Hi all, we have recently set up a remote access VPN using the VPN client; this terminates on an ASA 5520. I am getting issues now where my clients connect fine to the VPN and get a DHCP address etc., but then can't see anywhere inside my LAN. It works fine from broadband etc. at home, but I tried to access it via a Vodafone 3G card, and other users from other companies say they are now having this issue also. What could the problem be, as routing surely is fine since they can get the VPN connected? Please can anyone help?
What does that do?
I don't understand why it does not work for some people, as they do get connected and get an IP address from the device. I cannot get a config at the moment. Has anyone had any similar problems like this?
This allows people coming from behind NAT devices to use NAT-T (UDP 4500). Your symptoms are exactly what would occur if it was not enabled: the client will connect but not be able to pass traffic.
This command is disabled by default and is the #1 issue for remote access VPNs.
This allows VPN clients to have ESP packets encapsulated in UDP over port 4500. This is necessary for IPsec to pass through NAT/PAT devices.
Most likely, the clients you are not having problems with are not behind NAT/PAT devices.
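To make the encapsulation in the reply above concrete, here is an added example (not from any poster in this thread) that decodes what a UDP/4500 datagram carries per RFC 3948: a 1-byte NAT keepalive, IKE prefixed by the 4-zero-byte non-ESP marker, or UDP-encapsulated ESP. The sample datagrams and addresses are constructed; a flow with IKE but no ESP on UDP/4500 is the "connects but passes no traffic" picture described above.

```python
import struct
from collections import Counter

NON_ESP_MARKER = b"\x00\x00\x00\x00"     # RFC 3948: IKE inside UDP/4500 is prefixed with four zero bytes
IKE_HEADER = struct.Struct("!QQBBBBII")  # iSPI, rSPI, next payload, version, exchange, flags, msg id, length


def classify_natt_payload(payload: bytes) -> dict:
    """Say what one UDP/4500 datagram carries: NAT keepalive, IKE, or UDP-encapsulated ESP."""
    if payload == b"\xff":                           # 1-byte NAT keepalive (RFC 3948 section 2.3)
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:                             # shorter than an ESP SPI plus sequence number
        return {"kind": "malformed", "reason": "too short"}
    if payload[:4] == NON_ESP_MARKER:
        # ESP SPI 0 is reserved, so four leading zero bytes can only be the non-ESP marker
        ike = payload[4:]
        if len(ike) < IKE_HEADER.size:
            return {"kind": "malformed", "reason": "IKE header truncated"}
        _ispi, _rspi, _np, version, exchange, _flags, _msg_id, length = IKE_HEADER.unpack(ike[:IKE_HEADER.size])
        return {"kind": "ike", "major_version": version >> 4, "exchange_type": exchange, "length": length}
    spi, seq = struct.unpack("!II", payload[:8])     # anything else is ESP: SPI then sequence number
    return {"kind": "esp", "spi": spi, "seq": seq}


def summarize_flow(packets) -> dict:
    """Count packet kinds on UDP/4500 in (src, dst, dport, payload) tuples and flag whether data-plane ESP was seen."""
    kinds = Counter(classify_natt_payload(p)["kind"] for _src, _dst, dport, p in packets if dport == 4500)
    return {"ike": kinds["ike"], "esp": kinds["esp"], "nat-keepalive": kinds["nat-keepalive"],
            "malformed": kinds["malformed"], "data_plane_seen": kinds["esp"] > 0}


# Constructed sample datagrams (not captured from the poster's network); addresses are documentation ranges.
SAMPLE_IKE = NON_ESP_MARKER + IKE_HEADER.pack(0x1122334455667788, 0, 1, 0x10, 2, 0, 0, IKE_HEADER.size)
SAMPLE_ESP = struct.pack("!II", 0x0A0B0C0D, 1) + bytes(16)
SAMPLE_FLOW = [
    ("10.0.0.5", "203.0.113.1", 4500, SAMPLE_IKE),
    ("10.0.0.5", "203.0.113.1", 4500, b"\xff"),
    ("10.0.0.5", "203.0.113.1", 4500, SAMPLE_ESP),
    ("203.0.113.1", "10.0.0.5", 4500, struct.pack("!II", 0x5E5E5E5E, 7) + bytes(16)),
]

if __name__ == "__main__":
    for pkt in SAMPLE_FLOW:
        print(classify_natt_payload(pkt[3]))
    print(summarize_flow(SAMPLE_FLOW))
```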
We're talking about IPsec VPN here, right?
No, it is tunneled in UDP port 4500.
Configuration -> VPN -> IKE -> Global Parameters -> Check box for "Enable IPSec over NAT-T"
But how is this so? I thought VPN is tunneled across the web using port 80, as my firewall only allows clients to go out on port 80. How will it let port 4500 out?
I'm sorry I don't understand what you mean.
VPN clients accessing your firewall are connecting on UDP 500 or 4500, not port 80.
You may be allowing internal clients out on port 80; this has nothing to do with VPN clients connecting to your firewall.
I always thought IPsec tunnels via port 80, so if I was behind a firewall internally and wanted to allow VPN clients from inside to VPN out, would I need to allow them ports from inside to anywhere outside?
You would need to allow them access to wherever they were attempting to VPN to.
I think we're getting off the subject a little. Did you try to enable NAT-T in ASDM? Did it solve your problem?