Cisco Support Community

New Member

Remote access VPN with ASA not working when ASA is behind a NAT router

Hi,

I can make a remote access VPN with the ASA using its outside IP; everything goes well. As soon as I add static NAT on the router for the ASA's outside IP and try the VPN with the global IP, the following error comes on the ASA, whereas I can see the translation on the router (udp-500-inside-global is translated to udp-500-inside-local IP).

PC------Router--------ASA

NAT-T is enabled on the ASA.

Can anyone share their experiences when the ASA is behind a NAT box, and how the ASA can recognize its identity inside the IPsec packets sent by the client.....

Regards,

Ak

7 REPLIES

Re: Remote access VPN with ASA not working when ASA is behind a

Is the router configured for firewalling?

New Member

Re: Remote access VPN with ASA not working when ASA is behind a

Hi Andrew,

On behalf of my colleague I would like to inform you that the router is not configured for firewalling. IPsec traffic is coming directly to the internet router and being forwarded to the ASA.

Regards,

Re: Remote access VPN with ASA not working when ASA is behind a

OK - for NAT-T to work effectively, both ends need to negotiate and support it; does the remote end of the VPN have NAT-T settings?

New Member

Re: Remote access VPN with ASA not working when ASA is behind a

On the other end, we are using the Cisco VPN client and NAT-T is also configured there, i.e. the IPSec over UDP (NAT/PAT) option.

Thanks

Re: Remote access VPN with ASA not working when ASA is behind a

Ahh yes - sorry I missed that in the original post. Can I ask you to post the output from the VPN client log? Also the router debug output - removing any sensitive information, of course.

New Member

Re: Remote access VPN with ASA not working when ASA is behind a

According to the picture you have several retransmissions. When you use NAT-T the ASA will switch from using UDP 500 to UDP 4500 for the negotiation and to pass traffic. Make sure that UDP 4500 is not getting blocked.

Cheers!

- Yamil
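The check Yamil describes (is UDP 4500 actually reaching the ASA, or only UDP 500?) can be made against the router's static NAT configuration before touching any debugs. The following script is an added example, not code from this thread or from Cisco: it parses IOS-style `ip nat inside source static` lines (the sample configuration, addresses and the `10.0.0.2`/`203.0.113.10` pair are constructed for illustration) and reports which of the UDP ports an IKEv1/NAT-T client needs are not forwarded to the ASA's outside address.

```python
import re
from typing import Dict, List, Tuple

# A remote-access client using NAT-T first talks IKE on UDP 500; once NAT is
# detected both IKE and the ESP-in-UDP data path move to UDP 4500. Both ports
# must therefore be translated from the router's global IP to the ASA outside IP.
NAT_T_UDP_PORTS = (500, 4500)

# Per-port static NAT (IOS syntax, trailing "extendable" is optional)
PORT_NAT_RE = re.compile(
    r"^ip nat inside source static (?P<proto>tcp|udp) "
    r"(?P<inside>\S+) (?P<iport>\d+) (?P<global>\S+) (?P<gport>\d+)"
)
# One-to-one static NAT: every protocol and port is forwarded
FULL_NAT_RE = re.compile(
    r"^ip nat inside source static (?P<inside>\d+\.\d+\.\d+\.\d+) "
    r"(?P<global>\d+\.\d+\.\d+\.\d+)\s*$"
)


def parse_static_nat(config: str) -> Tuple[Dict[str, str], Dict[Tuple[str, str, int], Tuple[str, int]]]:
    """Split a router config into one-to-one and per-port static NAT entries.

    Returns (full_map, port_map) where full_map is global_ip -> inside_ip and
    port_map is (global_ip, proto, global_port) -> (inside_ip, inside_port).
    """
    full: Dict[str, str] = {}
    ports: Dict[Tuple[str, str, int], Tuple[str, int]] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank lines and IOS comments
        m = PORT_NAT_RE.match(line)
        if m:
            ports[(m["global"], m["proto"], int(m["gport"]))] = (m["inside"], int(m["iport"]))
            continue
        m = FULL_NAT_RE.match(line)
        if m:
            full[m["global"]] = m["inside"]
    return full, ports


def missing_nat_t_ports(config: str, global_ip: str, asa_outside_ip: str) -> List[int]:
    """Return the NAT-T UDP ports that are NOT forwarded from global_ip to the ASA.

    A port counts as forwarded only if it reaches the ASA on the same port
    number, because the ASA listens for IKE on 500 and for NAT-T on 4500.
    """
    full, ports = parse_static_nat(config)
    if full.get(global_ip) == asa_outside_ip:
        return []  # one-to-one NAT forwards everything, including ESP
    missing = []
    for port in NAT_T_UDP_PORTS:
        if ports.get((global_ip, "udp", port)) != (asa_outside_ip, port):
            missing.append(port)
    return missing


# Constructed sample modelled on the situation in this thread: the router
# translates UDP 500 to the ASA but nothing is configured for UDP 4500.
CONSTRUCTED_ROUTER_CONFIG = """
! constructed example config (hypothetical addresses)
ip nat inside source static udp 10.0.0.2 500 203.0.113.10 500 extendable
ip nat inside source static tcp 10.0.0.3 443 203.0.113.11 443 extendable
"""

# The same config with the NAT-T port added, which is what the check should accept.
CONSTRUCTED_FIXED_CONFIG = CONSTRUCTED_ROUTER_CONFIG + (
    "ip nat inside source static udp 10.0.0.2 4500 203.0.113.10 4500 extendable\n"
)


if __name__ == "__main__":
    for label, cfg in (("as posted", CONSTRUCTED_ROUTER_CONFIG), ("with 4500", CONSTRUCTED_FIXED_CONFIG)):
        gaps = missing_nat_t_ports(cfg, "203.0.113.10", "10.0.0.2")
        print(f"{label}: missing UDP ports -> {gaps or 'none'}")
```

Run against the constructed "as posted" configuration the script reports UDP 4500 as missing, which matches the symptom in the thread (IKE on 500 starts, then retransmissions once the client moves to 4500); after the second static entry is added it reports nothing missing. A one-to-one static NAT for the ASA's outside address also passes, since it forwards every protocol, which is the equivalent of the poster's plan to put a public IP directly on the firewall.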

New Member

Re: Remote access VPN with ASA not working when ASA is behind a

Everything is allowed both on the firewall and the router. I think there is some identity issue because the router is changing the dst IP in the IP header and the IPSEC header is carrying a public IP not belonging to the ASA.....let's see if someone faces similar issues. I am planning to assign public IPs directly on the firewall to avoid the problem caused by NAT......
