Solved

Cisco ASA 5510 IPSec Passthrough

Posted on 2006-06-28
9
9,503 Views
Last Modified: 2013-11-16
I need to enable VPN passthrough on our ASA 5510.
 
To be more specific, we have machines located on our inside private (NAT) network that need to use the Cisco VPN client to connect to remote Cisco VPN servers. At the moment they cannot do this. There must be a way to do this without needing to setup a 1 to 1 NAT or something like that
0
Comment
Question by:willp2
  • 4
  • 4
9 Comments
 
LVL 19

Accepted Solution

by:
nodisco earned 500 total points
ID: 17004973
Are you able to connect to the remote networks via Cisco VPN at all?
Or are you able to connect but not able to pass traffic?

If the latter, you will need to setup nat traversal to allow the encrypted traffic to go back as its originating from behind a nat device.  If you have a PIX at the other end - setup nat-t:
isakmp nat-traversal 20

If a VPN concentrator - you need to check the box for allowing nat-transparency.

Please advise on the above and we can assist further

hth
0
 
LVL 1

Author Comment

by:willp2
ID: 17005062
We can connect, but not pass traffic. The other end is Cisco, but I don't have control over it and just getting config info is a challenge.

As a temporary workaround we did a static NAT from one public address to one private address, but I'd like to be able to VPN from any machine on the inside network.
0
 
LVL 19

Expert Comment

by:nodisco
ID: 17005104
nat traversal will fix the issue for you then - because you are behind nat, the IPSec traffic is not getting back to you correctly.

Even if you can temporarily get the techs who support the remote PIX/Conc to allow nat-traversal just to prove the point that this is what is causing the issue.
Our support dept have to VPN into sites a lot from inside our firewalls and nat traversal once configured on the remote end solves this issue.



0
 
LVL 1

Author Comment

by:willp2
ID: 17005189
Just out of curiosity, what is it about being behind a Cisco firewall that prevents me from making this connection? I can do the same thing from behind Sonicwall, Checkpoint and Netscreen firewalls and I've never had to touch the local firewall as long as they were set to do allow IPSec pass trough.
0
Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

 
LVL 19

Expert Comment

by:nodisco
ID: 17005491
I don't think there is any difference between them as they all need to allo IPSec to pass through.  The difference with the PIX is that isakmp nat-traversal is not enabled by default.  
0
 
LVL 1

Author Comment

by:willp2
ID: 17005614
"isakmp nat-traversal 20, If a VPN concentrator - you need to check the box for allowing nat-transparency."

OK, just so I'm clear, do these changes need to be made on my local firewall or the remote VPN box? I tried doing this locally, but I think I need to get net-transparency turned on on the remote firewall is that correct?
0
 
LVL 19

Expert Comment

by:nodisco
ID: 17007503
Correct - unfortunately this can be difficult to arrange if you don't control the remote device, but it needs to be configured for your traffic to get back to you
0
 
LVL 1

Author Comment

by:willp2
ID: 17009950
OK thanks. I will comment again on the difference between the Cisco box and others. On all the other firewall's I mentioned, I didn't need to make a change on the remote end of the connection to make this work. Seem odd.

Thanks for your time and helpful comments
0
 
LVL 4

Expert Comment

by:itquestions
ID: 20035407
nat traversal was the perfect solution for us on an ASA 5510.  Thanks!
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Suggested Solutions

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now