Occasional Contributor I

RAP and Cisco ASA5510 config

Hello all,

I have been trying to configure RAP with our AP 65s and have only been successful with internal testing. As soon as we modify our remote policy to point to our public IP address it fails. We see the UDP 4500 hit on our firewall (ASA5510) but it does not complete the tunnel. We are concerned that our ASA config is obviously not configured correctly to pass NAT-T UDP 4500 traffic to the IP of our local controller correctly.

Does anyone have any notes or config info pertaining to passing IPsec NAT-T traffic through our ASA5510?

Thanks in advance!
Guru Elite

ASA Policy for Remote AP

Stargaten,

You need:

- Static Nat to map your outside or public address to the "inside" address of the controller
- An access list permitting any source UDP 4500 traffic to that outside address
- An access-group statement applying that ACL to the outside interface.

So if the public address you are using is 128.33.164.35 and your private address is 172.16.1.1, you would do something like this:

static (inside,outside) 128.33.164.35 172.16.1.1 netmask 255.255.255.255
access-list outside-to-in extended permit udp any eq 4500 host 128.33.164.35 eq 4500
access-group outside-to-in in interface outside


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I

Re: RAP and Cisco ASA5510 config

We are using PAT by the way.

Output from cmd line when trying to use static as in your post:
asa5510# conf t

asa5510(config)# static (inside,outside) n$

ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address

Thanks
Guru Elite

Pat

Stargaten,

I'm going to have to refer you to Cisco support because:

- This is a Cisco configuration issue
- You would get more mileage discussing private details of your ASA with Cisco, as opposed to revealing them on this forum.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor I

Re: RAP and Cisco ASA5510 config

Thanks again
Aruba Employee

Re: RAP and Cisco ASA5510 config

This Cisco configuration example might help:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008045a2d2.shtml
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
Aruba Employee

Re: RAP and Cisco ASA5510 config

Stargaten - Do you have another public IP address to use besides the outside interface of your ASA? If so, use that instead of your outside interface's ip address. Colin's config is good. Remember, the "inside" interface should be replaced with whichever ASA interface the controller resides on. If it is your inside interface, then it's good to go.

Just one thing to watch, the NAT-T RFC states that NAT-T devices don't need to use udp 4500 as the source port. Some do, some don't, but if Colin posted the source and destination udp ports as 4500 then I would imagine the RAPs do use 4500 for both. Just an FYI....
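The three pieces Colin lists (static NAT, ACL, access-group), the 'interface' keyword error Stargaten hit when the outside interface IP is also the PAT address, and Andy's point about NAT-T source ports can be checked mechanically before touching the firewall. The following Python script is an added illustration, not code from Aruba, Cisco or anyone in this thread: it parses pre-8.3 ASA `static`, `access-list` and `access-group` lines and reports which of the three requirements are missing or mismatched for a given controller address. The sample configs are constructed; the interface-PAT form (`static (inside,outside) udp interface 4500 <controller> 4500`) and the `interface outside` ACL destination are assumed syntax taken from the error message quoted above, not from this thread's ASA. The source-port finding is a warning only, since some NAT-T peers do send from UDP 4500.

```python
"""Check a pre-8.3 Cisco ASA config for the inbound path a RAP's IPsec NAT-T
(UDP 4500) traffic needs: a static NAT for the controller, an ACL permitting
UDP 4500 to the public address, and an access-group on the outside interface.
Added illustration; sample configs below are constructed, not a real ASA."""
import re

# Constructed: dedicated public IP (the form in Colin's post), ACL without a source-port match.
CONFIG_DEDICATED_IP = """\
static (inside,outside) 128.33.164.35 172.16.1.1 netmask 255.255.255.255
access-list outside-to-in extended permit udp any host 128.33.164.35 eq 4500
access-group outside-to-in in interface outside
"""

# Constructed: interface PAT with the 'interface' keyword (assumed syntax, per the ASA's
# error message in the thread); the ACL also pins the source port to 4500.
CONFIG_INTERFACE_PAT = """\
static (inside,outside) udp interface 4500 172.16.1.1 4500 netmask 255.255.255.255
access-list outside-to-in extended permit udp any eq 4500 interface outside eq 4500
access-group outside-to-in in interface outside
"""

# Constructed: the mistake from the thread, the outside interface IP (also the PAT address)
# used as the static's global address, and the access-group line forgotten.
CONFIG_INTERFACE_IP_MISUSED = """\
static (inside,outside) 203.0.113.10 172.16.1.1 netmask 255.255.255.255
access-list outside-to-in extended permit udp any host 203.0.113.10 eq 4500
"""

# static (real,mapped) [proto] global [gport] local [lport] netmask MASK
STATIC_RE = re.compile(
    r"^static \((\S+),(\S+)\) (?:(udp|tcp) )?(\S+)(?: (\d+))? (\S+)(?: (\d+))? netmask \S+$")
ADDR = r"(any|host \S+|interface \S+)"
# access-list NAME extended permit PROTO SRC [eq SPORT] DST [eq DPORT]
ACL_RE = re.compile(
    rf"^access-list (\S+) extended permit (\S+) {ADDR}(?: eq (\S+))? {ADDR}(?: eq (\S+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def check_rap_nat_t(config, controller_ip, outside_ip, outside_ifc="outside"):
    """Return a list of findings; an empty list means all three pieces line up."""
    findings = []
    statics, acls, groups = [], {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics.append(m.groups())
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)  # interface -> ACL name applied inbound

    # 1. A static that maps the controller toward the outside interface.
    matched = [s for s in statics if s[5] == controller_ip and s[1] == outside_ifc]
    if not matched:
        findings.append("no static NAT maps the controller toward the outside interface")
        return findings
    _real, _mapped, proto, public, gport, _local, lport = matched[0]
    if proto is None and public == outside_ip:
        findings.append("static uses the outside interface IP as its global address; with "
                        "interface PAT the ASA requires the 'interface' keyword and a port, "
                        f"e.g. static ({_real},{_mapped}) udp interface 4500 {controller_ip} 4500")
    elif proto is not None and (proto != "udp" or gport != "4500" or lport != "4500"):
        findings.append(f"static PAT does not map UDP 4500 to UDP 4500 (got {proto} {gport}->{lport})")

    # 2. An ACL entry permitting UDP 4500 to that public address.
    dst_ok = {f"interface {outside_ifc}"} if public == "interface" else {f"host {public}"}
    acl_name = None
    for name, entries in acls.items():
        for aproto, _src, sport, dst, dport in entries:
            if aproto in ("udp", "ip") and dst in dst_ok and dport in (None, "4500"):
                acl_name = name
                if sport is not None:
                    findings.append(f"ACL {name} also matches source port {sport}; NAT-T peers "
                                    "are not required to send from UDP 4500, so this may drop "
                                    "RAPs behind some NATs")
    if acl_name is None:
        findings.append("no ACL entry permits UDP 4500 to the controller's public address")
        return findings

    # 3. That ACL is applied inbound on the outside interface.
    if groups.get(outside_ifc) != acl_name:
        findings.append(f"ACL {acl_name} is not applied with "
                        f"'access-group {acl_name} in interface {outside_ifc}'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("dedicated IP", CONFIG_DEDICATED_IP),
                       ("interface PAT", CONFIG_INTERFACE_PAT),
                       ("interface IP misused", CONFIG_INTERFACE_IP_MISUSED)):
        print(label, "->", check_rap_nat_t(cfg, "172.16.1.1", "203.0.113.10") or ["OK"])
```

Run it against a `show running-config` dump with the controller's inside address and the ASA's outside address; the dedicated-IP sample passes cleanly, the interface-PAT sample passes with only the source-port warning, and the misused-interface-IP sample reports both the `interface` keyword problem and the missing access-group.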
Guru Elite

Pat

If Stargaten is using PAT, that means he ONLY has one ip address that does all the NATting. No wonder the "static" command wouldn't go through.... Cisco TAC to the rescue...


Colin Joseph
Aruba Customer Engineering


Aruba Employee

Re: RAP and Cisco ASA5510 config

But it doesn't mean that's the only outside address he has. The config is good, he just needs another address on the outside.
New Contributor

Re: RAP and Cisco ASA5510 config

You may try upgrading IOS on the ASA. That's how we got it to work.