michaelgoldsmith

Remote VPN issue with ASA 5510

Need a quick answer on this:

I have a Cisco ASA 5510 with many IPsec remote access VPN users connected through Cisco remote software. We send out our .pcf file and have them install the software on their PC/laptop, etc. This seems to work flawlessly for everyone except one particular company. They can connect to the ASA but cannot see anything beyond that.

Their tech is telling me I need to enable: isakmp nat-traversal 20 for it to work, but I don't understand why I should do this when everyone else is perfectly fine.

In case it matters, we also use split-tunnel on the remote VPN connections.

HELP!?
Ernie Beek

As per: https://www.experts-exchange.com/questions/21596778/VPN-Question-unable-to-ping-hosts-Nat-traversal.html

'nat-traversal' allows a VPN client that's behind a NAT device (router or firewall performing NAT translation) to successfully connect to a PIX via VPN.  NAT-traversal is off by default, so you have to enable it, as you've seen above.  Without nat-traversal, a VPN client that wanted to connect to your PIX would have to have a public IP directly configured on it, such as: a) using a DSL or cable modem connected to your PC, or b) PC connecting via dialup.
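
How the two ends detect a NAT device in the path once NAT traversal is enabled, as an added example that is not part of the original thread: the NAT-D hash comparison from RFC 3947 and the resulting choice of encapsulation. The cookies, addresses and function names are constructed for illustration.

```python
import hashlib
import ipaddress
import struct

def nat_d(cky_i, cky_r, ip, port, hash_name="sha1"):
    """NAT-D payload per RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port)."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    packed = ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, cky_i + cky_r + packed).digest()

def detect_nat(cky_i, cky_r, natd_dst, natd_src, seen_src, seen_dst):
    """Receiver-side check: recompute the hashes from the IP/UDP header that
    actually arrived and compare them with the hashes the sender put in the packet."""
    return {
        "peer_behind_nat": nat_d(cky_i, cky_r, *seen_src) != natd_src,
        "self_behind_nat": nat_d(cky_i, cky_r, *seen_dst) != natd_dst,
    }

def encapsulation(nat_t_enabled, verdict):
    """ESP has no ports, so a PAT device cannot track it; NAT-T wraps it in UDP."""
    if nat_t_enabled and any(verdict.values()):
        return "ESP in UDP/4500"
    return "ESP (IP protocol 50)"

# Constructed sample values (documentation address ranges, made-up cookies).
CKY_I = bytes.fromhex("1122334455667788")
CKY_R = bytes.fromhex("99aabbccddeeff00")
GATEWAY = ("198.51.100.1", 500)
CLIENT_PRIVATE = ("192.168.1.50", 500)    # what the client believes its source is
CLIENT_AFTER_PAT = ("203.0.113.7", 1024)  # what the gateway sees after translation

def gateway_view(seen_src):
    """The client hashes its own view of the addresses; the gateway compares
    those hashes with the source and destination it received."""
    natd_dst = nat_d(CKY_I, CKY_R, *GATEWAY)
    natd_src = nat_d(CKY_I, CKY_R, *CLIENT_PRIVATE)
    return detect_nat(CKY_I, CKY_R, natd_dst, natd_src, seen_src, GATEWAY)

if __name__ == "__main__":
    for label, src in (("no NAT in path", CLIENT_PRIVATE),
                       ("behind PAT", CLIENT_AFTER_PAT)):
        verdict = gateway_view(src)
        for nat_t in (True, False):
            print(label, "| NAT-T enabled:", nat_t, "|", verdict,
                  "->", encapsulation(nat_t, verdict))
```

With NAT traversal disabled on the gateway, the client behind PAT still ends up on plain ESP, which matches the symptom of a tunnel that comes up but passes no traffic.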
michaelgoldsmith (ASKER)

Makes sense, however I can connect from one of my own remote locations behind an ASA using the remote VPN connection and access the LAN at the other side.

Ernie Beek

Just thinking, there is also a NAT option in the client. Might want to have a look at that.
Second, do they have an ASA at the other side?

michaelgoldsmith (ASKER)

Not sure what the device is on the other side. I can inquire.