• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 706
  • Last Modified:

How does IPSec establish a connection if Nat-Traversal is disabled in the middle of the chain?

We have a situation where a remote-access VPN is established (Phase 1 & 2), and show crypto isakmp sa says "AM_ACTLIVE".   The ASA say zero packets encrypted or decrypted for this VPN.
We think it may be a firewall in the middle that does not allow NAT Traversal.

Is that a fair assumption?

How does the VPN get established if NAT Traversal is not active in the middle of the stream?

Thanks.
0
jimmycher
Asked:
jimmycher
  • 3
  • 3
2 Solutions
 
TimotiStDatacenter TechnicianCommented:
If phase 2 is established, then NAT-T should work.
Check out the access-list referenced in the crypto-map, may be the reason why no packages are encrypted.

Tamas
0
 
jimmycherAuthor Commented:
Tamas,
Are you saying that if I have Phase 2 established, then all the intermediate firewalls must have NAT-T ( or Nat0 ) enabled?  

 At least one other forum says that if IPSec is established, and no data is getting through, it is probably because NAT-T is NOT enabled on the intermediate firewall.
0
 
TimotiStDatacenter TechnicianCommented:
As far as I know, NAT-T is enabled on the two IPSec peers. It encapsulates traffic in UDP, so the intermediate devices have to allow UDP port 4500 only, not specifically allow the NAT-T protocol. If UDP port 4500 is firewalled, then no traffic will pass through.

In cisco terminology, "nat 0" is a different animal, it's nat-exemption. Basically it won't translate the source address of packets going through the vpn tunnel, since you most likely don't want them translated.
0
IT Degree with Certifications Included

Aspire to become a network administrator, network security analyst, or computer and information systems manager? Make the most of your experience as an IT professional by earning your B.S. in Network Operations and Security.

 
harbor235Commented:
If you turn on NAT-T is automatically accepts udp 4500 on all interfaces, no need to craft ACLs, sort of like when you enable ssh on the outside interface from a particular source, you do not also need to add ACL entries. The hole is automatically configured, easier to use.


harbor235 ;}
0
 
jimmycherAuthor Commented:
Allow me to restate the question:

I have a remote VPN that is established (Phase I & II successful, and AM_ACTIVE), but zero traffic is encrypted or decrypted on the ASA.

What is the most likely problem?

Regards,
0
 
TimotiStDatacenter TechnicianCommented:
Can you share a sanitized config from the ASA? At least the crypto parts.
0
 
jimmycherAuthor Commented:
The config on the ASA side works well, as a second user from a different remote location (Texas) can log in and pass data.   The user in California was able to pass data, up to three weeks ago, when it dropped.  The California user has two laptops, both displaying the same indications i.e. IPSec established, but zero encaps/unencaps.   The California user is behind multiple firewalls to get to the internet.   Sorry I can't provide the conifig, and it looks like I'm troubleshooting someone else's problem.   Could the problem be that one of his intermediate FWs is disabled for NAT-Traversal?   Would that give you IPSec, but no data?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now