Solved

Cisco ASA 5510 IPSec Passthrough

Posted on 2006-06-28
9,543 Views
Last Modified: 2013-11-16
I need to enable VPN passthrough on our ASA 5510.
 
To be more specific, we have machines located on our inside private (NAT) network that need to use the Cisco VPN client to connect to remote Cisco VPN servers. At the moment they cannot do this. There must be a way to do this without needing to set up a 1 to 1 NAT or something like that.
Question by:willp2
9 Comments
 
LVL 19

Accepted Solution

by:
nodisco earned 500 total points
ID: 17004973
Are you able to connect to the remote networks via Cisco VPN at all?
Or are you able to connect but not able to pass traffic?

If the latter, you will need to set up NAT traversal to allow the encrypted traffic to go back as it's originating from behind a NAT device.  If you have a PIX at the other end - set up nat-t:
isakmp nat-traversal 20

If a VPN concentrator - you need to check the box for allowing nat-transparency.

Please advise on the above and we can assist further

hth
 
LVL 1

Author Comment

by:willp2
ID: 17005062
We can connect, but not pass traffic. The other end is Cisco, but I don't have control over it and just getting config info is a challenge.

As a temporary workaround we did a static NAT from one public address to one private address, but I'd like to be able to VPN from any machine on the inside network.
 
LVL 19

Expert Comment

by:nodisco
ID: 17005104
nat traversal will fix the issue for you then - because you are behind nat, the IPSec traffic is not getting back to you correctly.

Even if you can temporarily get the techs who support the remote PIX/Conc to allow nat-traversal just to prove the point that this is what is causing the issue.
Our support dept have to VPN into sites a lot from inside our firewalls and nat traversal once configured on the remote end solves this issue.
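To make concrete why the client can negotiate but not pass traffic, here is an added Python model of the three situations discussed in this thread: raw ESP behind port-based NAT (PAT), ESP encapsulated in UDP/4500 after NAT traversal is negotiated, and the 1:1 static NAT workaround. This is illustration code written for this page, not code from the thread or from Cisco. The addresses, SPIs and the simplified PAT behaviour are constructed assumptions; real NAT devices differ in detail (some "IPsec pass-through" features track the ESP SPI for a single inside host), but the core point holds: ESP (IP protocol 50) carries no port numbers, so a PAT device has nothing to map the returning packets back onto, while IKE on UDP/500 and NAT-T on UDP/4500 do.

```python
"""Toy model: why raw ESP breaks behind PAT while NAT-T and 1:1 NAT work.
Added illustration for this thread; all values below are constructed."""
from dataclasses import dataclass
from typing import Optional

ESP, UDP = 50, 17  # IP protocol numbers (real values)


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # None for ESP: no transport-layer ports
    dport: Optional[int] = None
    spi: Optional[int] = None    # ESP Security Parameters Index


class Pat:
    """Port address translation: many inside hosts share one public IP.
    Entries are keyed on (proto, inside ip, inside port); a protocol
    without ports (ESP) never gets an entry the reverse lookup can use."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self._next_port = 1024
        self._out = {}  # (proto, inside_ip, inside_port) -> public_port
        self._in = {}   # (proto, public_port) -> (inside_ip, inside_port)

    def outbound(self, p):
        if p.sport is None:  # ESP: source IP rewritten, nothing to track
            return Packet(p.proto, self.public_ip, p.dst, spi=p.spi)
        key = (p.proto, p.src, p.sport)
        if key not in self._out:
            self._out[key] = self._next_port
            self._in[(p.proto, self._next_port)] = (p.src, p.sport)
            self._next_port += 1
        return Packet(p.proto, self.public_ip, p.dst, self._out[key], p.dport, p.spi)

    def inbound(self, p):
        entry = self._in.get((p.proto, p.dport))
        if entry is None:
            return None  # no translation state: dropped at the edge
        inside_ip, inside_port = entry
        return Packet(p.proto, p.src, inside_ip, p.sport, inside_port, p.spi)


class StaticNat:
    """1:1 static NAT (the temporary workaround in the thread): one public
    IP per inside host, so even portless ESP can be mapped back by IP."""

    def __init__(self, mapping):
        self._out = dict(mapping)                      # inside -> public
        self._in = {v: k for k, v in mapping.items()}  # public -> inside

    def outbound(self, p):
        return Packet(p.proto, self._out[p.src], p.dst, p.sport, p.dport, p.spi)

    def inbound(self, p):
        inside = self._in.get(p.dst)
        if inside is None:
            return None
        return Packet(p.proto, p.src, inside, p.sport, p.dport, p.spi)


def roundtrip(nat, outbound):
    """Translate one packet outward, synthesise the peer's reply (swapped
    addresses/ports), translate it back. Returns the inside host that
    receives the reply, or None if the reply is lost at the NAT device."""
    wire = nat.outbound(outbound)
    reply = Packet(wire.proto, wire.dst, wire.src, wire.dport, wire.sport, wire.spi)
    back = nat.inbound(reply)
    return back.dst if back else None


# Constructed sample addresses (documentation ranges) and SPI.
INSIDE_A, INSIDE_B = "10.1.1.10", "10.1.1.11"
PEER, PUBLIC = "203.0.113.5", "198.51.100.1"


def raw_esp_behind_pat():
    # IKE on UDP/500 has ports and works; the ESP data packets do not.
    return roundtrip(Pat(PUBLIC), Packet(ESP, INSIDE_A, PEER, spi=0x1001))


def nat_t_behind_pat():
    # With NAT-T negotiated, ESP rides inside UDP/4500 and PAT can track it.
    return roundtrip(Pat(PUBLIC), Packet(UDP, INSIDE_A, PEER, 4500, 4500, spi=0x1001))


def nat_t_two_hosts_behind_pat():
    # Two inside clients share one public IP; distinct PAT ports keep them apart.
    pat = Pat(PUBLIC)
    return tuple(roundtrip(pat, Packet(UDP, h, PEER, 4500, 4500, spi=0x1001))
                 for h in (INSIDE_A, INSIDE_B))


def raw_esp_behind_static_nat():
    # The thread's workaround: a dedicated public IP per inside host.
    return roundtrip(StaticNat({INSIDE_A: "198.51.100.10"}),
                     Packet(ESP, INSIDE_A, PEER, spi=0x1001))


if __name__ == "__main__":
    print("raw ESP via PAT       ->", raw_esp_behind_pat())
    print("NAT-T via PAT         ->", nat_t_behind_pat())
    print("NAT-T, two hosts      ->", nat_t_two_hosts_behind_pat())
    print("raw ESP via 1:1 NAT   ->", raw_esp_behind_static_nat())
```

The model also shows why the static NAT workaround does not scale: it needs one public address per VPN client, whereas NAT-T lets any number of inside clients share one public address, which is why the remote peer has to accept NAT-T for the general case to work.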
 
LVL 1

Author Comment

by:willp2
ID: 17005189
Just out of curiosity, what is it about being behind a Cisco firewall that prevents me from making this connection? I can do the same thing from behind Sonicwall, Checkpoint and Netscreen firewalls and I've never had to touch the local firewall as long as they were set to allow IPSec pass through.
 
LVL 19

Expert Comment

by:nodisco
ID: 17005491
I don't think there is any difference between them as they all need to allow IPSec to pass through.  The difference with the PIX is that isakmp nat-traversal is not enabled by default.
 
LVL 1

Author Comment

by:willp2
ID: 17005614
"isakmp nat-traversal 20, If a VPN concentrator - you need to check the box for allowing nat-transparency."

OK, just so I'm clear, do these changes need to be made on my local firewall or the remote VPN box? I tried doing this locally, but I think I need to get nat-transparency turned on on the remote firewall, is that correct?
 
LVL 19

Expert Comment

by:nodisco
ID: 17007503
Correct - unfortunately this can be difficult to arrange if you don't control the remote device, but it needs to be configured for your traffic to get back to you
 
LVL 1

Author Comment

by:willp2
ID: 17009950
OK thanks. I will comment again on the difference between the Cisco box and others. On all the other firewalls I mentioned, I didn't need to make a change on the remote end of the connection to make this work. Seems odd.

Thanks for your time and helpful comments
 
LVL 4

Expert Comment

by:itquestions
ID: 20035407
nat traversal was the perfect solution for us on an ASA 5510.  Thanks!