VPN behind NAT - How to?

Hi Experts,

I have to allow a user from the internal network behind an ASA 5520 to access an external VPN server.

I've tried to connect to the external VPN server from an external IP of our network and the user can connect correctly.

When I try to connect from the INSIDE network of my ASA 5520 to the external VPN server, I cannot connect at all. Note that the inside network works correctly for any other service, like surfing the internet and accessing external servers.

The settings are as follows:

interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address ************ ************
!
interface GigabitEthernet0/1
 shutdown
 nameif INTERNAL
 security-level 100
 ip address ************ ************

Can the problem be caused by the NAT? Do you know how I could solve this issue?

Thanks,

Dario


VPN behind NAT - How to?

Hi,

Try adding ipsec-pass-thru inspection under the global policy map:

policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru

If this doesn't work, make sure that NAT-T is enabled on the VPN server.


VPN behind NAT - How to?

Hi Punit,

I've followed your suggestion but I have the following error:

Regular translation creation failed for protocol 47 src INTERNAL:192.168.100.1 dst OUTSIDE:***********

What can it be caused by?

Thanks,

Dario

VPN behind NAT - How to?

What type of VPN are you using?

The error above shows that you are using GRE from the internal network. If so, ensure that the IP address is statically NATed to the OUTSIDE interface IP. You should also permit GRE traffic from the VPN server.

VPN behind NAT - How to?

I've run the following commands without success:

access-list OUTSIDE_access_in extended permit gre any any
static (INTERNAL,OUTSIDE) ***.***.***.*** ***.***.***.*** netmask 255.255.255.255

Can you please help me correct them?

Thanks,

VPN behind NAT - How to?

The OUTSIDE IP in the static NAT should be the external IP (OUTSIDE) of your network. (My mistake: it should not be the interface IP.) e.g.

static (INTERNAL,OUTSIDE)

The access-list is fine.

VPN behind NAT - How to?

Hi Punit,

Can we?

Thanks,

Dario

VPN behind NAT - How to?

Hi,

From my understanding you need to have the static NAT, as it's not possible to use the external IP address for a static NAT, because you might be using it for PATing your internal network.

jni
VPN behind NAT - How to?

The problem isn't IPsec inspection or your NAT. The problem is the way PPTP communicates. Hence, enable PPTP inspection. Don't enable GRE in your NAT ACLs.

Enter the following instead:

policy-map global_policy
 class inspection_default
  inspect pptp

VPN behind NAT - How to?

This is super.

policy-map global_policy
 class inspection_default
  inspect pptp

This solved my problem. Thanks.
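The fix that closed this thread, expanded into a complete configuration as an added example (this is not from the original thread or from Cisco documentation): it puts the PAT that caused the failure beside the inspection that repairs it. All addresses are assumptions, the inside client 192.168.100.1 is taken from the xlate error message above, and the syntax is the pre-8.3 `static`/`global`/`nat` style the thread itself uses.

```cisco
! Added example, assumed pre-8.3 ASA syntax. Addresses are hypothetical.
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif INTERNAL
 security-level 100
 ip address 192.168.100.254 255.255.255.0
!
! Dynamic PAT of the whole inside network onto the OUTSIDE interface address.
! PAT rewrites a layer-4 port. GRE (IP protocol 47) has no port, so PAT has
! nothing to translate and the ASA logs:
!   Regular translation creation failed for protocol 47 src INTERNAL:192.168.100.1 ...
global (OUTSIDE) 1 interface
nat (INTERNAL) 1 192.168.100.0 255.255.255.0
!
! PPTP inspection follows the TCP/1723 control channel, learns the call IDs
! the two ends negotiate, and creates the matching GRE connection and
! translation itself. With it in place the client needs neither a one-to-one
! static NAT nor a "permit gre" entry on the OUTSIDE access-list.
policy-map global_policy
 class inspection_default
  inspect pptp
!
service-policy global_policy global
```

While a client connects, `show service-policy inspect pptp` should show the packet counters on the PPTP inspector increasing, and `show conn` and `show xlate` should list the GRE entries the inspector created for the inside host; if the counters stay at zero, the client's control channel is not reaching TCP/1723 on the server and the problem is upstream of NAT.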
