vpn issues urgent

carl_townshend
Spotlight

Hi all, we have recently set up a remote access VPN using the VPN client; this terminates on an ASA 5520. I am getting issues now where my clients connect fine to the VPN and get a DHCP address etc., but then can't see anywhere inside my LAN. It works fine from broadband etc. at home, but I tried to access it via a Vodafone 3G card, and other users from other companies say they are now having this issue also. What could the problem be, as routing surely is fine since they can get the VPN connected? Please can anyone help?

cheers

11 Replies

acomiskey
Level 10

How about a config?

Make sure you have crypto isakmp nat-traversal.

What does that do?

I don't understand why it does not work for some people, as they do get connected and get an IP address from the device. I cannot get a config at the moment. Has anyone had any similar problems like this?

cheers

Carl,

This allows people coming from behind NAT devices to use NAT-T (UDP 4500). Your symptoms are exactly what would occur if it was not enabled: the client will connect but not be able to pass traffic.

This command is disabled by default and is the #1 issue for remote access VPNs.

Thanks for that.

Can you please explain what this exactly does for the client end, and what does this command do?

This allows VPN clients to have ESP packets encapsulated in UDP over port 4500. This is necessary for IPsec to pass through NAT/PAT devices.

Most likely, the clients you are not having problems with are not behind NAT/PAT devices.

http://cisco.com/en/US/docs/security/asa/asa72/command/reference/c5_72.html#wp2068300

Is this all tunneled on port 80?

And how do I turn this command on via the ASDM manager?

Thanks for the prompt response.

Carl

We're talking about IPsec VPN here, right?

No, it is tunneled in UDP port 4500.

Configuration -> VPN -> IKE -> Global Parameters -> Check box for "Enable IPSec over NAT-T"

But how is this so? I thought VPN is tunneled across the web using port 80, as my firewall only allows clients to go out on port 80. How will it let port 4500 out?

Please explain.

cheers

I'm sorry I don't understand what you mean.

VPN clients accessing your firewall are connecting on UDP 500 or 4500, not port 80.

You may be allowing internal clients out on port 80; this has nothing to do with VPN clients connecting to your firewall.

Please explain.
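To make the two points above concrete (ESP carried inside UDP 4500 for NAT-T, and why an outbound policy that only permits port 80 blocks it), here is a small added example that is not part of the thread: it classifies constructed UDP datagrams the way a packet capture on the headend would, using the RFC 3948 framing (four-zero-byte non-ESP marker for IKE, raw ESP SPI otherwise, single 0xFF byte for keepalives), and checks each one against a web-only egress rule.

```python
# Added example (not from the thread). Shows what NAT-T traffic looks like on the
# wire and why a "port 80 only" outbound firewall never lets it reach the ASA.
IKE_PORT = 500              # plain ISAKMP/IKE
NAT_T_PORT = 4500           # NAT-T: IKE with non-ESP marker, or UDP-encapsulated ESP
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: prefix that marks IKE on 4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948: one-byte keepalive


def classify_udp_payload(dst_port: int, payload: bytes) -> str:
    """Label one UDP payload addressed to the VPN headend."""
    if dst_port == IKE_PORT:
        return "IKE (ISAKMP) on udp/500"
    if dst_port != NAT_T_PORT:
        return f"not IPsec-related (udp/{dst_port})"
    if payload == NAT_KEEPALIVE:
        return "NAT-T keepalive"
    if len(payload) < 8:
        return "malformed NAT-T datagram"
    if payload[:4] == NON_ESP_MARKER:
        return "IKE over NAT-T (non-ESP marker) on udp/4500"
    # Otherwise the datagram starts with a real ESP header: SPI then sequence number.
    spi = int.from_bytes(payload[:4], "big")
    seq = int.from_bytes(payload[4:8], "big")
    return f"UDP-encapsulated ESP on udp/4500, SPI=0x{spi:08x}, seq={seq}"


def allowed_by_web_only_policy(proto: str, dst_port: int) -> bool:
    """Egress rule as described in the thread: only tcp/80 is permitted out."""
    return proto == "tcp" and dst_port == 80


# Constructed sample datagrams (proto, dst_port, payload); not captured traffic.
SAMPLES = [
    ("udp", 500, b"\x11" * 28),                                    # IKE phase 1
    ("udp", 4500, NON_ESP_MARKER + b"\x22" * 28),                  # IKE after NAT detected
    ("udp", 4500, b"\x12\x34\x56\x78\x00\x00\x00\x07" + b"\xaa" * 16),  # ESP data
    ("udp", 4500, NAT_KEEPALIVE),                                  # keepalive
    ("tcp", 80, b"GET / HTTP/1.1\r\n\r\n"),                        # ordinary web
]


def summarize(samples=SAMPLES):
    """Return (label, allowed_out) for each sample under the web-only policy."""
    out = []
    for proto, port, payload in samples:
        label = classify_udp_payload(port, payload) if proto == "udp" else f"{proto}/{port}"
        out.append((label, allowed_by_web_only_policy(proto, port)))
    return out


if __name__ == "__main__":
    for label, ok in summarize():
        print(f"{'ALLOW' if ok else 'DROP '}  {label}")
```

Every IPsec datagram is dropped by that rule while the HTTP request passes, which is the mismatch the reply above describes.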

I always thought IPsec tunnels via port 80, so if I was behind a firewall internally and wanted to allow VPN clients from inside to VPN out, would I need to allow them ports from inside to anywhere outside?

cheers

Carl,

You would need to allow them access to wherever they were attempting to VPN to.

I think we're getting off the subject a little. Did you try to enable NAT-T in ASDM? Did it solve your problem?
