Cisco VPN Client Behind ASA 5505

Solution 1:

It's very possible that it's a NAT issue. You need to configure NAT traversal on the 5510. Do that like this:

crypto isakmp nat-traversal 30

If that doesn't work, can you provide us show runs on both devices?

Solution 2:

I am assuming your workstation is behind the ASA5505's inside interface on the 192.168.1.0/24 network. Your workstation, the IKE/IPSec initiator, is connecting to a far-off ASA5510, the IKE/IPSec responder, on your ASA5505's outside interface (the Internet). Your workstation is dynamic PAT'd when its traffic crosses inside -> outside.

Without seeing the remote ASA5510 config and additional debug output it is difficult to determine the problem. Instead, I will describe the three possible ways to get IKE/IPSec working across NAT/PAT boundaries. Each one of the below is a complete solution.

ASA configuration entries below are valid for ASA 8.4.

1. Enable IKE NAT Traversal (IKE NAT-T) on the responder (ASA5510) and configure the Cisco VPN client to use IPSec over UDP/NAT-T. IKE NAT-T is not to be confused with general NAT traversal like STUN, etc. IKE NAT-T is defined in RFC3947 and is supported in many initiators and responders -- both software and hardware. IKE NAT-T has also been called IPSec over UDP and uses UDP/500 and UDP/4500 (usually) on the responder. Ensure the initiator can connect to the responder on UDP/500 and UDP/4500.

crypto isakmp nat-traversal 30

2. Enable IPSec over TCP on the responder (ASA5510) and configure the Cisco VPN client to use IPSec over TCP. With IPSec over TCP the IKE and IPSec connectivity and sessions solely use the TCP port specified. TCP/10000 is default. Make sure the initiator can connect to the responder on the chosen TCP port.

crypto ikev1 ipsec-over-tcp 10000

3. Configure static NAT for the workstation/initiator -- not dynamic PAT or static PAT -- and enable inspect ipsec-pass-thru ALG/inspection on the initiator side (your) ASA. Per the ASA 8.4 (and under) documentation the ASA's ipsec-pass-thru ALG is only supported on static NAT (traditional NAT) and no-NAT traffic, not on PAT'd traffic.

object network hst-192.168.1.100
 description WS01
 host 192.168.1.100
 nat (inside,outside) static 1.2.3.4

class-map default_inspection_class
 match default-inspection-traffic

policy-map example_policy
 class default_inspection_class
  inspect ipsec-pass-thru

To my knowledge those are the only known ways of getting IPSec working through NAT -- be it PAT or NAT. Look at your situation with your ASA, the remote ASA, and take your pick.

-Weaver
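As an added example (not part of either answer above), the following script walks an ASA 8.4 running-config and reports which of the three options from Solution 2 is actually present, and warns when inspect ipsec-pass-thru is paired with a dynamic PAT rule, which the answer notes is not supported. The config text, object names and addresses are constructed for the demonstration; the checks are line-pattern heuristics, not a full ASA config parser.

```python
"""Heuristic check of an ASA 8.4 config for the three IPsec-through-NAT options."""
import re

# Constructed sample config: option 1 (NAT-T) and option 3 (static NAT + pass-thru)
# are present, and a second object uses dynamic PAT, which pass-thru does not cover.
SAMPLE_CONFIG = """\
object network hst-192.168.1.100
 description WS01
 host 192.168.1.100
 nat (inside,outside) static 1.2.3.4
object network inside-net
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
crypto isakmp nat-traversal 30
class-map default_inspection_class
 match default-inspection-traffic
policy-map example_policy
 class default_inspection_class
  inspect ipsec-pass-thru
"""

def parse_network_objects(config):
    """Map each 'object network' name to its indented 'nat ...' line (or None)."""
    objects, current = {}, None
    for line in config.splitlines():
        if line.startswith("object network "):
            current = line.split()[2]
            objects[current] = None
        elif current and line.startswith(" ") and line.strip().startswith("nat "):
            objects[current] = line.strip()
        elif not line.startswith(" "):
            current = None  # any top-level command ends the object block
    return objects

def assess_nat_options(config):
    """Return which options are configured plus warnings about unsupported combinations."""
    objects = parse_network_objects(config)
    tcp = re.search(r"^crypto ikev1 ipsec-over-tcp (\d+)", config, re.M)
    pass_thru = bool(re.search(r"^\s+inspect ipsec-pass-thru\s*$", config, re.M))
    static = [n for n, nat in objects.items() if nat and " static " in nat]
    dynamic = [n for n, nat in objects.items() if nat and " dynamic " in nat]
    result = {
        "nat_t": bool(re.search(r"^crypto isakmp nat-traversal", config, re.M)),
        "ipsec_over_tcp_port": int(tcp.group(1)) if tcp else None,
        "pass_thru_static": pass_thru and bool(static),  # option 3 needs static NAT
        "warnings": [],
    }
    if pass_thru and dynamic:
        result["warnings"].append(
            "inspect ipsec-pass-thru does not apply to dynamic PAT objects: " + ", ".join(dynamic))
    return result
```

Run it against the output of show run from the initiator-side ASA to see which option (if any) is in place before collecting debug output.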