Solved

How does IPSec establish a connection if Nat-Traversal is disabled in the middle of the chain?

Posted on 2012-04-04
8
692 Views
Last Modified: 2012-08-14
We have a situation where a remote-access VPN is established (Phase 1 & 2), and show crypto isakmp sa says "AM_ACTLIVE".   The ASA say zero packets encrypted or decrypted for this VPN.
We think it may be a firewall in the middle that does not allow NAT Traversal.

Is that a fair assumption?

How does the VPN get established if NAT Traversal is not active in the middle of the stream?

Thanks.
0
Comment
Question by:jimmycher
  • 3
  • 3
8 Comments
 
LVL 17

Expert Comment

by:TimotiSt
ID: 37810294
If phase 2 is established, then NAT-T should work.
Check out the access-list referenced in the crypto-map, may be the reason why no packages are encrypted.

Tamas
0
 

Author Comment

by:jimmycher
ID: 37810710
Tamas,
Are you saying that if I have Phase 2 established, then all the intermediate firewalls must have NAT-T ( or Nat0 ) enabled?  

 At least one other forum says that if IPSec is established, and no data is getting through, it is probably because NAT-T is NOT enabled on the intermediate firewall.
0
 
LVL 17

Accepted Solution

by:
TimotiSt earned 125 total points
ID: 37810782
As far as I know, NAT-T is enabled on the two IPSec peers. It encapsulates traffic in UDP, so the intermediate devices have to allow UDP port 4500 only, not specifically allow the NAT-T protocol. If UDP port 4500 is firewalled, then no traffic will pass through.

In cisco terminology, "nat 0" is a different animal, it's nat-exemption. Basically it won't translate the source address of packets going through the vpn tunnel, since you most likely don't want them translated.
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 32

Assisted Solution

by:harbor235
harbor235 earned 125 total points
ID: 37812114
If you turn on NAT-T is automatically accepts udp 4500 on all interfaces, no need to craft ACLs, sort of like when you enable ssh on the outside interface from a particular source, you do not also need to add ACL entries. The hole is automatically configured, easier to use.


harbor235 ;}
0
 

Author Comment

by:jimmycher
ID: 37813848
Allow me to restate the question:

I have a remote VPN that is established (Phase I & II successful, and AM_ACTIVE), but zero traffic is encrypted or decrypted on the ASA.

What is the most likely problem?

Regards,
0
 
LVL 17

Expert Comment

by:TimotiSt
ID: 37814041
Can you share a sanitized config from the ASA? At least the crypto parts.
0
 

Author Comment

by:jimmycher
ID: 37816002
The config on the ASA side works well, as a second user from a different remote location (Texas) can log in and pass data.   The user in California was able to pass data, up to three weeks ago, when it dropped.  The California user has two laptops, both displaying the same indications i.e. IPSec established, but zero encaps/unencaps.   The California user is behind multiple firewalls to get to the internet.   Sorry I can't provide the conifig, and it looks like I'm troubleshooting someone else's problem.   Could the problem be that one of his intermediate FWs is disabled for NAT-Traversal?   Would that give you IPSec, but no data?
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

SSL stands for “Secure Sockets Layer” and an SSL certificate is a critical component to keeping your website safe, secured, and compliant. Any ecommerce website must have an SSL certificate to ensure the safe handling of sensitive information like…
There are many Password Managers (PM) out there to choose from. PM's can help with your password habits and routines, but they should not be a crutch you rely on too heavily. I also have an article for company/enterprise PM's.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now