Cisco VPN Client and PAN NAT


Not applicable

This is an obscure problem.

I've got visitors from another company on our network trying to VPN back to their office with Cisco's VPN client to a Cisco ASA appliance.  They are unable to connect, randomly.  Most of the time, at least one can connect, but never all 5 of them.

All my users (including these visitors) are NAT'd to the same IP address.  So all these clients appear to their VPN concentrator as the same IP.

I'm wondering if this might be a NAT issue between Palo Alto and Cisco.  Might be way off the mark here but any insight would be helpful.

9 REPLIES 9

L6 Presenter

You are using dynamic IP/port NAT, I think, so this should not affect them.

Random issues are hard to solve. Can you monitor their traffic when they want to connect?

So that you can try an app override rule for them to see if something changes?

I've taken a packet capture and nothing seems glaringly bad, other than it doesn't work (no RST, no timeouts, just stops).  Not sure I follow where you're headed with the app override rule.


That is to see whether disabling any inspection and app check on the Palo Alto will have any effect on the issue or not.

I'm with panos on the app override on this one... it's something to at least try. Build an App override for IPSec/IKE traffic (should be UDP 500 and UDP 4500 I believe) and stick it in a rule that allows traffic to the remote ASA, and see if the issues magically go away. It will at least help you narrow down the problem, and prove whether or not the App-ID engine has something to do with the problem you're experiencing.

As an aside, I'm surprised they're not using AnyConnect SSL VPN.

Thanks guys, I'll give that a shot.

Any news here?

I got the same problem.

Not applicable

I'm afraid not.  This isn't something that comes up a lot for us, just once in a while.  But I did try the override rule and that didn't help.

L4 Transporter

Recommended solution would be to enable NAT-T on clients and ASA.

Configure IPSec NAT Transparency on the ASA and VPN clients.

On the ASA, issue the following command:

PIX/ASA 7.1 and earlier

pix(config)#isakmp nat-traversal 20 

PIX/ASA 7.2(1) and later

securityappliance(config)#crypto isakmp nat-traversal 20

In Cisco VPN Client, choose Connection Entries and click Modify. It opens a new window where you have to choose the Transport tab. Under this tab, choose Enable Transparent Tunneling and the IPSec over UDP (NAT/PAT) radio button. Then click Save and test the connection.

The other option would be to assign a public NAT pool (or 1-to-1 static NATs) for those users so they would receive unique public IPs.

The settings have been implemented on the ASA and the clients as recommended and this did not solve the problem.

We're still experiencing the issue and 1-1 NAT is not an option.  I've got a case open with PA.  If we ever get a solution I'll post it here.
