Solved

How does IPSec establish a connection if Nat-Traversal is disabled in the middle of the chain?

Posted on 2012-04-04
8
691 Views
Last Modified: 2012-08-14
We have a situation where a remote-access VPN is established (Phase 1 & 2), and show crypto isakmp sa says "AM_ACTLIVE".   The ASA say zero packets encrypted or decrypted for this VPN.
We think it may be a firewall in the middle that does not allow NAT Traversal.

Is that a fair assumption?

How does the VPN get established if NAT Traversal is not active in the middle of the stream?

Thanks.
0
Comment
Question by:jimmycher
  • 3
  • 3
8 Comments
 
LVL 17

Expert Comment

by:TimotiSt
Comment Utility
If phase 2 is established, then NAT-T should work.
Check out the access-list referenced in the crypto-map, may be the reason why no packages are encrypted.

Tamas
0
 

Author Comment

by:jimmycher
Comment Utility
Tamas,
Are you saying that if I have Phase 2 established, then all the intermediate firewalls must have NAT-T ( or Nat0 ) enabled?  

 At least one other forum says that if IPSec is established, and no data is getting through, it is probably because NAT-T is NOT enabled on the intermediate firewall.
0
 
LVL 17

Accepted Solution

by:
TimotiSt earned 125 total points
Comment Utility
As far as I know, NAT-T is enabled on the two IPSec peers. It encapsulates traffic in UDP, so the intermediate devices have to allow UDP port 4500 only, not specifically allow the NAT-T protocol. If UDP port 4500 is firewalled, then no traffic will pass through.

In cisco terminology, "nat 0" is a different animal, it's nat-exemption. Basically it won't translate the source address of packets going through the vpn tunnel, since you most likely don't want them translated.
0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 
LVL 32

Assisted Solution

by:harbor235
harbor235 earned 125 total points
Comment Utility
If you turn on NAT-T is automatically accepts udp 4500 on all interfaces, no need to craft ACLs, sort of like when you enable ssh on the outside interface from a particular source, you do not also need to add ACL entries. The hole is automatically configured, easier to use.


harbor235 ;}
0
 

Author Comment

by:jimmycher
Comment Utility
Allow me to restate the question:

I have a remote VPN that is established (Phase I & II successful, and AM_ACTIVE), but zero traffic is encrypted or decrypted on the ASA.

What is the most likely problem?

Regards,
0
 
LVL 17

Expert Comment

by:TimotiSt
Comment Utility
Can you share a sanitized config from the ASA? At least the crypto parts.
0
 

Author Comment

by:jimmycher
Comment Utility
The config on the ASA side works well, as a second user from a different remote location (Texas) can log in and pass data.   The user in California was able to pass data, up to three weeks ago, when it dropped.  The California user has two laptops, both displaying the same indications i.e. IPSec established, but zero encaps/unencaps.   The California user is behind multiple firewalls to get to the internet.   Sorry I can't provide the conifig, and it looks like I'm troubleshooting someone else's problem.   Could the problem be that one of his intermediate FWs is disabled for NAT-Traversal?   Would that give you IPSec, but no data?
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

When the confidentiality and security of your data is a must, trust the highly encrypted cloud fax portfolio used by 12 million businesses worldwide, including nearly half of the Fortune 500.
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now