Join Percona’s Chief Evangelist, Colin Charles as he presents Securing your MySQL®/MariaDB® data on Tuesday, July 11, 2017 at 7:00 am PDT / 10:00 am EDT (UTC-7).
Course Of The Month
8 days, left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
How does IPSec establish a connection if Nat-Traversal is disabled in the middle of the chain?
Posted on 2012-04-04
We have a situation where a remote-access VPN is established (Phase 1 & 2), and show crypto isakmp sa says "AM_ACTLIVE". The ASA say zero packets encrypted or decrypted for this VPN.
We think it may be a firewall in the middle that does not allow NAT Traversal.
Is that a fair assumption?
How does the VPN get established if NAT Traversal is not active in the middle of the stream?
Thanks.
We think it may be a firewall in the middle that does not allow NAT Traversal.
Is that a fair assumption?
How does the VPN get established if NAT Traversal is not active in the middle of the stream?
Thanks.
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
3-
3
8 Comments
If phase 2 is established, then NAT-T should work.
Check out the access-list referenced in the crypto-map, may be the reason why no packages are encrypted.
Tamas
Check out the access-list referenced in the crypto-map, may be the reason why no packages are encrypted.
Tamas
Tamas,
Are you saying that if I have Phase 2 established, then all the intermediate firewalls must have NAT-T ( or Nat0 ) enabled?
At least one other forum says that if IPSec is established, and no data is getting through, it is probably because NAT-T is NOT enabled on the intermediate firewall.
Are you saying that if I have Phase 2 established, then all the intermediate firewalls must have NAT-T ( or Nat0 ) enabled?
At least one other forum says that if IPSec is established, and no data is getting through, it is probably because NAT-T is NOT enabled on the intermediate firewall.
As far as I know, NAT-T is enabled on the two IPSec peers. It encapsulates traffic in UDP, so the intermediate devices have to allow UDP port 4500 only, not specifically allow the NAT-T protocol. If UDP port 4500 is firewalled, then no traffic will pass through.
In cisco terminology, "nat 0" is a different animal, it's nat-exemption. Basically it won't translate the source address of packets going through the vpn tunnel, since you most likely don't want them translated.
In cisco terminology, "nat 0" is a different animal, it's nat-exemption. Basically it won't translate the source address of packets going through the vpn tunnel, since you most likely don't want them translated.
If you turn on NAT-T is automatically accepts udp 4500 on all interfaces, no need to craft ACLs, sort of like when you enable ssh on the outside interface from a particular source, you do not also need to add ACL entries. The hole is automatically configured, easier to use.
harbor235 ;}
harbor235 ;}
Allow me to restate the question:
I have a remote VPN that is established (Phase I & II successful, and AM_ACTIVE), but zero traffic is encrypted or decrypted on the ASA.
What is the most likely problem?
Regards,
I have a remote VPN that is established (Phase I & II successful, and AM_ACTIVE), but zero traffic is encrypted or decrypted on the ASA.
What is the most likely problem?
Regards,
The config on the ASA side works well, as a second user from a different remote location (Texas) can log in and pass data. The user in California was able to pass data, up to three weeks ago, when it dropped. The California user has two laptops, both displaying the same indications i.e. IPSec established, but zero encaps/unencaps. The California user is behind multiple firewalls to get to the internet. Sorry I can't provide the conifig, and it looks like I'm troubleshooting someone else's problem. Could the problem be that one of his intermediate FWs is disabled for NAT-Traversal? Would that give you IPSec, but no data?
Featured Post
Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
WARNING:
If you follow the instructions here, you will wipe out your VTP and VLAN configurations. Make sure you have backed up your switch!!!
I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
The conference as a whole was very interesting, although if one has to make a choice between this one and some others, you may want to check out the others. This conference is aimed mainly at government agencies. So it addresses the various compli…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg).
If you're looking for how to monitor bandwidth using netflow or packet s…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:
• Key questions to ask when considering a partnership to accelerate your business into the cloud
• Pitfalls and mistakes other partners…
Suggested Courses
Course of the Month8 days, left to enroll
729 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.