IPSec over UDP: can log in, but stops at that.

jeffrey.c
Level 1

I have set up my firewall (ASA5520) running 7.1(2). When I initiate a VPN client (Cisco) to a customer site, it goes through the login process and gets an IP from the pool (IPSec over UDP). That is when it stops. I can't ping any devices on the LAN.

If I connect to another customer (IPSec over TCP) it works, and if I put the client in front of the firewall, it works again (TCP or UDP).

My outbound access-list has been disabled, allowing everything to go out. My inbound access list is the normal usual web, SMTP, etc.

Any idea why?

BTW, after connecting, the sent bytes increase but the received bytes are zero!!

5 Replies

Patrick Iseli
Level 7

The remote site does not have the NAT Traversal configured.

http://www.cisco.com/en/US/products/ps6120/products_command_reference_chapter09186a00805fd87d.html#wp1575273

isakmp nat-traversal

To enable NAT traversal globally, check that ISAKMP is enabled (you can enable it with the isakmp enable command) in global configuration mode and then use the isakmp nat-traversal command. If you have enabled NAT traversal, you can disable it with the no form of this command.

isakmp nat-traversal natkeepalive

no isakmp nat-traversal natkeepalive

Syntax Description

natkeepalive = Sets the NAT keep alive interval, from 10 to 3600 seconds. The default is 20 seconds.

Defaults = By default, NAT traversal (isakmp nat-traversal) is disabled.

Usage Guidelines:

Network Address Translation (NAT), including Port Address Translation (PAT), is used in many networks where IPSec is also used, but there are a number of incompatibilities that prevent IPSec packets from successfully traversing NAT devices. NAT traversal enables ESP packets to pass through one or more NAT devices.

The security appliance supports NAT traversal as described by Version 2 and Version 3 of the IETF "UDP Encapsulation of IPsec Packets" draft, available at http://www.ietf.org/html.charters/ipsec-charter.html, and NAT traversal is supported for both dynamic and static crypto maps.

This command enables NAT-T globally on the security appliance. To disable in a crypto-map entry, use the crypto map set nat-t-disable command.

Examples

The following example, entered in global configuration mode, enables ISAKMP and then enables NAT traversal with an interval of 30 seconds:

hostname(config)# isakmp enable

hostname(config)# isakmp nat-traversal 30

sincerely

Patrick
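To make the command reference above actionable, here is an added example (not from the original thread or from Cisco) that audits a saved ASA running-config for exactly the settings Patrick quotes: whether ISAKMP is enabled on an interface, whether isakmp nat-traversal is set and with what keepalive, and whether any crypto map entry carries set nat-t-disable. The sample configs are constructed; the "crypto map NAME SEQ set nat-t-disable" line shape is assumed from the reference text.

```python
"""Audit an ASA 7.x running-config for the NAT-T state discussed in this thread."""
import re

# Constructed sample: what the remote VPN server looks like when NAT-T was never enabled
REMOTE_SERVER_CONFIG = """
hostname remote-asa
isakmp enable outside
crypto map outside_map 10 set nat-t-disable
"""

# Constructed sample: the same box after the fix from the command reference
FIXED_CONFIG = """
hostname remote-asa
isakmp enable outside
isakmp nat-traversal 30
"""

def audit_nat_t(config: str) -> dict:
    """Return ISAKMP/NAT-T state parsed from running-config text plus a list of findings."""
    result = {"isakmp_interfaces": [], "nat_traversal": False,
              "keepalive": 20,  # documented default when no interval is given
              "nat_t_disabled_maps": [], "findings": []}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"isakmp enable (\S+)", line):
            result["isakmp_interfaces"].append(m.group(1))
        elif m := re.fullmatch(r"isakmp nat-traversal(?: (\d+))?", line):
            result["nat_traversal"] = True
            if m.group(1):
                result["keepalive"] = int(m.group(1))
        elif re.fullmatch(r"no isakmp nat-traversal(?: \d+)?", line):
            result["nat_traversal"] = False
        elif m := re.fullmatch(r"crypto map (\S+) (\d+) set nat-t-disable", line):
            result["nat_t_disabled_maps"].append((m.group(1), int(m.group(2))))
    if not result["isakmp_interfaces"]:
        result["findings"].append("ISAKMP is not enabled on any interface")
    if not result["nat_traversal"]:
        result["findings"].append("NAT traversal is disabled (the default): clients behind NAT "
                                  "will encrypt outbound but never receive return traffic")
    elif not 10 <= result["keepalive"] <= 3600:
        result["findings"].append("NAT keepalive is outside the documented 10-3600 s range")
    for name, seq in result["nat_t_disabled_maps"]:
        result["findings"].append(f"crypto map {name} {seq} disables NAT-T for that entry")
    return result

if __name__ == "__main__":
    for label, cfg in (("remote (broken)", REMOTE_SERVER_CONFIG), ("remote (fixed)", FIXED_CONFIG)):
        print(label, audit_nat_t(cfg)["findings"] or ["no NAT-T findings"])
```

Run it against the output of show running-config from the VPN server side (the side Patrick says needs the command), not from the client-side firewall.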

Hi Patrick,

I have already been through that NAT-Traversal.

Enabled ISAKMP on the inside and outside (just for testing's sake).

Did the isakmp nat-traversal.

Still, it connects, logs in, and is given an IP address, but cannot ping anything. The status shows encrypting (transmit) but not decrypting (receive = zero).

The command has to be enabled on the remote VPN server, not on the local one!!

sincerely

Patrick

Mmm, think I got you now.

Will try to ask them to enable on their side.

Thanks!

Hi Patrick,

Problem solved. It is the remote router that somehow blocks the traffic from coming back after VPN login.

Common mistake when people forget to reset the router to do basic routing after adding in a firewall.
