Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
289
Views
0
Helpful
1
Replies

Remote Management over VPN - IP Unkown

fb_webuser
Level 6
Level 6

‎07-10-2013 09:00 AM - edited ‎03-10-2019 08:38 PM

Hi!

I've been thinking of a situation that I will face in the near future that I don't know how to solve.

I have configured a IOS Easy VPN Client to allow customers' to connect to our Project/Test network. To each customer we send a pre-configured ASA5505, acting VPN Client, to establish the tunnel.

However, there will be some problems managing that ASA5505 if the customer have a NAT device set between us and them, let me explain.

If there are no NAT device between the VPN Server and Client, I will be able to see the outside IP of the client when doing the "sh crypto isakmp sa"-command. And from that, I can use ASDM to connect to that IP.

However if there is a NAT device between the VPN Server and Client, when doing the "sh crypto isakmp sa"-command I will see the outside IP of the NAT device instead. So my question is, is there anyway I can find out what the IP is on the outside interface of the VPN Client if there are a NAT device in between?

Note: In some of the cases this is not a problem since we often get assigned IP's to use when we pre-configure the Client. But others want us to use DHCP on the outside leaving us clueless what the IP is.

---

Posted by WebUser Krishnakant Dixit from Cisco Support Community App

Labels:
0 Helpful
1 Reply 1

Ravi Singh
Level 7
Level 7

‎07-21-2013 10:04 PM

You have to enable NAT-T. NAT traversal is a general term for techniques that establish and maintain Internet protocol connections traversing network address translation (NAT) gateways. Network address translation breaks end-to-end connectivity.  Intercepting and modifying traffic can only be performed transparently  in the absence of secure encryption and authentication. NAT traversal  techniques are typically required for client-to-client networking  applications, especially peer-to-peer and Voice over IP (VoIP) deployments. Many techniques exist, but no single method works  in every situation since NAT behavior is not standardized. Many NAT  traversal techniques require assistance from a server at a publicly routable IP address.  Some methods use the server only when establishing the connection,  while others are based on relaying all data through it, which adds  bandwidth costs and increases latency, detrimental to real-time voice  and video communications.

Most NAT behavior-based techniques bypass enterprise security  policies. Enterprise security experts prefer techniques that explicitly  cooperate with NAT and firewalls, allowing NAT traversal while still  enabling marshalling at the NAT to enforce enterprise security policies.  From this point of view, the most promising IETF standards are Realm-Specific IP (RSIP) and Middlebox Communications (MIDCOM).

For more detail how NAT-T work see the below link

https://supportforums.cisco.com/docs/DOC-16591

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents