Cisco ASA 5510 IPSec Passthrough

I need to enable VPN passthrough on our ASA 5510.
 
To be more specific, we have machines located on our inside private (NAT) network that need to use the Cisco VPN client to connect to remote Cisco VPN servers. At the moment they cannot do this. There must be a way to do this without needing to set up a 1-to-1 NAT or something like that.
willp2 Asked:
nodisco Commented:
Are you able to connect to the remote networks via Cisco VPN at all?
Or are you able to connect but not able to pass traffic?

If the latter, you will need to set up NAT traversal to allow the encrypted traffic to go back, as it's originating from behind a NAT device. If you have a PIX at the other end, set up NAT-T:
isakmp nat-traversal 20

If a VPN concentrator, you need to check the box for allowing NAT transparency.

Please advise on the above and we can assist further

hth
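As an added illustration of the two sides of the fix described above (this is not configuration from the original thread), the fragment below shows the NAT-T command on the remote VPN server alongside what the local ASA 5510 needs to let a client's IKE and ESP traffic out through its PAT. The inside subnet 10.1.1.0/24, the ACL name inside_out and the ASA 7.x/8.x command forms are assumptions; check them against your own release.

```cisco
! --- Remote end: the PIX/ASA the Cisco VPN client connects to ---
! PIX 6.x syntax, as quoted in the answer above. The "20" is the NAT-T
! keepalive interval in seconds; it keeps the PAT entry on the client's
! firewall alive while the tunnel is idle.
isakmp nat-traversal 20
! Assumed ASA 7.x/8.x equivalent of the same setting:
crypto isakmp nat-traversal 20
! With NAT-T enabled, the peers exchange NAT-Discovery hashes in IKE phase 1;
! when a NAT is detected, ESP is encapsulated in UDP/4500, which a PAT device
! can translate like any other UDP flow.

! --- Local end: the ASA 5510 in front of the clients (assumed addressing) ---
! Permit IKE (UDP/500), NAT-T (UDP/4500) and raw ESP out from the inside net.
! Outbound traffic is normally allowed by the default security levels; the
! ACL is shown for sites that apply an explicit inside filter.
access-list inside_out extended permit udp 10.1.1.0 255.255.255.0 any eq isakmp
access-list inside_out extended permit udp 10.1.1.0 255.255.255.0 any eq 4500
access-list inside_out extended permit esp 10.1.1.0 255.255.255.0 any
access-group inside_out in interface inside

! Local mitigation when the remote end will not enable NAT-T: raw ESP carries
! no port numbers, so a PAT cannot map returning ESP to an inside host.
! IPsec pass-through inspection lets the ASA open a pinhole for ESP/AH that
! belongs to an ISAKMP session it has already translated.
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru
service-policy global_policy global
```

Apply the remote-end change first: it is the setting the answer identifies as the real fix, and NAT-T also removes the dependence on the local ESP pinhole. The local inspection and ACL entries only make sure the ASA is not the piece blocking the UDP/500, UDP/4500 or ESP packets the client sends.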
 
willp2 (Author) Commented:
We can connect, but not pass traffic. The other end is Cisco, but I don't have control over it and just getting config info is a challenge.

As a temporary workaround we did a static NAT from one public address to one private address, but I'd like to be able to VPN from any machine on the inside network.
 
nodisco Commented:
NAT traversal will fix the issue for you then. Because you are behind NAT, the IPsec traffic is not getting back to you correctly.

Even if you can temporarily get the techs who support the remote PIX/concentrator to allow NAT traversal, just to prove the point that this is what is causing the issue.
Our support dept has to VPN into sites a lot from inside our firewalls, and NAT traversal, once configured on the remote end, solves this issue.
 
willp2 (Author) Commented:
Just out of curiosity, what is it about being behind a Cisco firewall that prevents me from making this connection? I can do the same thing from behind SonicWall, Check Point and NetScreen firewalls and I've never had to touch the local firewall as long as they were set to allow IPsec pass-through.
 
nodisco Commented:
I don't think there is any difference between them, as they all need to allow IPsec to pass through. The difference with the PIX is that isakmp nat-traversal is not enabled by default.
 
willp2 (Author) Commented:
"isakmp nat-traversal 20. If a VPN concentrator, you need to check the box for allowing NAT transparency."

OK, just so I'm clear, do these changes need to be made on my local firewall or the remote VPN box? I tried doing this locally, but I think I need to get NAT transparency turned on on the remote firewall. Is that correct?
 
nodisco Commented:
Correct. Unfortunately this can be difficult to arrange if you don't control the remote device, but it needs to be configured for your traffic to get back to you.
 
willp2 (Author) Commented:
OK, thanks. I will comment again on the difference between the Cisco box and others. On all the other firewalls I mentioned, I didn't need to make a change on the remote end of the connection to make this work. Seems odd.

Thanks for your time and helpful comments.
 
itquestions Commented:
NAT traversal was the perfect solution for us on an ASA 5510. Thanks!