Problem

If I had a pound for every time I've seen this either in the wild, or asked in a forum, I would be minted! In nearly every case the problem is NAT related.

If the person launching the VPN client is behind a device that is performing NAT, (Home Router, Access Point, Firewall, etc) then the device will BREAK the "nat 0" (that's the command that says "DONT change the address of my remote VPN client as it passes up and down the VPN tunnel).

Solution

Enable nat-traversal, this is a global configuration setting and will not affect any other site to site, or client to gateway VPN's you are currently running.

Option 1 Connect to the ASA Via Command Line.

Then go to enable mode > Configure Terminal mode > and issue a "crypto isakmp nat-traversal 20" command >Then save the change with a "write mem" command.

User Access Verification

Password:
Type help or '?' for a list of available commands.
PetesASA> en
Password: ********
PetesASA# configure terminal
PetesASA(config)# crypto isakmp nat-traversal 20
PetesASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d

7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesASA#

Option 2 Connect to the ASA Via ASDM - Version used here is 6.2.(5)

Then navigate to > Configuration > Remote Access VPN > Advanced > IKE Parameters > Tick "Enable IPSec over NAT-T" option > Set the "NAT Keepalive" to 20 seconds > Apply > File > Save running configuration to flash.

I've done that and its still not working?

On the firewall issue a "show run nat 0" command > take note of the access-list name.

User Access Verification

Password:
Type help or '?' for a list of available commands.
PetesASA> en
Password: ********
PetesASA# show run nat 0
nat (inside) 0 access-list NO-NAT-TRAFFIC
nat (inside) 1 0.0.0.0 0.0.0.0

In this example mines called NO-NAT-TRAFFIC (cause I like to keep things simple) yours can be called anything (inside_nat0_outbound is the norm if you used the ASDM to set up the VPN).

Now make sure that you have the correct addresses in that access-list, issue a show run access-list {name} command.

PetesASA#
PetesASA# show run access-list NO-NAT-TRAFFIC
access-list NO-NAT-TRAFFIC extended permit ip 10.254.254.0 255.255.255.0 10.253.253.0 255.255.255.0
access-list NO-NAT-TRAFFIC extended permit ip 10.254.254.0 255.255.255.0 10.252.252.0 255.255.255.0
PetesASA#

Above we have two subnets that are going to be exempt from NAT, they are 10.253.253.0/24 and 10.252.252.0/24, if the range of IP addresses your remote clients are using is NOT on this list you need to add them.

If you don't know what addresses they are supposed to be using, then issue a "show run ip local pool" command.

PetesASA#
PetesASA# show run tunnel-group
tunnel-group IPSEC-VPN-GROUP type remote-access <<< Here's my IPSEC VPN's
tunnel-group IPSEC-VPN-GROUP general-attributes
address-pool IPSEC-VPN-DHCP-POOL <<< And here's my matching DHCP scope (IPSEC)
authentication-server-group PNL-KERBEROS
default-group-policy IPSEC-VPN-POLICY
tunnel-group IPSEC-VPN-GROUP ipsec-attributes
pre-shared-key *****
tunnel-group SSL-VPN-POLICY type remote-access <<< Here's my SSL VPN's
tunnel-group SSL-VPN-POLICY general-attributes
address-pool SSL-VPN-DHCP-POOL <<< And here's my matching DHCP scope (SSL)
authentication-server-group PNL-KERBEROS
default-group-policy SSL-VPN-GROUP-POLICY
tunnel-group SSL-VPN-POLICY webvpn-attributes
group-alias PNL enable
PetesASA#

If this post helped you, PLEASE take the time to +1 it.

Please be aware, all information is provided free, but it does cost me to have this site hosted, if I've helped you in any way, or saved you some time/cost please take time to make a donation.

If you have anything to add to an article, or have an article you would like us to publish please feel free to contact PeteNetLive. (Please be aware I get a LOT of email, I cannot assist and fix everyone's problems, please do not be offended if you do not get a response).