Solved

Cisco ASA 5510 IPSec Passthrough

Posted on 2006-06-28
Last Modified: 2013-11-16
I need to enable VPN passthrough on our ASA 5510.
 
To be more specific, we have machines located on our inside private (NAT) network that need to use the Cisco VPN client to connect to remote Cisco VPN servers. At the moment they cannot do this. There must be a way to do this without needing to set up a 1-to-1 NAT or something like that.
Question by:willp2
9 Comments
 
LVL 19

Accepted Solution

by: nodisco earned 500 total points
ID: 17004973
Are you able to connect to the remote networks via Cisco VPN at all?
Or are you able to connect but not able to pass traffic?

If the latter, you will need to set up NAT traversal to allow the encrypted traffic to go back, as it's originating from behind a NAT device.  If you have a PIX at the other end, set up NAT-T:
    isakmp nat-traversal 20

If a VPN concentrator, you need to check the box for allowing NAT transparency.

Please advise on the above and we can assist further

hth
0
 
LVL 1

Author Comment

by:willp2
ID: 17005062
We can connect, but not pass traffic. The other end is Cisco, but I don't have control over it and just getting config info is a challenge.

As a temporary workaround we did a static NAT from one public address to one private address, but I'd like to be able to VPN from any machine on the inside network.
0
 
LVL 19

Expert Comment

by:nodisco
ID: 17005104
NAT traversal will fix the issue for you then. Because you are behind NAT, the IPSec traffic is not getting back to you correctly.

Even if you can temporarily get the techs who support the remote PIX/Concentrator to allow NAT traversal, just to prove the point that this is what is causing the issue.
Our support dept have to VPN into sites a lot from inside our firewalls, and NAT traversal, once configured on the remote end, solves this issue.



0
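The point nodisco makes above (IKE gets through, but the encrypted data does not come back to the right inside host) can be shown with a small model of a port-address-translation device. The following is an added example written for this thread, not code from the thread or from Cisco: it models a PAT device with one public address, raw ESP (IP protocol 50, which carries no port numbers), and NAT-T (RFC 3948, ESP wrapped in UDP port 4500). All addresses are constructed from documentation ranges, and the one-host "IPsec passthrough" behaviour for raw ESP is a simplification of what real devices do.

```python
"""Why IPsec from behind PAT needs NAT-T: a toy port-address-translation model.

Added example (not from the thread). IKE runs over UDP/500 and translates like any
UDP flow, so the client "connects". Raw ESP has no ports, so the PAT device can
only track one inside host at a time and cannot tell whose reply is whose. With
NAT-T the ESP is carried in UDP/4500 and each inside host gets its own public port.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.10"   # constructed: the PAT device's single public address
REMOTE_GW = "198.51.100.5"   # constructed: the remote Cisco VPN gateway
UDP = "udp"
ESP = "esp"                  # IP protocol 50: no source/destination ports
IKE_PORT = 500
NAT_T_PORT = 4500            # RFC 3948 UDP encapsulation of ESP


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: Optional[int] = None   # None for ESP
    dport: Optional[int] = None
    payload: str = ""


class PatDevice:
    """Single-public-address PAT with a simplified one-host passthrough for raw ESP."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map: Dict[Tuple[str, int], int] = {}   # (inside ip, inside port) -> public port
        self.in_map: Dict[int, Tuple[str, int]] = {}    # public port -> (inside ip, inside port)
        self.esp_owner: Optional[str] = None            # the one inside host using raw ESP

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate inside->outside; None means the PAT device drops the packet."""
        if pkt.proto == UDP:
            key = (pkt.src, pkt.sport)
            if key not in self.out_map:          # allocate a fresh public port per inside flow
                port = self.next_port
                self.next_port += 1
                self.out_map[key] = port
                self.in_map[port] = key
            return Packet(self.public_ip, pkt.dst, UDP, self.out_map[key], pkt.dport, pkt.payload)
        if pkt.proto == ESP:
            # Nothing to rewrite but the address, so only the first host can be tracked.
            if self.esp_owner is None:
                self.esp_owner = pkt.src
            if self.esp_owner != pkt.src:
                return None
            return Packet(self.public_ip, pkt.dst, ESP, payload=pkt.payload)
        return None

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate outside->inside; None means no matching state, so it is dropped."""
        if pkt.proto == UDP:
            inside = self.in_map.get(pkt.dport)
            if inside is None:
                return None
            return Packet(pkt.src, inside[0], UDP, pkt.sport, inside[1], pkt.payload)
        if pkt.proto == ESP and self.esp_owner is not None:
            return Packet(pkt.src, self.esp_owner, ESP, payload=pkt.payload)
        return None


def _round_trip(pat: PatDevice, out: Packet) -> bool:
    """Send one packet out and have the remote gateway answer to what it saw."""
    public = pat.outbound(out)
    if public is None:
        return False
    reply = Packet(REMOTE_GW, public.src, public.proto, public.dport, public.sport, "reply")
    back = pat.inbound(reply)
    return back is not None and back.dst == out.src


def simulate(nat_t: bool, hosts=("10.0.0.11", "10.0.0.12")) -> Dict[str, Tuple[bool, bool]]:
    """For each inside host return (IKE reply delivered, data reply delivered)."""
    pat = PatDevice(PUBLIC_IP)
    result = {}
    for host in hosts:
        ike = _round_trip(pat, Packet(host, REMOTE_GW, UDP, IKE_PORT, IKE_PORT, "IKE"))
        if nat_t:
            data = Packet(host, REMOTE_GW, UDP, NAT_T_PORT, NAT_T_PORT, "ESP-in-UDP")
        else:
            data = Packet(host, REMOTE_GW, ESP, payload="ESP")
        result[host] = (ike, _round_trip(pat, data))
    return result


if __name__ == "__main__":
    print("raw ESP:", simulate(nat_t=False))
    print("NAT-T:  ", simulate(nat_t=True))
```

Running it shows the symptom from the thread: without NAT-T both hosts complete IKE (the "connect" step), but only the first host gets ESP replies, which is why a static one-to-one NAT for a single machine works as a stopgap; with NAT-T every host's encrypted traffic rides on its own translated UDP port and comes back correctly. The remote gateway has to agree to the UDP encapsulation, which is why the setting lives on the remote end.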

 
LVL 1

Author Comment

by:willp2
ID: 17005189
Just out of curiosity, what is it about being behind a Cisco firewall that prevents me from making this connection? I can do the same thing from behind SonicWall, Checkpoint and Netscreen firewalls and I've never had to touch the local firewall as long as they were set to allow IPSec passthrough.
0
 
LVL 19

Expert Comment

by:nodisco
ID: 17005491
I don't think there is any difference between them, as they all need to allow IPSec to pass through.  The difference with the PIX is that isakmp nat-traversal is not enabled by default.
0
 
LVL 1

Author Comment

by:willp2
ID: 17005614
"isakmp nat-traversal 20, If a VPN concentrator - you need to check the box for allowing nat-transparency."

OK, just so I'm clear, do these changes need to be made on my local firewall or the remote VPN box? I tried doing this locally, but I think I need to get NAT transparency turned on on the remote firewall; is that correct?
0
 
LVL 19

Expert Comment

by:nodisco
ID: 17007503
Correct. Unfortunately this can be difficult to arrange if you don't control the remote device, but it needs to be configured for your traffic to get back to you.
0
 
LVL 1

Author Comment

by:willp2
ID: 17009950
OK, thanks. I will comment again on the difference between the Cisco box and others. On all the other firewalls I mentioned, I didn't need to make a change on the remote end of the connection to make this work. Seems odd.

Thanks for your time and helpful comments
0
 
LVL 4

Expert Comment

by:itquestions
ID: 20035407
NAT traversal was the perfect solution for us on an ASA 5510.  Thanks!
0
