpful

andrew.prince
Level 10
Level 10
In response to rmujeeb81

‎12-17-2009 04:20 AM

Ahh yes - sorry I missed that in the original post, can I ask you to post the output from the VPN client log?  Also the router debug output - removing any sensitive information of course.

0 Helpful

yamramos.tueme
Level 1
Level 1
In response to andrew.prince

‎12-17-2009 10:40 AM

According to the picture you have several retransmisions. When you use NAT-T the ASA will switch from using UDP 500 to UDP 4500 for the negotiation and to pass traffic.  Make sure that UDP 4500 is not getting blocked.

Cheers!

- Yamil

0 Helpful

nedian123
Level 1
Level 1
In response to yamramos.tueme

‎12-19-2009 01:40 PM

every thing is allowed both on the firewall & the router.  I think there is some identity issue bc router is changing dst ip in the IP header & the IPSEC header is having a public IP not belonging to ASA.....lets see if some one faces similar issues. I am planning to assign public IPs directly on the firewall to avoid problem caused by NAT......

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents