

Remote VPN issue with ASA 5510

Posted on 2011-09-07
Last Modified: 2012-05-12
Need a quick answer on this:

I have a Cisco ASA 5510 with many IPsec remote access VPN users connected through Cisco remote software. We send out our .pcf file and have them install the software on their PC/laptop, etc. This seems to work flawlessly for everyone except one particular company. They can connect to the ASA but cannot see anything beyond that.

Their tech is telling me I need to enable: isakmp nat-traversal 20 for it to work, but I don't understand why I should do this when everyone else is perfectly fine.

In case it matters we also use split-tunnel on the remote VPN connections.

Question by: michaelgoldsmith

Expert Comment

by: Ernie Beek
ID: 36496237
As per: http://www.experts-exchange.com/Security/Software_Firewalls/Q_21596778.html

'nat-traversal' allows a VPN client that's behind a NAT device (router or firewall performing NAT translation) to successfully connect to a PIX via VPN.  NAT-traversal is off by default, so you have to enable it, as you've seen above.  Without nat-traversal, a VPN client that wanted to connect to your PIX would have to have a public IP directly configured on it, such as: a) using a DSL or cable modem connected to your PC, or b) PC connecting via dialup.
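
Added example, not part of the original thread and not Cisco's code: a Python sketch of the NAT detection step that NAT traversal relies on, using the NAT-D hash from RFC 3947. It goes beyond the post by showing how a headend decides a client sits behind NAT; the cookies, addresses and function names are constructed for illustration.

```python
import hashlib
import ipaddress
import struct

def nat_d_hash(cky_i, cky_r, ip, port, algo="sha1"):
    """RFC 3947 sec. 3.2: HASH(CKY-I | CKY-R | IP | Port), with the negotiated IKE hash."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("IKEv1 cookies are 8 bytes each")
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()

def build_nat_d(cky_i, cky_r, local, remote):
    """What a peer sends: hash of the remote endpoint first, then of its own endpoint."""
    return [nat_d_hash(cky_i, cky_r, *remote), nat_d_hash(cky_i, cky_r, *local)]

def detect_nat(cky_i, cky_r, payloads, seen_src, seen_dst):
    """Receiver-side check against the addresses actually seen in the IP/UDP header."""
    if len(payloads) < 2:
        raise ValueError("expected at least two NAT-D payloads")
    local_natted = payloads[0] != nat_d_hash(cky_i, cky_r, *seen_dst)
    peer_natted = nat_d_hash(cky_i, cky_r, *seen_src) not in payloads[1:]
    return {
        "peer_behind_nat": peer_natted,
        "local_behind_nat": local_natted,
        # With a NAT in the path, IKE floats to UDP 4500 and ESP is wrapped in UDP,
        # because bare ESP (IP protocol 50) has no ports for a PAT device to track.
        "use_udp_4500": peer_natted or local_natted,
    }

# Constructed sample values (documentation address ranges, made-up cookies).
CKY_I = bytes.fromhex("1122334455667788")
CKY_R = bytes.fromhex("99aabbccddeeff00")
HEADEND = ("203.0.113.10", 500)          # hypothetical VPN headend

def scenario_client_behind_pat():
    client = ("192.168.1.50", 500)       # private address on the client LAN
    payloads = build_nat_d(CKY_I, CKY_R, client, HEADEND)
    # The PAT device rewrote the source before the packet reached the headend.
    return detect_nat(CKY_I, CKY_R, payloads, ("198.51.100.7", 1027), HEADEND)

def scenario_client_public_ip():
    client = ("198.51.100.20", 500)      # client holds a public address itself
    payloads = build_nat_d(CKY_I, CKY_R, client, HEADEND)
    return detect_nat(CKY_I, CKY_R, payloads, client, HEADEND)

if __name__ == "__main__":
    print("behind PAT:", scenario_client_behind_pat())
    print("public IP :", scenario_client_public_ip())
```

The 20 in "isakmp nat-traversal 20" is the NAT keepalive interval in seconds, which keeps the UDP 4500 mapping alive on the NAT device.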

Author Comment

ID: 36496480
Makes sense, however I can connect from one of my own remote locations behind an ASA using the remote VPN connection and access the LAN at the other side.

Expert Comment

by: Ernie Beek
ID: 36496714
Just thinking, there is also a NAT option in the client. Might want to have a look at that.
Second, do they have an ASA at the other side?

Author Comment

ID: 36496816
Not sure what the device is on the other side. I can inquire.

Accepted Solution

Ernie Beek earned 2000 total points
ID: 36496890
It could be an option. On the other hand, would it hurt to enable NAT traversal? Are there specific reasons you don't want to implement that?
