I need some help. I am trying to setup out new ASA 5510, and I am stuck. Everything looks to work with my internal and DMZ interface, but I am having a problem with trying to contect out to one of our clients sites via VPN. We use Cisco VPN to connect to on of our client sites, and the client is configured as IPSEC over UDP. I have tried the ISAKMP nat-transversal 3600 with no luck. I started by following the steps in the getting started guide to get NAT and the DMZ setup. Also I am going to have my web server in the DMZ talk to a SQL server on the inside that I havn't setup yet, and I am going to have a smtp smart-host in the DMZ that will send to my internal Exchange. So if I am completly off base on my NAT config for internal and DMZ please let me know.l
I have posted a sanitized copy of my config. There is not much in it yet as I am trying to make sure everything functions before opening up to our internal resources. Also I plan on implenting VPN on the ASA in the future, but I havn't gotten that far, so hopefully the fix won't prevent that. Any help will be apprieciated.
Just to confirm. You are trying to run a VPN client from the inside network through your ASA to the remote site ?.
If i have understood correctly there are a couple of things
1) You need nat-travseral on the remote site firewall not your local one
2) You only need nat-traversal if you are natting the source IP addresses. You could do a nat exmeption for the client VPN's but obviously this won't work if you can't distinguish between a vpn client machine and a non vpn clien machine on your internal network.
Yes I am trying to run a VPN client from the inside network through our ASA to the remote site. Its been about 5 years since I last setup a NAT on any CISCO device or worked with CISCO products so I am a little rusty. Is there a feature similar to IPSEC pass-through available, like on a Linksys cable/dsl router? As I know I can connect with a Linksys device (I used one to test and make sure it wasn't something the ISP was doing on their router).
As far as i know the ASA does not support IPSEC passthru although if anyone knows differently please jump in.
If it doesn't you have the 2 options i outlined
1) Enable NAT-T on your client and the remote firewall. Note that you will need to allow UDP 4500 throgh your local ASA firewall in addition to the normal ISPEC.
2) Nat exempt your clients if you can. If the VPN clients are the same clients that you need to NAT if they go out the firewall to other locations you could use policy NAT eg if the remote network was 172.16.5.0/24 and the local network 192.168.1.0/24
access-list pnat permit ip 192.168.1.0 255.255.255.0 172.16.5.0 255.255.255.0
Thanks for all the help. You pointed me in the right direction with the policy nat idea. I actually found a couple of problems with my config, one being in how I setup the global pools. Once I fixed that and setup a policy nat to allow access to this ones clients site using policy nat to a small pool of public IPs I was connecting with no problems.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...