WAN and VoIP monitoring tools that can help with troubleshooting via an intuitive web interface. Review quality of service data, including jitter, latency, packet loss, and MOS. Troubleshoot call performance and correlate call issues with WAN performance for Cisco and Avaya calls
How does IPSec establish a connection if Nat-Traversal is disabled in the middle of the chain?
We have a situation where a remote-access VPN is established (Phase 1 & 2), and show crypto isakmp sa says "AM_ACTLIVE". The ASA say zero packets encrypted or decrypted for this VPN.
We think it may be a firewall in the middle that does not allow NAT Traversal.
Is that a fair assumption?
How does the VPN get established if NAT Traversal is not active in the middle of the stream?
Thanks.
We think it may be a firewall in the middle that does not allow NAT Traversal.
Is that a fair assumption?
How does the VPN get established if NAT Traversal is not active in the middle of the stream?
Thanks.
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get this solution by purchasing an Individual license!
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
Tamas,
Are you saying that if I have Phase 2 established, then all the intermediate firewalls must have NAT-T ( or Nat0 ) enabled?
At least one other forum says that if IPSec is established, and no data is getting through, it is probably because NAT-T is NOT enabled on the intermediate firewall.
Are you saying that if I have Phase 2 established, then all the intermediate firewalls must have NAT-T ( or Nat0 ) enabled?
At least one other forum says that if IPSec is established, and no data is getting through, it is probably because NAT-T is NOT enabled on the intermediate firewall.
As far as I know, NAT-T is enabled on the two IPSec peers. It encapsulates traffic in UDP, so the intermediate devices have to allow UDP port 4500 only, not specifically allow the NAT-T protocol. If UDP port 4500 is firewalled, then no traffic will pass through.
In cisco terminology, "nat 0" is a different animal, it's nat-exemption. Basically it won't translate the source address of packets going through the vpn tunnel, since you most likely don't want them translated.
In cisco terminology, "nat 0" is a different animal, it's nat-exemption. Basically it won't translate the source address of packets going through the vpn tunnel, since you most likely don't want them translated.
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
If you turn on NAT-T is automatically accepts udp 4500 on all interfaces, no need to craft ACLs, sort of like when you enable ssh on the outside interface from a particular source, you do not also need to add ACL entries. The hole is automatically configured, easier to use.
harbor235 ;}
harbor235 ;}
Allow me to restate the question:
I have a remote VPN that is established (Phase I & II successful, and AM_ACTIVE), but zero traffic is encrypted or decrypted on the ASA.
What is the most likely problem?
Regards,
I have a remote VPN that is established (Phase I & II successful, and AM_ACTIVE), but zero traffic is encrypted or decrypted on the ASA.
What is the most likely problem?
Regards,
The config on the ASA side works well, as a second user from a different remote location (Texas) can log in and pass data. The user in California was able to pass data, up to three weeks ago, when it dropped. The California user has two laptops, both displaying the same indications i.e. IPSec established, but zero encaps/unencaps. The California user is behind multiple firewalls to get to the internet. Sorry I can't provide the conifig, and it looks like I'm troubleshooting someone else's problem. Could the problem be that one of his intermediate FWs is disabled for NAT-Traversal? Would that give you IPSec, but no data?
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Internet Protocol Security
From novice to tech pro — start learning today.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get this solution by purchasing an Individual license!
Start your 7-day free trial.
Check out the access-list referenced in the crypto-map, may be the reason why no packages are encrypted.
Tamas