Solved

Cisco ASA 5505 VPN

Posted on 2012-09-07
1,686 Views
Last Modified: 2012-09-10
I configured a site-to-site VPN tunnel between a Cisco PIX 515E and a Cisco ASA 5505. The VPN tunnel is established ONLY if the connection is started from the ASA 5505 side, and in that case I can ping from the ASA 5505 to the PIX and vice versa. If instead I try to establish the tunnel from the PIX 515E side, it won't work until I issue a ping from the ASA side to the PIX side, for example.
Note that the ASA 5505 does not NAT; I also added, on the router located after the ASA, a static NAT to the ASA outside interface.

The design is:
ASA 5505 --> 1841 Router ----- INTERNET ----- 1801 Router <-- PIX 515E.

The sh crypto isakmp sa on the PIX side is:
1   IKE Peer: XXXXXXXXXXX
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
The sh crypto isakmp sa on the ASA side is:
1   IKE Peer: XXXXXXXXXXX
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

Any help will be appreciated.
Question by: arefone

14 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38375801
Could you show us some sanitized configs?
 
LVL 1

Author Comment

by:arefone
ID: 38376023
I solved the problem by setting "crypto isakmp nat-traversal 30".

But I still don't understand why and how the VPN tunnel from ASA --> PIX, before setting that command, was able to establish the connection?!

What does that command do?
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38376080
A 'little' explanation.

ESP is a layer 4 transport protocol, just like TCP, UDP, EIGRP, OSPF, etc.  When TCP or UDP packets go through a NAT translation the router can keep track of not only the source and destination address, but the source and destination ports.  These four values - source address, source port, destination address, and destination port - make up the "flow".  The values in the flow are what allow the router to not only perform the NAT translation, but perform the Port Address Translation (PAT) or "overload".  This means that as long as one of these four values is unique in the flow, the router can translate.

For example you may have two inside hosts that are browsing to the same public web server, while the router in the middle is translating the source address of both inside local hosts to the same inside global address.  This is okay because at least one of the values in the flow is unique; even though the (new) source address, destination address, and destination port are the same, the source port is different because it's a random value.

With ESP, since it doesn't have port values (just like EIGRP or OSPF), it has problems going through Port Address Translations, since there are fewer unique values that can identify the flow.  For example suppose that you have two remote workers staying at the same hotel, and they're both trying to VPN into the main office router.  If the border router is doing a NAT overload to its outside address, the NAT process has no way to distinguish one VPN session from another.  This is because they would both have the same source address, destination address, and layer 4 protocol (ESP).  Even though in the payload of the packets the sessions are different, e.g. have different IPsec SPIs, the NAT process doesn't know this.  This is why sometimes when you're on a public WIFI network, like at a hotel, it'll ask you if you need a public address for VPN purposes.  This allows them to do a 1:1 ESP NAT translation for your particular host.

Another option is to do NAT Traversal/Transparency (NAT-T).  In this case the ESP traffic is tunneled inside of UDP (typically over UDP port 4500), which then allows the NAT process of the border router to uniquely identify the flow based on the source address, source UDP port, destination address, and destination UDP port, even if two inside hosts have VPN connections to the same outside server.  This is effectively what the crypto isakmp nat-traversal command does.  It allows the ASA to offer NAT-T to the remote access VPN clients that are trying to connect to it.  Without this the remote clients would need public addresses or a 1:1 ESP translation on their border routers.

Source: https://learningnetwork.cisco.com/thread/36740

So basically you're telling the firewall that the remote party is behind a NAT device, so it will tunnel the IPsec through the NAT to the device, hence making it work.
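The flow-key argument in the comment above, as an added example that is not part of the thread: a small Python model of an overload (PAT) router. The addresses (10.0.0.x, 198.51.100.1, 203.0.113.5) are made-up documentation ranges, and the router is assumed to keep only dynamic state, with no static ESP mapping and no SPI-tracking passthrough heuristic. Under those assumptions ESP from two inside hosts to one peer collides, ESP carried in UDP/4500 does not, and unsolicited inbound ESP is dropped until an inside host sends first, which is the initiation-direction behaviour the question describes.

```python
"""Model of PAT ("NAT overload") state for ESP versus NAT-T (ESP in UDP/4500).

Added example, not code from the thread or from Cisco. Addresses are
documentation ranges; the router keeps only dynamic state (assumption:
no static ESP mapping, no SPI-based passthrough heuristic).
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

ESP = 50          # IP protocol number for ESP: no transport ports at all
UDP = 17
NAT_T_PORT = 4500


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # ports exist only for UDP/TCP
    dport: Optional[int] = None


class PatRouter:
    """One public address shared by every inside host.

    Outbound packets create state; inbound packets are translated only when
    matching state exists. ESP state is keyed on (peer, protocol) alone
    because there is nothing else in the outer packet to key on.
    """

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        # outside-facing key -> (inside_ip, inside_port)
        self.table: Dict[tuple, Tuple[str, Optional[int]]] = {}
        self._ports: Dict[tuple, int] = {}   # inside 5-tuple -> outside port
        self._next_port = 1024

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto == ESP:
            key = (pkt.dst, ESP)
            owner = self.table.get(key)
            if owner is not None and owner[0] != pkt.src:
                # A second inside host to the same peer: return ESP could not
                # be told apart, so this model refuses the second flow.
                raise ValueError(f"ESP flow to {pkt.dst} already owned by {owner[0]}")
            self.table[key] = (pkt.src, None)
            return replace(pkt, src=self.public_ip)
        # UDP/TCP: one unique outside port per inside flow, the usual PAT
        inside = (pkt.src, pkt.sport, pkt.dst, pkt.proto, pkt.dport)
        port = self._ports.get(inside)
        if port is None:
            port = self._next_port
            self._next_port += 1
            self._ports[inside] = port
            self.table[(pkt.dst, pkt.proto, pkt.dport, port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from the Internet, or None to drop it."""
        if pkt.dst != self.public_ip:
            return None
        if pkt.proto == ESP:
            key = (pkt.src, ESP)
        else:
            key = (pkt.src, pkt.proto, pkt.sport, pkt.dport)
        owner = self.table.get(key)
        if owner is None:
            return None           # no state: unsolicited inbound is dropped
        inside_ip, inside_port = owner
        return replace(pkt, dst=inside_ip, dport=inside_port)


def esp_two_hosts_collide(peer: str = "203.0.113.5") -> bool:
    """Two inside hosts, plain ESP, same peer: the second flow is refused."""
    nat = PatRouter("198.51.100.1")
    nat.outbound(Packet("10.0.0.10", peer, ESP))
    try:
        nat.outbound(Packet("10.0.0.11", peer, ESP))
    except ValueError:
        return True
    return False


def natt_two_hosts_ok(peer: str = "203.0.113.5") -> bool:
    """Same two hosts over UDP/4500: distinct outside ports, both return paths work."""
    nat = PatRouter("198.51.100.1")
    a = nat.outbound(Packet("10.0.0.10", peer, UDP, NAT_T_PORT, NAT_T_PORT))
    b = nat.outbound(Packet("10.0.0.11", peer, UDP, NAT_T_PORT, NAT_T_PORT))
    ra = nat.inbound(Packet(peer, nat.public_ip, UDP, NAT_T_PORT, a.sport))
    rb = nat.inbound(Packet(peer, nat.public_ip, UDP, NAT_T_PORT, b.sport))
    return a.sport != b.sport and (ra.dst, rb.dst) == ("10.0.0.10", "10.0.0.11")


def esp_initiation_direction(peer: str = "203.0.113.5") -> bool:
    """Peer-initiated ESP dies at the PAT router until the inside host sends first."""
    nat = PatRouter("198.51.100.1")
    before = nat.inbound(Packet(peer, nat.public_ip, ESP))
    nat.outbound(Packet("10.0.0.10", peer, ESP))        # the "ping from ASA side"
    after = nat.inbound(Packet(peer, nat.public_ip, ESP))
    return before is None and after is not None and after.dst == "10.0.0.10"
```

The three scenario functions are the thread's three claims in order: ESP collides under overload, UDP encapsulation gives the NAT a port to key on, and outbound-first is what creates the state that lets the peer's ESP back in.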
 
LVL 1

Author Comment

by:arefone
ID: 38377023
Ok, and how can it be explained that when I start the tunnel from the ASA side it goes without any problem, I mean the connection is established?

What do you mean by "device" in your text? "...so it will tunnel the ipsec through the NAT to the device hence making it work." The ASA or the PIX?
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 2000 total points
ID: 38379907
"when I start the tunnel from ASA side it goes without any problem"
The router behind the ASA is able to pass ESP (IPsec) through. So the ASA can connect through that NATting router to the public IP of the PIX on the other side. The PIX has the public IP on its outside interface.

The other way round (without NAT-T), the PIX would try to connect to the public address of its peer, but this time that isn't the ASA but the router, hence it fails. When using NAT-T, the PIX 'knows' that the ASA is behind a NATting device that holds the public IP and that it can't terminate the IPsec tunnel directly on that public IP. So it will tunnel the ESP traffic through UDP (port 4500). That way the tunnel can get through the NATting device and terminate on the ASA, even though it hasn't got a public IP.

Am I making any sense here?
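What "tunnel the ESP traffic through UDP (port 4500)" looks like on the wire, as an added example that is not from the thread or from Cisco: the UDP-encapsulation framing of RFC 3948, where an ESP packet sits directly after the UDP header, an IKE message sent on port 4500 is prefixed with a 4-byte all-zero non-ESP marker, and a NAT keepalive is a single 0xFF byte. The sample IKEv1 header, SPI and sequence values below are constructed for the example.

```python
"""NAT-T framing on UDP/4500 (RFC 3948, with IKE per RFC 3947).

Added example, not code from the thread or from Cisco. Builds and then
classifies the three things that share UDP/4500 once NAT-T has been
negotiated: ESP-in-UDP, IKE behind the non-ESP marker, and NAT keepalives.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 2.2: IKE on 4500 starts with this
NAT_KEEPALIVE = b"\xff"                # RFC 3948 2.3: a single 0xFF octet
IKE_MAIN_MODE = 2                      # IKEv1 exchange type "Identity Protection"

# Constructed IKEv1 header (28 bytes): initiator SPI, responder SPI (still zero
# in the first Main Mode message), next payload 1 (SA), version 1.0, exchange
# type 2 (Main Mode), flags 0, message ID 0, length 28.
SAMPLE_IKE_HEADER = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8,
                                1, 0x10, IKE_MAIN_MODE, 0, 0, 28)


@dataclass(frozen=True)
class Frame:
    kind: str                        # "esp", "ike", "keepalive" or "runt"
    spi: Optional[int] = None        # ESP SPI
    seq: Optional[int] = None        # ESP sequence number
    exchange: Optional[int] = None   # IKEv1 exchange type, when kind == "ike"


def encapsulate_esp(spi: int, seq: int, body: bytes) -> bytes:
    """UDP/4500 payload for one ESP packet: ESP header (SPI, seq) then the body.

    SPI 0 is reserved by RFC 4303, so a real ESP header never begins with four
    zero bytes; that is what makes the non-ESP marker unambiguous.
    """
    if not 1 <= spi <= 0xFFFFFFFF:
        raise ValueError("SPI must be a non-zero 32-bit value")
    return struct.pack("!II", spi, seq & 0xFFFFFFFF) + body


def encapsulate_ike(ike_message: bytes) -> bytes:
    """UDP/4500 payload for an IKE message: marker, then the IKE header."""
    return NON_ESP_MARKER + ike_message


def classify(udp_payload: bytes) -> Frame:
    """Decide what a UDP/4500 payload carries, the way a NAT-T peer does."""
    if udp_payload == NAT_KEEPALIVE:
        return Frame("keepalive")
    if len(udp_payload) < 8:
        return Frame("runt")
    if udp_payload[:4] == NON_ESP_MARKER:
        ike = udp_payload[4:]
        # exchange type is byte 18 of the IKEv1 header, if the header is complete
        exchange = ike[18] if len(ike) >= 28 else None
        return Frame("ike", exchange=exchange)
    spi, seq = struct.unpack("!II", udp_payload[:8])
    return Frame("esp", spi=spi, seq=seq)


def sample_exchange() -> List[str]:
    """Kinds seen on UDP/4500 for: Main Mode IKE, two ESP packets, one keepalive."""
    wire = [
        encapsulate_ike(SAMPLE_IKE_HEADER),
        encapsulate_esp(0x1234ABCD, 1, b"\x00" * 16),   # constructed ESP body
        encapsulate_esp(0x1234ABCD, 2, b"\x00" * 16),
        NAT_KEEPALIVE,
    ]
    return [classify(p).kind for p in wire]
```

The non-ESP marker is the whole trick that lets IKE and ESP share one UDP port through the NAT: a capture filtered on UDP port 4500 can be split the same way, four leading zero bytes for IKE, anything else for ESP with the SPI in the first four bytes. The NAT keepalive exists only to keep the PAT entry alive while the tunnel is idle, which is exactly the state the earlier comments explain the router needs.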
 
LVL 1

Author Closing Comment

by:arefone
ID: 38379976
Very good explanation.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38379986
Glad you liked it ;)

Thanks for the points.
 
LVL 1

Author Comment

by:arefone
ID: 38379995
:)

If you remember any good resources where I can go to study these kinds of tricks in depth, please let me know.

Thanks again
 
LVL 1

Author Comment

by:arefone
ID: 38380027
Ernie Beek, I need another explanation. I checked the config on the PIX; even on the PIX NAT-T is set. Do I need it there? And why is it set if the PIX has a public IP on its outside interface?
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38382733
Good question, and I'm missing that in my explanation (that was mainly from memory).
NAT-T needs to be enabled at both sides.

So let me rephrase:

When using NAT-T, the PIX 'knows' that the ASA is behind a NATting device that holds the public IP and that it can't terminate the IPsec tunnel directly on that public IP. So it will tunnel the ESP traffic through UDP (port 4500). That way the tunnel can get through the NATting device and terminate on the ASA, even though it hasn't got a public IP. The ASA (when NAT-T is enabled) 'knows' it can expect incoming requests 'the NAT-T way', so it will listen for that, accept it and negotiate the VPN tunnel that way.
 
LVL 1

Author Comment

by:arefone
ID: 38382746
"When using NAT-T, the PIX 'knows' ......."
Do you mean that when NAT-T is enabled on the PIX it knows that the ASA is behind a NATting device? Or on the ASA?
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38382766
Let me re-rephrase that.

With NAT-T enabled, the PIX or ASA will also try this option in the negotiations when trying to set up a VPN.
The other way around, the PIX or ASA will also accept this option when receiving a request to set up a VPN.
 
LVL 1

Author Comment

by:arefone
ID: 38382795
So this option "NAT-T" has nothing to do with whether the device (PIX or ASA) has a public IP on its outside interface or not, does it?
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38383005
Depends on how you look at it. If one of the devices (or both) doesn't have a public IP on its outside interface, that means it's behind a NATting device and you will need the NAT-T option to make the VPN work. So there is a relation between the two. Of course this does not mean that if a device doesn't have a public IP on its outside interface you always need NAT-T.
