04-12-2006 05:26 PM - edited 02-21-2020 02:22 PM
I have set up my firewall (ASA5520) running 7.1(2). When I initiate a VPN client (Cisco) to a customer site, it goes through the login process and gets an IP from the pool (IPSec over UDP). That is when it stops. I can't ping any devices on the LAN.
If I connect to another customer (IPSec over TCP) it works, and if I put the client in front of the firewall, it again works (TCP or UDP).
My outbound access list has been disabled, allowing everything to go out. My inbound access list is the normal usual web, SMTP, etc.
Any idea why?
BTW, after connecting, the sent bytes increase but the received bytes stay at zero!!
04-12-2006 06:03 PM
The remote site does not have the NAT Traversal configured.
isakmp nat-traversal
To enable NAT traversal globally, check that ISAKMP is enabled (you can enable it with the isakmp enable command) in global configuration mode and then use the isakmp nat-traversal command. If you have enabled NAT traversal, you can disable it with the no form of this command.
isakmp nat-traversal natkeepalive
no isakmp nat-traversal natkeepalive
Syntax Description
natkeepalive = Sets the NAT keep alive interval, from 10 to 3600 seconds. The default is 20 seconds.
Defaults = By default, NAT traversal (isakmp nat-traversal) is disabled.
Usage Guidelines:
Network Address Translation (NAT), including Port Address Translation (PAT), is used in many networks where IPSec is also used, but there are a number of incompatibilities that prevent IPSec packets from successfully traversing NAT devices. NAT traversal enables ESP packets to pass through one or more NAT devices.
The security appliance supports NAT traversal as described by Version 2 and Version 3 of the IETF "UDP Encapsulation of IPsec Packets" draft, available at http://www.ietf.org/html.charters/ipsec-charter.html, and NAT traversal is supported for both dynamic and static crypto maps.
This command enables NAT-T globally on the security appliance. To disable in a crypto-map entry, use the crypto map set nat-t-disable command.
Examples
The following example, entered in global configuration mode, enables ISAKMP and then enables NAT traversal with an interval of 30 seconds:
hostname(config)# isakmp enable
hostname(config)# isakmp nat-traversal 30
sincerely
Patrick
04-17-2006 01:41 PM
Hi Patrick,
I have already been through that NAT-Traversal.
Enabled isakmp on the inside and outside (just for testing's sake).
Did the isakmp nat-traversal.
Still, it connects, logs in, is given an IP address, but cannot ping anything. The status shows encrypting (transmit) but not decrypting (receive = zero).
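The "encrypting but not decrypting" symptom described above can be spotted from the SA counters. The following is an added check, not part of the original thread or of Cisco's tooling: a small parser that reads `show crypto ipsec sa` output and flags any SA whose encaps counter is rising while decaps stays at zero. The sample output is constructed to approximate the ASA format, and the peer addresses and counts are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample approximating the layout of `show crypto ipsec sa`
# on an ASA; peers and counter values are made up for illustration.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: outside_dyn_map, seq num: 10, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.10.5/255.255.255.255/0/0)
      current_peer: 198.51.100.7, username: jdoe
      #pkts encaps: 142, #pkts encrypt: 142, #pkts digest: 142
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.10.9/255.255.255.255/0/0)
      current_peer: 198.51.100.22, username: asmith
      #pkts encaps: 980, #pkts encrypt: 980, #pkts digest: 980
      #pkts decaps: 1012, #pkts decrypt: 1012, #pkts verify: 1012
"""

@dataclass
class SaCounters:
    peer: str
    encaps: int
    decaps: int

    @property
    def one_way(self) -> bool:
        # Packets leave the tunnel but none ever come back: the symptom in
        # the thread (transmit bytes rising, received bytes stuck at zero).
        return self.encaps > 0 and self.decaps == 0

def parse_ipsec_sa(text: str) -> list[SaCounters]:
    """Split the output into per-SA blocks and pull out the encaps/decaps counters."""
    result = []
    for block in re.split(r"\n\s*\n", text.strip()):
        peer = re.search(r"current_peer:\s*([\d.]+)", block)
        enc = re.search(r"#pkts encaps:\s*(\d+)", block)
        dec = re.search(r"#pkts decaps:\s*(\d+)", block)
        if not (peer and enc and dec):
            continue  # interface header or a fragment without counters
        result.append(SaCounters(peer.group(1), int(enc.group(1)), int(dec.group(1))))
    return result

def one_way_peers(text: str) -> list[str]:
    """Peers whose SA sends but never receives; check NAT-T and return routing on the far end first."""
    return [sa.peer for sa in parse_ipsec_sa(text) if sa.one_way]

if __name__ == "__main__":
    for peer in one_way_peers(SAMPLE_OUTPUT):
        print(f"one-way SA to {peer}: encrypting but not decrypting")
```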
04-17-2006 08:38 PM
The command has to be enabled on the remote VPN server, not on the local one!!
sincerely
Patrick
04-17-2006 08:58 PM
Mmm, think I got you now.
Will try to ask them to enable on their side.
Thanks!
04-20-2006 01:05 PM
Hi Patrick,
Problem solved. It is the remote router that somehow blocks the traffic from coming back after VPN login.
Common mistake when people forget to reset the router to do basic routing after adding in a firewall.