Community Member

ASA5505 unable to VPN over a NAT'd address

Hi

I am trying to migrate to a ASA5505 from our pix.

Most of our network uses PAT on our outside interface, but I have a small pool of addresses which I NAT to on the inside. When I do this they are unable to VPN out to remote sites.

This worked great on the Pix but not on the ASA. I can see port UDP 500 coming back to the client, but port UDP 4500 disappears on its return journey between the two ASA interfaces.

Regards

Chris

10 REPLIES

Community Member

Re: ASA5505 unable to VPN over a NAT'd address

Hi

This is not a connection to the ASA, but a connection through it whilst using a NAT'd IP.

I have assigned a NAT to a PC on the inside of the ASA, but when the PC opens a Cisco VPN client and tries to connect to a remote Cisco firewall the user is unable to connect; when he uses a PAT'd address it works fine.

Thanks

Community Member

Re: ASA5505 unable to VPN over a NAT'd address

hello,

What is the IP of your PC according to your configuration file?

regards

Community Member

Re: ASA5505 unable to VPN over a NAT'd address

Hi

The PC is 10.2.200.80

The old Pix line used to be

static (inside,outside) 10.2.254.80 10.2.200.80 netmask 255.255.255.240

for sixteen addresses.

I have just got it to work by using the following two lines

global (outside) 2 10.2.254.80

nat (inside) 2 10.2.200.80 255.255.255.255

I can't believe the above (times sixteen), 32 lines instead of just 1, is the only way to get it working.

Thanks

Community Member

Re: ASA5505 unable to VPN over a NAT'd address

Your configuration (with global) is a dynamic NAT, so it's unidirectional, while static is bidirectional.

Did you change something in the client configuration?

What are the client parameters?

Community Member

Re: ASA5505 unable to VPN over a NAT'd address

I meant that this NAT configuration could determine the behaviour of the server side by using NAT traversal or not.

Community Member

Re: ASA5505 unable to VPN over a NAT'd address

I have done the isakmp nat-traversal but did not make any difference.

Community Member

Re: ASA5505 unable to VPN over a NAT'd address

The client is default; group name, password and IP

Community Member

Re: ASA5505 unable to VPN over a NAT'd address

Hi Chris,

When you added this line to the ASA, it didn't work? 'static (inside,outside) 10.2.254.80 10.2.200.80 netmask 255.255.255.240'

B.Regards.

Community Member

Re: ASA5505 unable to VPN over a NAT'd address

Hi

It did work. I checked whatsmyip to confirm it was translating ok.

I can see UDP 500 coming back to the client, but UDP 4500 only gets back as far as the outside interface and never exits the internal interface to reach the client.

So the NAT is definitely working, but it just does not pass back the UDP 4500.
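A way to verify the static translation and trace exactly where the UDP 4500 (NAT-T) return packets stop, as an added troubleshooting example that is not part of the thread. The remote VPN peer address 203.0.113.5 is a constructed placeholder, and the commands assume the same ASA software generation as the static/global/nat syntax used above.

```cisco
! Confirm the one-to-one translation for the client is present in the xlate table
show xlate | include 10.2.200.80

! Simulate the NAT-T return packet arriving on outside from the remote peer
! (203.0.113.5 is a constructed placeholder) towards the client's translated
! address; the output lists each phase (UN-NAT, ACL, inspect, flow lookup)
! and names the phase at which a DROP occurs
packet-tracer input outside udp 203.0.113.5 4500 10.2.254.80 4500 detailed

! Capture UDP 4500 on both interfaces to see whether the packet is seen on
! outside (translated address) but never appears on inside (real address)
capture capout interface outside match udp host 203.0.113.5 eq 4500 host 10.2.254.80 eq 4500
capture capin interface inside match udp host 203.0.113.5 eq 4500 host 10.2.200.80 eq 4500
show capture capout
show capture capin

! Aggregate drop reasons give the reason if the packet is discarded
! between the two interfaces rather than forwarded
show asp drop

! Remove the captures once done
no capture capout
no capture capin
```

If the packet-tracer shows the packet allowed but the inside capture stays empty, compare against a PAT'd client, for which the thread reports UDP 4500 passes, to narrow the difference to the static translation.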
