[c-nsp] ASA 7.2 Remote access VPN will not work if client is using NAT to access internet

Zahid Hassan zhassan at gmx.net
Wed Feb 14 01:51:37 EST 2007


Dave,


I can't see NAT-T enabled in your config.
It's certainly worth trying with NAT-T enabled.

Below is the command to enable NAT-T in the global mode:

crypto isakmp nat-traversal 20


Regards,


Zahid



-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Dave Lim
Sent: Monday, February 12, 2007 3:46 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ASA 7.2 Remote access VPN will not work if client is
using NAT to access internet


Hi group,

I have recently configured a remote access VPN on a customer ASA 7.2. I have
tested the RA IPSEC VPN using an IP address that is in the same segment
as the outside interface of the ASA and it works.

But the funny thing right now is if I am using a client that is using NAT to
access the network, I have problems connecting. It can't even contact the
security gateway and get past the phase 1 authentication of the tunnel group
and pre-shared key. There is nothing in the VPN client log.

Anyone have any idea? Here's the config that's relevant to the remote access
IPSEC VPN.

access-list inside_nat0_outbound extended permit ip 10.203.1.0 255.255.255.0 10.203.8.0 255.255.255.0

ip local pool vpnpool 10.203.8.100-10.203.8.199 mask 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

group-policy ntnvpn internal
group-policy ntnvpn attributes
 dns-server value 165.21.83.88 165.21.100.88
 vpn-tunnel-protocol IPSec
 default-domain value x

username hw-support password x

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group ntnvpn type ipsec-ra
tunnel-group ntnvpn general-attributes
 address-pool vpnpool
 default-group-policy ntnvpn
tunnel-group ntnvpn ipsec-attributes
 pre-shared-key *
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
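The reason Zahid's suggestion matters: a client behind PAT cannot carry ESP (IP protocol 50) through the translator, because ESP has no ports for the NAT device to track, so phase 2 never comes up and the client often logs nothing useful. NAT-T lets both peers detect the NAT during phase 1 and encapsulate ESP in UDP/4500, which does survive PAT. The following script is an added example and is not code from the thread or from Cisco: it parses an ASA-style configuration fragment and reports the three things a reviewer would check for this symptom: whether `crypto isakmp nat-traversal` is present, whether ISAKMP is enabled on the outside interface, and whether the VPN address pool is covered by the `nat 0` exemption ACL. The embedded configuration is the fragment from Dave's post with the wrapped ACL line rejoined; the function names and the `FIXED_CONFIG` variant are my own.

```python
import ipaddress
import re

# Constructed sample: the relevant lines from the original post, with the
# nat0 ACL line rejoined as one line. Used as input for the checks below.
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 10.203.1.0 255.255.255.0 10.203.8.0 255.255.255.0
ip local pool vpnpool 10.203.8.100-10.203.8.199 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map interface outside
crypto isakmp enable outside
tunnel-group ntnvpn type ipsec-ra
tunnel-group ntnvpn general-attributes
 address-pool vpnpool
"""

# Same fragment with the command from the reply added (20 s keepalive).
FIXED_CONFIG = SAMPLE_CONFIG + "crypto isakmp nat-traversal 20\n"


def _lines(config):
    """Non-empty config lines with trailing whitespace removed."""
    return [ln.rstrip() for ln in config.splitlines() if ln.strip()]


def parse_pools(config):
    """Return {pool_name: (first_ip, last_ip)} from 'ip local pool' lines."""
    pools = {}
    pat = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")
    for ln in _lines(config):
        m = pat.match(ln)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
    return pools


def parse_nat0_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for every ACL that a
    'nat (...) 0 access-list <name>' statement references."""
    names = set(re.findall(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M))
    entries = {n: [] for n in names}
    pat = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")
    for ln in _lines(config):
        m = pat.match(ln)
        if m and m.group(1) in entries:
            # ipaddress accepts dotted netmasks ("10.203.1.0/255.255.255.0").
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
            entries[m.group(1)].append((src, dst))
    return entries


def nat_traversal_enabled(config):
    """True if 'crypto isakmp nat-traversal [keepalive]' is configured."""
    return re.search(r"^crypto isakmp nat-traversal(\s+\d+)?\s*$", config, re.M) is not None


def isakmp_enabled_on_outside(config):
    """True if ISAKMP is enabled on the interface named 'outside'."""
    return re.search(r"^crypto isakmp enable outside\s*$", config, re.M) is not None


def pool_exempt_from_nat(config):
    """True if every pool named by an 'address-pool' line lies inside a
    destination network of a nat 0 ACL entry, i.e. return traffic from the
    inside network to VPN clients is exempt from NAT. Assumes each pool fits
    in a single ACL entry, which is the usual layout."""
    pools = parse_pools(config)
    dst_nets = [dst for acl in parse_nat0_acls(config).values() for _, dst in acl]
    used = set(re.findall(r"^\s*address-pool (\S+)", config, re.M))
    if not used:
        return False
    for name in used:
        if name not in pools:
            return False
        first, last = pools[name]
        if not any(first in net and last in net for net in dst_nets):
            return False
    return True


def audit(config):
    """Summarise the three checks relevant to the symptom in the thread."""
    return {
        "nat_traversal": nat_traversal_enabled(config),
        "isakmp_on_outside": isakmp_enabled_on_outside(config),
        "pool_exempt_from_nat": pool_exempt_from_nat(config),
    }


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("with NAT-T", FIXED_CONFIG)):
        print(f"{label}: {audit(cfg)}")
```

Run against the posted fragment, only `nat_traversal` comes back false, which matches Zahid's diagnosis; the pool exemption and the outside-interface ISAKMP binding are already correct. Enabling NAT-T on the ASA is necessary but not sufficient: the client must also negotiate it, and UDP/4500 has to be permitted end to end, so if the tunnel still fails after the change the next place to look is a firewall between the client and the outside interface.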


