RE: NAT-T, IPSec over UDP 10000 & TCP 10000 - remote access VPN

From: Andrew Larkins <Andrew.Larkins_at_bytes.co.za>
Date: Fri, 22 Jan 2010 12:21:13 +0200

Hi all,

Make sure that NAT traversal is enabled and this will work on the UDP 4500 port.

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Farrukh Haroon
Sent: 22 January 2010 06:35 AM
To: Kim Teu ??? Teu Kim Loon
Cc: security_at_groupstudy.com; ccielab_at_groupstudy.com
Subject: Re: NAT-T, IPSec over UDP 10000 & TCP 10000 - remote access VPN

From the Configuration guide:

"With the exception of the home zone on the Cisco ASA 5505, the security
appliance can simultaneously support standard IPsec, IPsec over TCP, NAT-T,
and IPsec over UDP, depending on the client with which it is exchanging
data. When both NAT-T and IPsec over UDP are enabled, NAT-T takes
precedence. IPsec over TCP, if enabled, takes precedence over all other
connection methods."

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ike.html#wp1120836

Regards

Farrukh

On Fri, Jan 22, 2010 at 12:22 AM, Kim Teu ??? Teu Kim Loon <kim.teu_at_gmail.com> wrote:

> Hello Expert,
> When NAT-T, IPSec over UDP 10000 & TCP 10000 are enabled, what's the order
> of operation? Is NAT-T always the priority?
>
> I have an ASA VPN head end with Remote Access VPN configured and NAT-T
> enabled.
>
> A PC user with the Cisco VPN client at a remote site behind an FWSM is having
> problems connecting using UDP 4500. The connection is going over IP-Proto 50.
> It's only working when I enable IPSec over UDP 10000 or allow IP-Proto 50
> inbound.
>
> The client site firewall has outbound permit any any.
>
> Any idea why?
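An added example, not from any of the posters above: a small model of the precedence quoted from the configuration guide (IPsec over TCP first, then NAT-T, then IPsec over UDP), with the assumption that NAT-T only encapsulates in UDP 4500 when a NAT is actually detected on the path, and a stateful client-site firewall modelled on the symptom in the question (TCP/UDP return traffic passes, ESP needs an explicit inbound permit). The class and function names are hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Assumption (NAT-T behaviour, RFC 3947): NAT-T encapsulates in UDP 4500 only
# when both peers detect a NAT between them; with no NAT detected the data path
# stays native ESP (IP protocol 50). IPsec over UDP/TCP always encapsulate.

@dataclass
class HeadEnd:
    ipsec_over_tcp: bool = False   # IPsec over TCP, port 10000
    nat_t: bool = False            # NAT-T, UDP 4500
    ipsec_over_udp: bool = False   # IPsec over UDP, port 10000

def select_transport(asa: HeadEnd, nat_detected: bool) -> tuple[str, int | None]:
    """Return (ip_protocol, port) the tunnel data path ends up on, applying the
    quoted precedence: TCP over everything, NAT-T over IPsec over UDP."""
    if asa.ipsec_over_tcp:
        return ("tcp", 10000)
    if asa.nat_t and nat_detected:
        return ("udp", 4500)
    if asa.ipsec_over_udp:           # NAT-T did not encapsulate, so UDP 10000 applies
        return ("udp", 10000)
    return ("esp", None)             # native ESP, IP protocol 50

@dataclass
class StatefulFirewall:
    """Client-site firewall (the FWSM in the thread): outbound permit any any,
    return traffic allowed for tracked TCP/UDP flows, ESP only if permitted in."""
    inbound_permits: set[str] = field(default_factory=set)   # e.g. {"esp"}

    def tunnel_passes(self, proto: str) -> bool:
        if proto in ("udp", "tcp"):
            return True
        return proto in self.inbound_permits

def session_works(asa: HeadEnd, fw: StatefulFirewall, nat_detected: bool) -> bool:
    proto, _port = select_transport(asa, nat_detected)
    return fw.tunnel_passes(proto)

def reproduce_thread() -> dict[str, bool]:
    """The scenarios from the question, constructed here for illustration."""
    fw = StatefulFirewall()
    nat_t_only = HeadEnd(nat_t=True)
    return {
        "nat_t_only_no_nat": session_works(nat_t_only, fw, nat_detected=False),
        "nat_t_only_behind_nat": session_works(nat_t_only, fw, nat_detected=True),
        "add_ipsec_over_udp": session_works(HeadEnd(nat_t=True, ipsec_over_udp=True), fw, False),
        "permit_esp_inbound": session_works(nat_t_only, StatefulFirewall({"esp"}), False),
    }
```

Only the first scenario fails: with NAT-T enabled but no NAT on the path, the client stays on ESP, which the stateful firewall cannot match to an outbound flow.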

Blogs and organic groups at http://www.ccie.net
Received on Fri Jan 22 2010 - 12:21:13 ART

This archive was generated by hypermail 2.2.0 : Thu Feb 04 2010 - 20:28:41 ART