We value your feedback.
Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!
Course Of The Month
9 days, 13 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
How does IPSec establish a connection if Nat-Traversal is disabled in the middle of the chain?
Posted on 2012-04-04
We have a situation where a remote-access VPN is established (Phase 1 & 2), and show crypto isakmp sa says "AM_ACTLIVE". The ASA say zero packets encrypted or decrypted for this VPN.
We think it may be a firewall in the middle that does not allow NAT Traversal.
Is that a fair assumption?
How does the VPN get established if NAT Traversal is not active in the middle of the stream?
Thanks.
We think it may be a firewall in the middle that does not allow NAT Traversal.
Is that a fair assumption?
How does the VPN get established if NAT Traversal is not active in the middle of the stream?
Thanks.
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
3-
3
8 Comments
Active 5 days ago
If phase 2 is established, then NAT-T should work.
Check out the access-list referenced in the crypto-map, may be the reason why no packages are encrypted.
Tamas
Check out the access-list referenced in the crypto-map, may be the reason why no packages are encrypted.
Tamas
Tamas,
Are you saying that if I have Phase 2 established, then all the intermediate firewalls must have NAT-T ( or Nat0 ) enabled?
At least one other forum says that if IPSec is established, and no data is getting through, it is probably because NAT-T is NOT enabled on the intermediate firewall.
Are you saying that if I have Phase 2 established, then all the intermediate firewalls must have NAT-T ( or Nat0 ) enabled?
At least one other forum says that if IPSec is established, and no data is getting through, it is probably because NAT-T is NOT enabled on the intermediate firewall.
Active 5 days ago
As far as I know, NAT-T is enabled on the two IPSec peers. It encapsulates traffic in UDP, so the intermediate devices have to allow UDP port 4500 only, not specifically allow the NAT-T protocol. If UDP port 4500 is firewalled, then no traffic will pass through.
In cisco terminology, "nat 0" is a different animal, it's nat-exemption. Basically it won't translate the source address of packets going through the vpn tunnel, since you most likely don't want them translated.
In cisco terminology, "nat 0" is a different animal, it's nat-exemption. Basically it won't translate the source address of packets going through the vpn tunnel, since you most likely don't want them translated.
If you turn on NAT-T is automatically accepts udp 4500 on all interfaces, no need to craft ACLs, sort of like when you enable ssh on the outside interface from a particular source, you do not also need to add ACL entries. The hole is automatically configured, easier to use.
harbor235 ;}
harbor235 ;}
Allow me to restate the question:
I have a remote VPN that is established (Phase I & II successful, and AM_ACTIVE), but zero traffic is encrypted or decrypted on the ASA.
What is the most likely problem?
Regards,
I have a remote VPN that is established (Phase I & II successful, and AM_ACTIVE), but zero traffic is encrypted or decrypted on the ASA.
What is the most likely problem?
Regards,
The config on the ASA side works well, as a second user from a different remote location (Texas) can log in and pass data. The user in California was able to pass data, up to three weeks ago, when it dropped. The California user has two laptops, both displaying the same indications i.e. IPSec established, but zero encaps/unencaps. The California user is behind multiple firewalls to get to the internet. Sorry I can't provide the conifig, and it looks like I'm troubleshooting someone else's problem. Could the problem be that one of his intermediate FWs is disabled for NAT-Traversal? Would that give you IPSec, but no data?
Featured Post
![[Live Webinar] The Cloud Skills Gap](https://filedb.experts-exchange.com/files/public/2017/5/29/3249c5dc-214e-4f8f-afab-ef354630e19f.png)
As Cloud technologies come of age, business leaders grapple with the impact it has on their team's skills and the gap associated with the use of a cloud platform.
Join experts from 451 Research and Concerto Cloud Services on July 27th where we will examine fact and fiction.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail. The methods are covered in more detail in o…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg).
If you're interested in additional methods for monitoring bandwidt…
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month9 days, 13 hours left to enroll
623 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.