?
Solved

Cisco ASA 5510 IPSec Passthrough

Posted on 2006-06-28
9
Medium Priority
?
9,598 Views
Last Modified: 2013-11-16
I need to enable VPN passthrough on our ASA 5510.
 
To be more specific, we have machines located on our inside private (NAT) network that need to use the Cisco VPN client to connect to remote Cisco VPN servers. At the moment they cannot do this. There must be a way to do this without needing to setup a 1 to 1 NAT or something like that
0
Comment
Question by:willp2
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
9 Comments
 
LVL 19

Accepted Solution

by:
nodisco earned 2000 total points
ID: 17004973
Are you able to connect to the remote networks via Cisco VPN at all?
Or are you able to connect but not able to pass traffic?

If the latter, you will need to setup nat traversal to allow the encrypted traffic to go back as its originating from behind a nat device.  If you have a PIX at the other end - setup nat-t:
isakmp nat-traversal 20

If a VPN concentrator - you need to check the box for allowing nat-transparency.

Please advise on the above and we can assist further

hth
0
 
LVL 1

Author Comment

by:willp2
ID: 17005062
We can connect, but not pass traffic. The other end is Cisco, but I don't have control over it and just getting config info is a challenge.

As a temporary workaround we did a static NAT from one public address to one private address, but I'd like to be able to VPN from any machine on the inside network.
0
 
LVL 19

Expert Comment

by:nodisco
ID: 17005104
nat traversal will fix the issue for you then - because you are behind nat, the IPSec traffic is not getting back to you correctly.

Even if you can temporarily get the techs who support the remote PIX/Conc to allow nat-traversal just to prove the point that this is what is causing the issue.
Our support dept have to VPN into sites a lot from inside our firewalls and nat traversal once configured on the remote end solves this issue.



0
Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

 
LVL 1

Author Comment

by:willp2
ID: 17005189
Just out of curiosity, what is it about being behind a Cisco firewall that prevents me from making this connection? I can do the same thing from behind Sonicwall, Checkpoint and Netscreen firewalls and I've never had to touch the local firewall as long as they were set to do allow IPSec pass trough.
0
 
LVL 19

Expert Comment

by:nodisco
ID: 17005491
I don't think there is any difference between them as they all need to allo IPSec to pass through.  The difference with the PIX is that isakmp nat-traversal is not enabled by default.  
0
 
LVL 1

Author Comment

by:willp2
ID: 17005614
"isakmp nat-traversal 20, If a VPN concentrator - you need to check the box for allowing nat-transparency."

OK, just so I'm clear, do these changes need to be made on my local firewall or the remote VPN box? I tried doing this locally, but I think I need to get net-transparency turned on on the remote firewall is that correct?
0
 
LVL 19

Expert Comment

by:nodisco
ID: 17007503
Correct - unfortunately this can be difficult to arrange if you don't control the remote device, but it needs to be configured for your traffic to get back to you
0
 
LVL 1

Author Comment

by:willp2
ID: 17009950
OK thanks. I will comment again on the difference between the Cisco box and others. On all the other firewall's I mentioned, I didn't need to make a change on the remote end of the connection to make this work. Seem odd.

Thanks for your time and helpful comments
0
 
LVL 4

Expert Comment

by:itquestions
ID: 20035407
nat traversal was the perfect solution for us on an ASA 5510.  Thanks!
0

Featured Post

Enroll in September's Course of the Month

This month’s featured course covers 16 hours of training in installation, management, and deployment of VMware vSphere virtualization environments. It's free for Premium Members, Team Accounts, and Qualified Experts!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…
Suggested Courses

718 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question