Hi all. I have configured VPN for users to remotely access 2 offices. I realised that I could not VPN into officeB from officeA and vice versa. However, I could VPN into officeA and officeB from home. I then added crypto isakmp nat-traversal 20 to my Cisco 5510 firewalls in both offices. After that I could VPN from officeA to officeB and vice versa. I understand that by allowing NAT-T it solves the conflict that NAT has with IPsec. But I do not understand why it would work from my home without adding NAT-T, since my PC would be behind my home router and would be translated to a public IP.
Hi. Sorry for the late reply. Yes, my SMC router comes with a built-in VPN pass-through feature. However, my main office, also using an ASA 5510, could access all other offices by using VPN and accessing the remote resources over VPN. The other offices have no problem connecting to one another via VPN but could not access the resources of the other end over VPN. Hence I believe that VPN pass-through is configured on my main office ASA. Can anyone tell me which statement enables VPN pass-through in the config attached below?
ip address 20.11x.x.x 255.255.255.0
ip address 192.168.1x.x 255.255.255.0
ip address 192.168.2x.x 255.255.255.0
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit esp any any
access-list inside_access_in extended permit gre any any
access-list inside_access_in extended permit esp any any
Can you post the configuration of nat (inside) and global (outside), fixup protocol, etc.? Also check that the IP address of the host (from where you do VPN) at your main office is not statically NAT'ed. Static NAT will not block ESP (VPN); it is only PAT which blocks ESP, as the ESP protocol does not have a port.
Hi Saju, I have posted the config you requested below. Please note that there is no fixup protocol configured. The config below shows that the IP addresses of hosts are translated to a public IP available from a pool. Hence, is this still considered PAT? Please note 172.x.x.x are IPs given to remote hosts trying to VPN into my main office firewall. Thanks in advance.
The above statement means there is one-to-one translation until the pool gets exhausted, and then it goes to PAT.
global (outside) 1 20x.1x.x.x
And if the host from where the VPN client is connected is dynamically NAT'ed (one-to-one IP), this will pass the ESP protocol. So although it gets a dynamically assigned IP from the pool, it gets a dedicated IP on which it can send ESP packets (encrypted payload).
The tunnel is built through PAT but no traffic flows across, because IPsec consists of two protocols, ISAKMP and ESP. ISAKMP is UDP 500, hence it can pass through PAT, and it is responsible for signalling and building the tunnel; but it is ESP which actually carries the data, and ESP is unable to pass through PAT as it has no ports.
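To make the mechanism behind both the original question and Saju's explanation concrete, the following Python model is an added illustration (not code from the thread or from Cisco). It simulates three translation cases from the discussion: ISAKMP (UDP 500) and ESP (IP protocol 50) through a many-to-one PAT device, ESP wrapped in UDP 4500 by NAT-T through that same PAT, and raw ESP through a one-to-one dynamic NAT pool like the global (outside) 1 pool above. All IP addresses are constructed from documentation ranges, and the PAT model drops port-less ESP exactly as the thread describes; some real home routers instead track ESP by SPI ("IPsec pass-through"), which is the feature the SMC router post refers to.

```python
"""Toy model of NAT/PAT handling for IPsec: why ESP fails across PAT but
passes a 1:1 pool or NAT-T encapsulation. Added example, not the thread's
configuration. All addresses are constructed (RFC 5737 documentation ranges)."""
from dataclasses import dataclass
from typing import Optional

UDP, ESP = 17, 50                      # IP protocol numbers
ISAKMP_PORT, NAT_T_PORT = 500, 4500    # IKE and UDP-encapsulated ESP ports


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None        # None for ESP: no transport header
    dport: Optional[int] = None
    payload: str = ""


class PAT:
    """Many inside hosts share one public IP; flows are told apart by port."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}  # (proto, translated port) -> (inside ip, inside port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.sport is None:
            return None  # ESP has no port to rewrite or track, so PAT drops it
        pub_port = self.next_port
        self.next_port += 1
        self.table[(pkt.proto, pub_port)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, pkt.dst, pkt.proto, pub_port, pkt.dport, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        entry = self.table.get((pkt.proto, pkt.dport))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return Packet(pkt.src, inside_ip, pkt.proto, pkt.sport, inside_port, pkt.payload)


class DynamicNAT:
    """Pool of public IPs, one dedicated address per inside host."""

    def __init__(self, pool):
        self.free = list(pool)
        self.out_map = {}  # inside ip -> public ip
        self.in_map = {}   # public ip -> inside ip

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.src not in self.out_map:
            if not self.free:
                return None  # pool exhausted (the real ASA falls back to PAT here)
            pub = self.free.pop(0)
            self.out_map[pkt.src] = pub
            self.in_map[pub] = pkt.src
        return Packet(self.out_map[pkt.src], pkt.dst, pkt.proto, pkt.sport, pkt.dport, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        inside = self.in_map.get(pkt.dst)
        if inside is None:
            return None
        return Packet(pkt.src, inside, pkt.proto, pkt.sport, pkt.dport, pkt.payload)


def nat_t_encapsulate(pkt: Packet) -> Packet:
    """NAT-T (RFC 3948): wrap ESP in UDP 4500 so it carries a translatable port."""
    assert pkt.proto == ESP
    return Packet(pkt.src, pkt.dst, UDP, NAT_T_PORT, NAT_T_PORT, "UDP-ENCAP:" + pkt.payload)


def round_trip(device, pkt: Packet) -> Optional[Packet]:
    """Send pkt out through device, have the peer reply, and translate the reply
    back in. Returns the reply as delivered to the inside host, or None if lost."""
    out = device.outbound(pkt)
    if out is None:
        return None
    reply = Packet(out.dst, out.src, out.proto, out.dport, out.sport, "reply:" + out.payload)
    return device.inbound(reply)


def demo() -> dict:
    """Run the scenarios from the thread; True means the reply reached the host."""
    pat = PAT("203.0.113.1")
    pool = DynamicNAT(["203.0.113.10", "203.0.113.11"])
    isakmp = Packet("192.168.1.10", "198.51.100.5", UDP, ISAKMP_PORT, ISAKMP_PORT, "IKE_SA_INIT")
    esp = Packet("192.168.1.10", "198.51.100.5", ESP, payload="encrypted")
    return {
        "isakmp_via_pat": round_trip(pat, isakmp) is not None,
        "esp_via_pat": round_trip(pat, esp) is not None,
        "esp_nat_t_via_pat": round_trip(pat, nat_t_encapsulate(esp)) is not None,
        "esp_via_1to1_pool": round_trip(pool, esp) is not None,
    }


if __name__ == "__main__":
    for name, delivered in demo().items():
        print(f"{name}: {'delivered' if delivered else 'dropped'}")
```

Running it shows the tunnel-but-no-traffic symptom directly: ISAKMP survives PAT, raw ESP does not, NAT-T makes ESP survive the same PAT, and a dedicated one-to-one address lets raw ESP return because the reply is demultiplexed by destination IP rather than by port.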