Community Member

Easy VPN connection with remote side behind NAT device

Hi,

I'm trying to build an Easy VPN connection between two ASA5505's. Initial configuration was simple and the tunnel is up. The problem is that I can't get any packets through. A packet-trace in ASDM on the remote site reports IPSec spoof detected.

Any ideas?

14 REPLIES

Re: Easy VPN connection with remote side behind NAT device

Can you post your configs for a review - remove sensitive information.

HTH

Community Member

Re: Easy VPN connection with remote side behind NAT device

Hi,

Here's the config of the clientside ASA. It is connected to a LAN behind a NAT device.

I am having trouble getting my hands on the latest running config of the serverside. I will post it asap.

I am new to all this so I hope you can read the attached config.

Thanks in advance.

Re: Easy VPN connection with remote side behind NAT device

That config looks spot on. If there is an issue it might be with the server end; below is a config example. Check yours against it for anything that jumps out:

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a00805c5ad9.shtml

HTH

Community Member

Re: Easy VPN connection with remote side behind NAT device

Hi,

I had already read that article. There are some differences between the config in the example and the serverside running config. Unfortunately I cannot find the exact problem. I will post the serverside running config tomorrow and would appreciate it if you would take a peek at it.

Thanks in advance...

Re: Easy VPN connection with remote side behind NAT device

Sure, no problem.

Community Member

Re: Easy VPN connection with remote side behind NAT device

Hello,

As promised, the serverside running config.

Greetz...

Re: Easy VPN connection with remote side behind NAT device

Try to issue the following command:

no crypto dynamic-map outside_dyn_map 20 set nat-t-disable

Community Member

Re: Easy VPN connection with remote side behind NAT device

Thanks for your reply.

I changed the serverside config, but still can't ping to a machine behind the client ASA.

Re: Easy VPN connection with remote side behind NAT device

Have you added RRI (reverse route injection)?

Community Member

Re: Easy VPN connection with remote side behind NAT device

On the serverside I have added:

crypto dynamic-map outside_dyn_map 20 set reverse-route

Still no go...

Community Member

Re: Easy VPN connection with remote side behind NAT device

I'm trying to do the same thing you are: Establishing a VPN using the ASA5505 when it is behind a NAT. Did you have to open/forward any ports from the NAT device to the ASA5505 to get the VPN connection working?

Re: Easy VPN connection with remote side behind NAT device

If your case is like

internet---nat device--ASA--internal

and the VPN is on the ASA, you need first a static NAT or port forward from the NAT device to the ASA.

You need the following ports opened and statically NATed:

ESP

UDP 500

and maybe UDP 4500

to get the tunnel established.

If helpful, rate.

Community Member

Re: Easy VPN connection with remote side behind NAT device

Setup is like:

Lan1 --- ASA1 --- internet --- NAT_device --- ASA2 -- LAN2

The tunnel will be initiated from ASA2 to ASA1. Shouldn't the NAT device handle all NATting dynamically?

Silver

Re: Easy VPN connection with remote side behind NAT device

Hi,

Can you enable NAT-T globally on both end ASAs and then check?

"isakmp nat-traversal 20"

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/ike.html#wp1052899

When NAT-T is enabled, the ESP packets (which actually carry the data payload) that get blocked by PAT/NAT are encapsulated in UDP 4500 packets, and since they now have ports they can easily pass through PAT.

HTH

Saju

Pls rate helpful posts
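To make the NAT-T point above concrete, here is an added example (not from this thread or from Cisco) that classifies what a port-translating NAT device sees on the path: plain IKE on UDP 500, raw ESP (IP protocol 50, which has no ports for PAT to translate), and the UDP 4500 forms NAT-T produces. The header layouts follow RFC 3948 and RFC 4303; the packets and SPI value are constructed samples.

```python
"""Classify IPsec traffic as seen by a NAT/PAT device (constructed samples, no real capture)."""
import struct

IPPROTO_ESP, IPPROTO_UDP = 50, 17
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 2.1: IKE carried on UDP/4500 starts with 4 zero bytes
NAT_KEEPALIVE = b"\xff"                # RFC 3948 2.2: a NAT keepalive is a single 0xFF byte


def udp_encap_esp(spi: int, seq: int, body: bytes) -> bytes:
    """Build the UDP/4500 payload NAT-T produces for one ESP packet.
    Only the ESP header (SPI, sequence) is real; 'body' stands in for the encrypted payload."""
    return struct.pack("!II", spi, seq) + body


def classify(ip_proto: int, dst_port, payload: bytes) -> dict:
    """Return the packet kind, its SPI (ESP only) and whether PAT can forward it unaided.
    PAT needs layer-4 ports to build a translation entry; raw ESP has none."""
    if ip_proto == IPPROTO_ESP:
        return {"kind": "esp", "spi": struct.unpack("!I", payload[:4])[0], "pat_ok": False}
    if ip_proto != IPPROTO_UDP:
        return {"kind": "other", "spi": None, "pat_ok": True}
    if dst_port == 500:
        return {"kind": "ike", "spi": None, "pat_ok": True}
    if dst_port == 4500:
        if payload == NAT_KEEPALIVE:
            return {"kind": "nat-keepalive", "spi": None, "pat_ok": True}
        if payload[:4] == NON_ESP_MARKER:
            return {"kind": "ike-udp-encap", "spi": None, "pat_ok": True}
        # An ESP SPI is never zero, so it cannot be confused with the non-ESP marker.
        return {"kind": "esp-udp-encap", "spi": struct.unpack("!I", payload[:4])[0], "pat_ok": True}
    return {"kind": "other", "spi": None, "pat_ok": True}


def blocked_by_pat(packets) -> list:
    """SPIs of packets a port-translating NAT device cannot forward on its own."""
    return [c["spi"] for c in (classify(*p) for p in packets) if not c["pat_ok"]]


# Constructed samples: the same ESP SA (SPI 0xABCD) sent raw and then NAT-T encapsulated.
SAMPLES = [
    (IPPROTO_UDP, 500, b"\x00" * 28),                              # IKE header on plain UDP/500
    (IPPROTO_ESP, None, udp_encap_esp(0xABCD, 1, b"\x11" * 16)),   # raw ESP: IP proto 50, no ports
    (IPPROTO_UDP, 4500, NON_ESP_MARKER + b"\x00" * 28),            # IKE moved to UDP/4500 after NAT detected
    (IPPROTO_UDP, 4500, udp_encap_esp(0xABCD, 2, b"\x11" * 16)),   # same SA, UDP-encapsulated ESP
    (IPPROTO_UDP, 4500, NAT_KEEPALIVE),                            # keepalive keeps the PAT mapping alive
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(classify(*pkt))
    print("SPIs PAT cannot forward:", blocked_by_pat(SAMPLES))
```

With NAT-T disabled on the server (the `nat-t-disable` line mentioned earlier) the second sample is all the NAT device ever sees for data traffic, which is why the tunnel comes up but no packets get through.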
