Remote VPN access

robschellrh
Level 1

Hi,

I have an ASA5520 with version 7.2(2)18.

I am trying to set up a VPN connection with a DMZ interface on the ASA, but I get the messages %PIX-7-710005. When I configure the ASA to use the "outside" interface as the tunnel termination interface, it works.

Any suggestions? Thanks

4 Replies

oabduo983
Level 1

Are you terminating your connection on the DMZ interface? Are you trying to reach the inside network? Can you post your configuration to see what's happening?

Thanks

Hi Osama Abduo,

When I configure "crypto map IO-MAP interface" and "crypto isakmp enable" to the "asa03-01-outside" interface, it works.

But when I enable isakmp on the "asa03-01-vpn" interface, I cannot connect and get the %ASA-7-710005 message.

Thanks

Hi Rob

I was going through your configuration, and I was doubting some routing issues, but I found the reverse-route option being enabled. Have you tried pointing a default gateway on the asa03-01-vpn interface? I was looking more into the error message which you got on the Cisco site and I got the following explanation:

____________________

710005

Error Message %PIX|ASA-7-710005: {TCP|UDP} request discarded from source_address/source_port to interface_name:dest_address/service

Explanation This message appears when the security appliance does not have a UDP server that services the UDP request. The message can also indicate a TCP packet that does not belong to any session on the security appliance. In addition, this message appears (with the service snmp) when the security appliance receives an SNMP request with an empty payload, even if it is from an authorized host. When the service is snmp, this message occurs a maximum of 1 time every 10 seconds so that the log receiver is not overwhelmed.

Recommended Action In networks that heavily utilize broadcasting services such as DHCP, RIP or NetBios, the frequency of this message can be high. If this message appears in excessive number, it may indicate an attack.

___________________

Based on this, and the fact that you are using 1 physical interface (with sub-interfaces below it) could you please try and use ipsec over tcp using the following command?

isakmp ipsec-over-tcp port 10000

Don't forget to enable this on the client under the transport tab...

Have you thought of utilizing your other two physical interfaces instead of pushing them with the interface Gi0/0?

I hope this helps... Please rate if it does!
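
For readers working through the same symptom, the following is an added example, not part of any post in this thread: it parses 710005 lines in the layout quoted above and counts discards per interface and service, so it is easy to see whether tunnel setup traffic is being dropped at the interface where the VPN should terminate. The log lines, addresses and the `VPN_SERVICES` set are constructed assumptions, and the pattern covers IPv4 addresses only.

```python
import re
from collections import Counter

# Layout taken from the explanation quoted in the thread:
# %PIX|ASA-7-710005: {TCP|UDP} request discarded from
#   source_address/source_port to interface_name:dest_address/service
PATTERN = re.compile(
    r"%(?:PIX|ASA)-7-710005: (?P<proto>TCP|UDP) request discarded from "
    r"(?P<src>[^/\s]+)/(?P<sport>\S+) to "
    r"(?P<ifc>[^:\s]+):(?P<dst>[^/\s]+)/(?P<service>\S+)"
)

# Assumption: tunnel setup traffic is ISAKMP on UDP 500 (logged as a port
# number or as the name "isakmp") or the thread's IPsec-over-TCP port 10000.
VPN_SERVICES = {("UDP", "500"), ("UDP", "isakmp"), ("TCP", "10000")}

def parse_710005(line):
    """Return the fields of one 710005 message, or None for other lines."""
    m = PATTERN.search(line)
    return m.groupdict() if m else None

def summarize(lines):
    """Count discards per (interface, protocol, service)."""
    counts = Counter()
    for line in lines:
        rec = parse_710005(line)
        if rec:
            counts[(rec["ifc"], rec["proto"], rec["service"])] += 1
    return counts

def vpn_discards(counts):
    """Keep only discards aimed at the VPN services listed above."""
    return {k: n for k, n in counts.items() if (k[1], k[2]) in VPN_SERVICES}

# Constructed sample lines (documentation address ranges, not real logs).
SAMPLE = [
    "Jan 10 09:15:01 fw %ASA-7-710005: UDP request discarded from 198.51.100.7/1025 to asa03-01-vpn:192.0.2.1/500",
    "Jan 10 09:15:06 fw %ASA-7-710005: UDP request discarded from 198.51.100.7/1025 to asa03-01-vpn:192.0.2.1/500",
    "Jan 10 09:15:09 fw %ASA-7-710005: UDP request discarded from 192.0.2.50/138 to inside:192.0.2.255/netbios-dgm",
    "Jan 10 09:16:40 fw %ASA-7-710005: TCP request discarded from 198.51.100.7/40211 to asa03-01-vpn:192.0.2.1/10000",
    "Jan 10 09:17:02 fw %ASA-6-302013: Built inbound TCP connection 42 for outside:198.51.100.9/51000",
]

if __name__ == "__main__":
    for (ifc, proto, svc), n in sorted(vpn_discards(summarize(SAMPLE)).items()):
        print(f"{ifc}: {n} x {proto}/{svc} discarded (no listener or no matching session)")
```

Broadcast noise such as the NetBIOS line is counted by `summarize` but filtered out by `vpn_discards`, which matches the quoted note that DHCP, RIP or NetBIOS traffic can make this message frequent.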

Hi Osama,

I tried your options: inserted ipsec-over-tcp port 10000 and moved the logical interface 0/0.23 to a physical interface gi0/1, but I still get the error message 71005.
