Cisco Support Community
New Member

vpn issues urgent

Hi all, we have recently set up a remote access VPN using VPN client, this terminates on an ASA5520. I am getting issues now where my clients connect fine to the VPN, and get a DHCP address etc, but then can't see anywhere inside my LAN. It works fine from broadband etc at home, but I tried to access it via a Vodafone 3G card, and other users from other companies say they are now having this issue also. What could the problem be, as routing surely is fine as they can get the VPN connected? Please can anyone help?

cheers

11 REPLIES
Green

Re: vpn issues urgent

How about a config?

Make sure you have crypto isakmp nat-traversal.

New Member

Re: vpn issues urgent

what does that do??

I don't understand why it does not work for some people, as they do get connected and get an IP address from the device. I cannot get a config at the moment. Has anyone had any similar probs like this?

cheers

Green

Re: vpn issues urgent

carl,

This allows people coming from behind nat devices to use nat-t udp 4500. Your symptoms are exactly what would occur if it was not enabled. The client will connect but not be able to pass traffic.

This command is disabled by default and is the #1 issue for remote access vpns.

New Member

Re: vpn issues urgent

thanks for that

Can you please explain what this exactly does for the client end, and what does this command do?

Green

Re: vpn issues urgent

This allows vpn clients to have esp packets encapsulated in udp over port 4500. This is necessary for ipsec to pass through nat/pat devices.

Most likely, the clients you are not having problems with are not behind nat/pat devices.

http://cisco.com/en/US/docs/security/asa/asa72/command/reference/c5_72.html#wp2068300
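
An added example, not part of the original thread: a small Python classifier for UDP port 4500 payloads, useful when checking a packet capture to see whether ESP-in-UDP traffic is actually flowing. It goes slightly beyond the reply above by also recognising the two other datagram types RFC 3948 defines on that port (IKE behind a four-byte non-ESP marker, and the one-byte NAT keepalive). The function names and sample payloads are constructed for illustration.

```python
import struct
from collections import Counter

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: precedes IKE on UDP 4500
NAT_KEEPALIVE = b"\xff"               # RFC 3948: one-octet NAT keepalive
IKE_HEADER_LEN = 28                   # ISAKMP/IKE fixed header size

def classify_udp4500(payload: bytes) -> dict:
    """Classify the UDP payload of one datagram on port 4500."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:
        return {"kind": "malformed"}
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            return {"kind": "malformed"}
        # Exchange type is the byte at offset 18 of the IKE header.
        return {"kind": "ike", "exchange_type": ike[18]}
    # Anything else is ESP: 32-bit SPI (never zero) then sequence number.
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp-in-udp", "spi": spi, "seq": seq}

def summarize(payloads) -> Counter:
    """Count datagram kinds seen in a capture of UDP 4500 payloads."""
    return Counter(classify_udp4500(p)["kind"] for p in payloads)

# Constructed sample payloads (not taken from a real capture).
SAMPLE_IKE = (NON_ESP_MARKER + bytes(16) + bytes([8, 0x10, 32, 1])
              + bytes(4) + struct.pack("!I", 28))
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 7) + bytes(32)
SAMPLE = [SAMPLE_IKE, SAMPLE_ESP, SAMPLE_ESP, NAT_KEEPALIVE, b"\x01\x02"]

if __name__ == "__main__":
    for kind, count in summarize(SAMPLE).items():
        print(f"{kind}: {count}")
```

With NAT-T enabled, a capture from a client behind a NAT/PAT device should show `esp-in-udp` datagrams once the tunnel is carrying traffic.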

New Member

Re: vpn issues urgent

Is this all tunneled in port 80 ?

and how do I turn this command on via the ASDM manager ?

thanks for the prompt response

Carl

Green

Re: vpn issues urgent

We're talking about ipsec vpn here right?

No, it is tunneled in udp port 4500.

Configuration -> VPN -> IKE -> Global Parameters -> Check box for "Enable IPSec over NAT-T"

New Member

Re: vpn issues urgent

but how is this so, I thought vpn is tunneled across the web using port 80, as my firewall only allows clients to go out on port 80, how will it let port 4500 out ?

please explain

cheers

Green

Re: vpn issues urgent

I'm sorry I don't understand what you mean.

VPN clients accessing your firewall are connecting on udp 500 or 4500, not port 80.

You may be allowing internal clients out on port 80, this has nothing to do with vpn clients connecting to your firewall.

Please explain.

New Member

Re: vpn issues urgent

I always thought IPsec tunnels via port 80, so if I was behind a firewall internally, and wanted to allow VPN clients from inside to VPN out, would I need to allow them ports from inside to anywhere outside ?

cheers

Green

Re: vpn issues urgent

carl,

You would need to allow them access to wherever they were attempting to vpn to.

I think we're getting off the subject a little. Did you try to enable nat-t in ASDM? Did it solve your problem?
