Cisco ASA Version 8.4(3): VPN Passthrough Problem with NCP Client

Hello Support Community,

I have a problem with VPN Passthrough with an NCP Client and Cisco ASA 5520 Version 8.4(3).

A VPN IPSec Connection with a Cisco VPN Client through the Cisco ASA works fine.

The NCP Client establishes a connection with Source and Destination UDP 4500 to the remote VPN Gateway, and the connection setup is aborted.

If I establish a connection with an NCP Client on a Virtual Machine with NAT, the connection setup works fine.

A connection setup under a VM in Bridge mode is also aborted.

The VPN Passthrough problem with the NCP Client started with the update to version 8.4(3).

The connection worked very well until version 8.2(5).

Does someone know the problem?

Accepted Solution

Re: Cisco ASA Version 8.4(3): VPN Passthrough Problem with NCP C

CSCtq32213    VPN ports not removed from PAT port pool when crypto map is applied.

The issue is that if you have a client which uses an outbound VPN through your ASA (like one of your consultants from your network trying to connect to his company VPN), it will create an xlate for UDP port 4500, if you have the dynamic NAT given for your outside interface IP.

This will engage UDP port 4500 on the ASA and will not release this xlate entry; it will remain there.

This will limit users from connecting to our VPN where the gateway is our ASA's outside IP.

Workaround:

Use the 'clear xlate' command to clear the dynamically created xlate if the problem occurs. To prevent the problem from occurring in the first place, remove the 'flow-export destination' command from the configuration and reload the ASA.

Fixed-in: 8.4(4)

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
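The bug description above boils down to one observable condition: a dynamic PAT xlate on the outside interface IP is holding UDP 4500 (or 500), so the ASA's own remote-access VPN can no longer be reached on those ports. As an added example (not from this thread, not Cisco code), the Python below parses `show xlate` output and flags exactly that condition before anyone runs a blanket `clear xlate`. The xlate line layout it parses, the sample lines, the addresses, and the `clear xlate global ... gport ...` command string it suggests are assumptions; verify them against the command reference for your ASA version before relying on them.

```python
import re
from dataclasses import dataclass

# Constructed sample of `show xlate` output (assumed layout, not from the thread).
# 203.0.113.5 plays the role of the ASA's outside interface IP.
SAMPLE_XLATE = """\
3 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
UDP PAT from inside:192.168.10.25/4500 to outside:203.0.113.5/4500 flags ri idle 0:00:09 timeout 0:00:30
UDP PAT from inside:192.168.10.25/500 to outside:203.0.113.5/500 flags ri idle 0:00:09 timeout 0:00:30
TCP PAT from inside:192.168.10.40/51022 to outside:203.0.113.5/51022 flags ri idle 0:01:12 timeout 0:00:30
"""

# Assumed line shape: "<PROTO> PAT from <ifc>:<ip>/<port> to <ifc>:<ip>/<port> flags <flags> ..."
XLATE_RE = re.compile(
    r"^(?P<proto>TCP|UDP) PAT from (?P<in_ifc>[^:\s]+):(?P<in_ip>[\d.]+)/(?P<in_port>\d+)"
    r" to (?P<out_ifc>[^:\s]+):(?P<out_ip>[\d.]+)/(?P<out_port>\d+) flags (?P<flags>\S+)"
)

# UDP ports the ASA itself needs for IKE and NAT-T, per the bug text.
VPN_UDP_PORTS = {500, 4500}


@dataclass(frozen=True)
class Xlate:
    proto: str
    in_ifc: str
    in_ip: str
    in_port: int
    out_ifc: str
    out_ip: str
    out_port: int
    flags: str


def parse_xlate(text):
    """Turn `show xlate` PAT lines into Xlate records; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m is None:
            continue
        entries.append(Xlate(
            m["proto"], m["in_ifc"], m["in_ip"], int(m["in_port"]),
            m["out_ifc"], m["out_ip"], int(m["out_port"]), m["flags"],
        ))
    return entries


def stolen_vpn_ports(entries, outside_ip, outside_ifc="outside"):
    """Return dynamic ('i' flag) UDP PAT xlates that occupy 500/4500 on the
    outside interface IP, i.e. the condition described in CSCtq32213."""
    return [
        e for e in entries
        if e.proto == "UDP"
        and e.out_ifc == outside_ifc
        and e.out_ip == outside_ip
        and e.out_port in VPN_UDP_PORTS
        and "i" in e.flags
    ]


def suggested_clear_commands(hits):
    """Build a narrowly scoped clear command per offending xlate instead of a
    blanket `clear xlate`. Syntax is an assumption to check against your release."""
    return [f"clear xlate global {e.out_ip} gport {e.out_port}" for e in hits]


if __name__ == "__main__":
    found = stolen_vpn_ports(parse_xlate(SAMPLE_XLATE), "203.0.113.5")
    for e in found:
        print(f"{e.in_ip}/{e.in_port} -> {e.out_ip}/{e.out_port} ({e.proto}, flags {e.flags})")
    for cmd in suggested_clear_commands(found):
        print(cmd)
```

Run it against real `show xlate` output captured from the firewall by replacing `SAMPLE_XLATE`; a non-empty result is the symptom to look for when an NCP or other NAT-T client inside the network has just connected outbound and remote-access users suddenly cannot reach the ASA.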
6 REPLIES

Re: Cisco ASA Version 8.4(3): VPN Passthrough Problem with NCP C

I have encountered a very similar problem.  Some customers and partners require us to use a remote access VPN to support them.  When the firewall was running 8.2(5) it worked fine.  It now requires some annoying hacks to make it work on 8.4(3).  My least favorite of these hacks is a 'magical' NAT that prevents inside hosts from stealing port 500.

Here is what I did and it seems to be working (but is definitely ugly):

configure terminal
 object network VPN-endpoint
  description Prevent inside hosts from stealing VPN endpoint with PAT
  host 172.16.0.1
  nat (any,outside) static interface service udp isakmp isakmp
  exit
 access-list ipsecpassthroughacl extended permit udp any any eq isakmp
 access-list ipsecpassthroughacl extended permit object-group TCPUDP any any eq 4500
 class-map ipsecpassthru-traffic
  match access-list ipsecpassthroughacl
  exit
 policy-map type inspect ipsec-pass-thru iptmap
  parameters
   esp
   ah
   exit
  exit
 policy-map inspection_policy
  class ipsecpassthru-traffic
   inspect ipsec-pass-thru iptmap
   exit
  exit
 service-policy inspection_policy interface outside
 exit

Cisco ASA Version 8.4(3): VPN Passthrough Problem with NCP Clien

Hi Alain,

Thank you for the information.

I will try it next week.

Cisco ASA Version 8.4(3): VPN Passthrough Problem with NCP Clien

Hello Stephan,

That is correct, there is a bug about what Alain just told you.

I have worked on this issue, and the thing is that the ASA is unable to hold or save those ports for the VPN connections (it starts doing PAT on ports 500 and 4500).

There are some work-arounds like using TCP-based (10000), but I have seen how it behaves the same way, so my recommendation would be to do an upgrade ASAP to make this work.

I will provide you the bug ID tomorrow morning.

Regards,

Do rate all the helpful posts

Julio


Re: Cisco ASA Version 8.4(3): VPN Passthrough Problem with NCP C

Thank you Julio

Is this issue fixed in 8.4(4.1)?

Thanks,

Alain


Cisco ASA Version 8.4(3): VPN Passthrough Problem with NCP Clien

Julio,

The update to version 8.4(4.1) has fixed the problem.

Regards,

Stephan
