ahmedjoo asked:
Cisco ASA VPN Passthrough

I have a router behind my ASA firewall that terminates VPN client connections.  I want to allow the VPN connections to pass through the ASA to the router at 172.16.1.2 on the inside interface of the ASA.  I started by entering:

static (inside,outside) tcp interface 50 172.16.1.2 50
static (inside,outside) tcp interface 51 172.16.1.2 51
static (inside,outside) udp interface 500 172.16.1.2 500

However, the last one errors:

ERROR: unable to reserve port 500 for static PAT
ERROR: unable to download policy

What does this mean and how do I fix it?  Is this even the right way to go about allowing the VPN traffic to pass through to the router and authenticate?

Thanks in advance.
SOLUTION
clonga13
Istvan Kalmar:
Hi, try to release isakmp:
no crypto map mymap interface outside
ahmedjoo (asker):
Thanks for the replies but perhaps I wasn't clear on what I am trying to accomplish.  

I have an ASA with an outside IP of 192.168.0.67.
I would like to map 192.168.0.68 on the ASA to the router on the inside of the ASA at 172.16.1.2.
The router terminates VPN clients that will be using the Cisco VPN Client.
I want to point the client software to 192.168.0.68 and have the ASA pass the traffic through to the router to terminate and authenticate the VPN connection.
The clients should then be able to access the network on the inside of the router, 10.2.2.0/24

FYI, these aren't my real IPs obviously but instead are used for this example.

I hope this is more clear.  Thanks again.
ASKER CERTIFIED SOLUTION

ahmedjoo (asker):
Please see my first post, ikalmar.  Your suggestion is what I tried originally but:
static (inside,outside) udp 192.168.0.68 500 172.16.1.2 500
causes
ERROR: unable to reserve port 500 for static PAT
ERROR: unable to download policy

You also posted earlier that:
ikalmar:
Sorry, you are not able to PAT UDP 500, because you use it for VPN!

Is there a way to override this and map UDP 500 anyway?
Never mind, those commands were accepted.  However, even though I see this on the ASA:

access-list outside line 6 extended permit udp any host 24.249.90.68 eq isakmp (hitcnt=4)

Each time I attempt to connect with the VPN Client I see the hit count of this ACL increase, so my connection attempt is making it to the ASA.  However, it never connects, so something else must be blocking it.

Thank you.
Got it working.  

FYI UDP port 4500 is also required.

Now to figure out how to do the same thing for L2L tunnels.
So I have the VPN Clients working just fine and able to access servers through the ASA and behind the router that is terminating the VPN connection.

My L2L tunnels build and negotiate but I can't pass any traffic.  Any ideas?
Can you post a show crypto ipsec sa from the router not passing traffic? Sounds like you need to permit ESP/AH packets through the ASA.  These are protocols 50 & 51 (ESP & AH, respectively).  If you do a debug crypto ipsec 128, you should see the IPSEC negotiation at a pretty detailed level, enough to see if you are even starting IPsec negotiation.  It sounds like you are negotiating isakmp, but if you also wouldn't mind, please post a show crypto isakmp sa as well.
Turns out all I had to do was enable nat-traversal on each remote ASA and the local ASA.  Once I did that all L2L tunnels came right up.
Good deal.  I thought ikalmar had already suggested that above.  Glad you got it solved.
Ah yes, he did.  Too bad I missed that or I would have saved myself a lot of time.  :(
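Pulling the thread's resolution together, here is an added example configuration (mine, not posted by anyone in the thread) for a pre-8.3 ASA passing IPsec through to an inside VPN router: it covers the client passthrough (udp/500, udp/4500, ESP and AH) from the "Got it working" post and the NAT-T step that fixed the L2L tunnels. It reuses the asker's example addresses and the ACL name "outside" from his post; the interface names and the use of a one-to-one static instead of per-port PAT are my assumptions.

```cisco
! Added example, not from the thread. Pre-8.3 ASA syntax, matching the
! commands used above. Addresses are the asker's example values:
!   ASA outside interface 192.168.0.67, spare public address 192.168.0.68,
!   VPN router on the inside at 172.16.1.2.
! ACL name "outside" comes from the thread; interface names are assumed.
!
! 1. Map the dedicated public address to the inside router one-to-one.
!    A one-to-one static forwards every port and every IP protocol (ESP and
!    AH have no ports at all), and it does not try to reserve udp/500 the
!    way the per-port "static ... udp ... 500" PAT did.
static (inside,outside) 192.168.0.68 172.16.1.2 netmask 255.255.255.255
!
! 2. Permit only what IPsec needs toward the mapped address:
!    ISAKMP (udp/500), NAT-T (udp/4500), ESP (IP protocol 50), AH (51).
!    Note the original "tcp interface 50/51" statics translated TCP ports
!    50 and 51, not IP protocols 50 and 51, so ESP/AH were never forwarded.
access-list outside extended permit udp any host 192.168.0.68 eq isakmp
access-list outside extended permit udp any host 192.168.0.68 eq 4500
access-list outside extended permit esp any host 192.168.0.68
access-list outside extended permit ah any host 192.168.0.68
access-group outside in interface outside
!
! 3. On each ASA at either end of a L2L tunnel whose peer sits behind NAT,
!    enable NAT-T so ESP rides inside udp/4500 (the step that brought the
!    L2L tunnels up above). 20 is the keepalive interval in seconds.
crypto isakmp nat-traversal 20
```

Verify with "show xlate" (the one-to-one translation should appear) and watch the hit counts on the four ACL lines with "show access-list outside" while a client connects; a rising isakmp count with zero on udp/4500 or esp points at exactly the symptom the asker hit.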