Remote access vpn ESP problem

nika.katsitadze
Level 1

I have remote access VPN configured on a Cisco 2901 router. Everything works well except the iPad 2 3G. When I connect with the iPad from the 3G network it connects, but it is unable to access corporate resources. I talked to my telephone provider and they told me that they have some NAT problems with ESP, and advised me to force VPN clients to use UDP ports 500 and 4500. How do I have to configure my router to accomplish this?

Thanks in advance

Accepted Solution

Julio Carvajal
VIP Alumni

Hello,

ISAKMP uses UDP port 500 for the management connection establishment (Phase 1).

NAT-T (used when there are NAT devices in between two VPN endpoints) uses UDP port 4500.

So on your router NAT-T is configured by default; all you have to do, if you have an ACL on the outside interface, is allow this traffic (ISAKMP and NAT-T). On some of the newer IOS versions you do not have to apply the ACL, as by default the VPN traffic (encrypted traffic) bypasses the ACL.

So your requirement is done by default, great thing, right!! You can let your telephone provider know you are ready for the test.

Julio

Do rate all helpful posts!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


2 Replies

I added this command and everything works perfectly:

crypto isakmp nat keepalive 20

Thanks for your reply.
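Putting Julio's answer and the poster's final command together, here is an added IOS configuration example (not the poster's own configuration, and not from the original thread) showing an outside-interface ACL that admits ISAKMP on UDP 500, NAT-T on UDP 4500 and native ESP, plus the NAT keepalive. The interface name GigabitEthernet0/0, the ACL name OUTSIDE-IN and the public address 203.0.113.1 are assumed placeholders.

```cisco
! Added example; assumes the outside interface is GigabitEthernet0/0
! with public address 203.0.113.1 (documentation range) and that an
! inbound ACL named OUTSIDE-IN is applied to it.
!
ip access-list extended OUTSIDE-IN
 remark IKE Phase 1 (ISAKMP) - UDP 500
 permit udp any host 203.0.113.1 eq isakmp
 remark NAT-T encapsulated IKE and ESP - UDP 4500
 permit udp any host 203.0.113.1 eq non500-isakmp
 remark Native ESP for clients that are not behind a NAT device
 permit esp any host 203.0.113.1
 remark Other permitted inbound traffic goes here; everything else is
 remark dropped by the implicit deny at the end of the list
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
!
! Send NAT-T keepalives every 20 seconds so the carrier's NAT keeps the
! UDP 4500 binding open while the tunnel is idle (the value the poster
! reported working).
crypto isakmp nat keepalive 20
!
! Verification from exec mode: for a client behind NAT, "show crypto
! ipsec sa" lists UDP-Encaps in the in-use settings of the SA, which
! confirms the client traffic is carried in UDP 4500 rather than raw ESP.
```

If the router runs one of the newer IOS releases Julio mentions, where IPsec traffic bypasses the interface ACL, the three permit lines do no harm and document the intended flows.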