I have configured a Remote Access VPN on my ASA5510 running 8.4 and enabled it on the outside interface.
For some reason, if an inside host uses a VPN client to connect through the firewall, they end up taking port udp/500 (udp/isakmp) or udp/4500 (IPSec NAT-T).
Inside hosts use PAT to translate to the outside, but I would have thought the ASA would never provide PAT translations that override its own ports (like 500 and 4500).
I am seeing the packets drop during negotiation and authentication. If I disconnect the VPN client on the inside host the remote access clients can connect again.
Here is some of the config (scrubbed for obvious reasons):
access-list vpnclient_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
ip local pool vpnclient-pool 10.0.254.5-10.0.254.249 mask 255.255.255.0
group-policy remote_access internal
group-policy vpnclient attributes
dns-server value 10.0.0.2
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnclient_splitTunnelAcl
default-domain value example.local
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
address-pool vpnclient-pool
authentication-server-group RADIUS
default-group-policy vpnclient
tunnel-group vpnclient ipsec-attributes
ikev1 pre-shared-key ***********
tunnel-group vpnclient ppp-attributes
no authentication chap
no authentication ms-chap-v1
How can I prevent inside hosts from taking ISAKMP and IPSec NAT-T ports on 8.4 ASA5510?
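To make the collision described in the question concrete, here is a small added model (example code, not part of the original question or of any Cisco software) of a dynamic PAT allocator that preserves the real source port when it is free on the mapped address, beside a variant that refuses to hand out ports the firewall itself listens on. The port-preservation rule and the range split (1-511, 512-1023, 1024-65535) are assumptions about how the allocator behaves, used only to show the mechanism; the addresses 203.0.113.1 (outside) and 10.0.0.50 (inside host) are constructed.

```python
"""Toy PAT allocator showing how an inside IKE client can take udp/500 and
udp/4500 on the firewall's outside address, and how reserving the firewall's
own listener ports prevents it. Assumed behaviour, not real ASA code."""
from dataclasses import dataclass, field

ISAKMP_PORT = 500      # udp/isakmp
NAT_T_PORT = 4500      # IPSec NAT-T
ASA_LISTENERS = frozenset({ISAKMP_PORT, NAT_T_PORT})


@dataclass
class PatAllocator:
    outside_ip: str                       # mapped (outside interface) address
    reserved: frozenset = frozenset()     # ports PAT must never give to a host
    # (proto, mapped_port) -> (real_ip, real_port)
    _in_use: dict = field(default_factory=dict)

    @staticmethod
    def _range_for(port: int) -> range:
        # assumed range split: mapped port stays in the real port's range
        if port < 512:
            return range(1, 512)
        if port < 1024:
            return range(512, 1024)
        return range(1024, 65536)

    def translate(self, proto: str, real_ip: str, real_port: int):
        """Return the (mapped_ip, mapped_port) chosen for an outbound flow."""
        key = (proto, real_port)
        # port preservation: reuse the real source port if it is free
        if real_port not in self.reserved and key not in self._in_use:
            self._in_use[key] = (real_ip, real_port)
            return (self.outside_ip, real_port)
        for port in self._range_for(real_port):
            cand = (proto, port)
            if port in self.reserved or cand in self._in_use:
                continue
            self._in_use[cand] = (real_ip, real_port)
            return (self.outside_ip, port)
        raise RuntimeError("PAT port range exhausted")

    def inbound_owner(self, proto: str, dst_port: int):
        """Who receives a packet arriving at outside_ip:dst_port?
        An existing PAT entry wins over the firewall's own listener, which is
        exactly how a remote client's IKE packet gets diverted or dropped."""
        return self._in_use.get((proto, dst_port), "firewall")


def demo_collision():
    """Inside VPN client steals udp/500 and udp/4500 from the firewall."""
    pat = PatAllocator("203.0.113.1")
    pat.translate("udp", "10.0.0.50", ISAKMP_PORT)
    pat.translate("udp", "10.0.0.50", NAT_T_PORT)
    return (pat.inbound_owner("udp", ISAKMP_PORT),
            pat.inbound_owner("udp", NAT_T_PORT))


def demo_reserved():
    """Same client, but the firewall's listener ports are excluded from PAT."""
    pat = PatAllocator("203.0.113.1", reserved=ASA_LISTENERS)
    m500 = pat.translate("udp", "10.0.0.50", ISAKMP_PORT)
    m4500 = pat.translate("udp", "10.0.0.50", NAT_T_PORT)
    return (m500, m4500,
            pat.inbound_owner("udp", ISAKMP_PORT),
            pat.inbound_owner("udp", NAT_T_PORT))


if __name__ == "__main__":
    print("naive PAT, inbound udp/500 and udp/4500 go to:", demo_collision())
    print("reserved PAT:", demo_reserved())
```

The naive allocator returns the inside host for inbound udp/500 and udp/4500, which matches the symptom of remote access clients failing only while an inside client is connected; the reserved allocator maps the inside client to other ports in the same range and leaves both listeners with the firewall.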
Do you have
crypto isakmp nat-traversal 20
enabled on the destination and source firewalls? This is a common issue, and bits of your story are consistent. There may be something else off in the config, though. Can you post the rest?

A combination of IPSec Pass-through and a NAT hack resolves the issue with ports 500 and 4500 being 'stolen' by inside hosts for me: