Cisco ASA VPN Passthrough

ahmedjoo
I have a router behind my ASA firewall that terminates VPN client connections.  I want to allow the VPN connections to passthrough the ASA to the router at 172.16.1.2 on the inside interface of the ASA.  I started by entering:

static (inside,outside) tcp interface 50 172.16.1.2 50
static (inside,outside) tcp interface 51 172.16.1.2 51
static (inside,outside) udp interface 500 172.16.1.2 500

However, this one errors:

ERROR: unable to reserve port 500 for static PAT
ERROR: unable to download policy

What does this mean and how do I fix it?  Is this even the right way to go about allowing the VPN traffic to pass through to the router and authenticate?

Thanks in advance.
Commented:
try adding sysopt permit-ipsec to the ASA. Also, you need to allow ESP and AH traffic through. If you have multiple public IP addresses, it may be easier to assign one of the unused ones instead of using PAT and specifying each port.
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
Hi, try to release isakmp:

no crypto map mymap interface outside

Istvan Kalmar, Head of IT Security Division
Top Expert 2010
Commented:
Sorry, you are not able to PAT UDP 500, because you use it for VPN!

But if your router makes the IPsec connection at all times, it is possible to use it behind the firewall; only the other side must enable NAT-T, and your router builds the site-to-site connection!

Author

Commented:
Thanks for the replies but perhaps I wasn't clear on what I am trying to accomplish.  

I have an ASA with an outside IP of 192.168.0.67.
I would like to map 192.168.0.68 on the ASA to the router on the inside of the ASA at 172.16.1.2.
The router terminates VPN clients that will be using the Cisco VPN Client.
I want to point the client software to 192.168.0.68 and have the ASA pass the traffic through to the router to terminate and authenticate the VPN connection.
The clients should then be able to access the network on the inside of the router, 10.2.2.0/24

FYI, these aren't my real IPs obviously but instead are used for this example.

I hope this is more clear.  Thanks again.
Istvan Kalmar, Head of IT Security Division
Top Expert 2010
Commented:
OK, clearly:

static (inside,outside) tcp 192.168.0.68 50 172.16.1.2 50
static (inside,outside) tcp 192.168.0.68 51 172.16.1.2 51
static (inside,outside) udp 192.168.0.68 500 172.16.1.2 500

access-list outside_access_in extended permit tcp any host 192.168.0.68 eq 50
access-list outside_access_in extended permit tcp any host 192.168.0.68 eq 51
access-list outside_access_in extended permit udp any host 192.168.0.68 eq 500

access-group outside_access_in in interface outside

Author

Commented:
Please see my first post, ikalmar.  Your suggestion is what I tried originally, but:

static (inside,outside) udp 192.168.0.68 500 172.16.1.2 500

causes

ERROR: unable to reserve port 500 for static PAT
ERROR: unable to download policy

You also posted earlier that:
ikalmar:
sorry you not able to pat UDP 500, becouse you use it for VPN!

Is there a way to override this and map UDP 500 anyway?

Author

Commented:
Never mind, those commands were accepted. However, even though I see this on the ASA:

access-list outside line 6 extended permit udp any host 24.249.90.68 eq isakmp (hitcnt=4)

Each time I attempt to connect with the VPN Client I see the hit count of this ACL increase, so my connection attempt is making it to the ASA; however, it never connects, so something else must be blocking it.

Thank you.

Author

Commented:
Got it working.  

FYI UDP port 4500 is also required.

Now to figure out how to do the same thing for L2L tunnels.

Author

Commented:
So I have the VPN Clients working just fine and able to access servers through the ASA and behind the router that is terminating the VPN connection.

My L2L tunnels build and negotiate but I can't pass any traffic.  Any ideas?
Commented:
Can you post a show crypto ipsec sa from the router not passing traffic? Sounds like you need to permit ESP/AH packets through the ASA.  These are protocols 50 & 51 (ESP & AH, respectively).  If you do a debug crypto ipsec 128, you should see the IPsec negotiation at a pretty detailed level, enough to see if you are even starting IPsec negotiation.  It sounds like you are negotiating isakmp, but if you also wouldn't mind posting a show crypto isakmp sa as well.
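As an added example (not from this thread or from Cisco), a small Python checker that parses ASA extended ACL lines and reports which of the services an IPsec endpoint behind the firewall needs (IKE on UDP 500, NAT-T on UDP 4500, and ESP and AH, IP protocols 50 and 51) are not permitted towards the mapped address. The sample ACL is constructed from the rules posted above; the regex only handles the `any` / `host` source forms used in this thread.

```python
import re

# Constructed sample of an ASA outside ACL modelled on the rules in this thread
# (not a real device configuration). ESP and AH are IP protocols 50 and 51, not
# TCP ports, so the first two lines do not permit IPsec data traffic at all.
SAMPLE_ACL = """
access-list outside_access_in extended permit tcp any host 192.168.0.68 eq 50
access-list outside_access_in extended permit tcp any host 192.168.0.68 eq 51
access-list outside_access_in extended permit udp any host 192.168.0.68 eq isakmp
access-list outside_access_in extended permit udp any host 192.168.0.68 eq 4500
"""

# What the outside ACL must permit towards an IPsec endpoint behind the ASA.
REQUIRED = {
    "udp/500": "IKE (ISAKMP)",
    "udp/4500": "NAT-T (IKE and ESP encapsulated in UDP)",
    "esp": "ESP, IP protocol 50",
    "ah": "AH, IP protocol 51",
}

# permit <proto> <src> host <dst> [eq <port>]; source is 'any' or 'host a.b.c.d'
ACE_RE = re.compile(
    r"^access-list\s+\S+\s+extended\s+permit\s+(?P<proto>\S+)\s+"
    r"(?:any|host\s+\S+)\s+host\s+(?P<dst>\S+)(?:\s+eq\s+(?P<port>\S+))?\s*$"
)
PORT_NAMES = {"isakmp": "500"}        # ASA prints udp/500 as "isakmp"
PROTO_NUMBERS = {"50": "esp", "51": "ah"}


def permitted_services(acl_text, dst_host):
    """Return the set of services (proto or proto/port) permitted to dst_host."""
    found = set()
    for line in acl_text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group("dst") != dst_host:
            continue
        proto = PROTO_NUMBERS.get(m.group("proto"), m.group("proto"))
        port = m.group("port")
        if proto in ("esp", "ah"):
            found.add(proto)                  # protocol-level entry, no port
        elif port:
            found.add(f"{proto}/{PORT_NAMES.get(port, port)}")
    return found


def missing_for_ipsec(acl_text, dst_host):
    """Return {service: reason} for everything IPsec needs that is not permitted."""
    have = permitted_services(acl_text, dst_host)
    return {svc: why for svc, why in REQUIRED.items() if svc not in have}


if __name__ == "__main__":
    for svc, why in missing_for_ipsec(SAMPLE_ACL, "192.168.0.68").items():
        print(f"missing: {svc} ({why})")
```

Run against the sample, the checker flags ESP and AH as missing, which is the gap the comment above points at; once NAT-T is negotiated the data traffic arrives inside UDP 4500 instead, which is why the thread's tunnels came up after enabling it.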

Author

Commented:
Turns out all I had to do was enable nat-traversal on each remote ASA and the local ASA.  Once I did that all L2L tunnels came right up.
Commented:
Good deal.  I thought ikalmar had already suggested that above.  Glad you got it solved.

Author

Commented:
Ah yes, he did.  Too bad I missed that or I would have saved myself a lot of time.  :(
