08-12-2008 07:01 AM - edited 02-21-2020 03:53 PM
I have a vendor who needs access to his Cisco IPsec VPN. I have statically NATed his internal IP, and allowed ip/ah/esp inbound and outbound, but he cannot establish a connection. Is this even allowed in the ASA?
Thanks
08-12-2008 07:04 AM
Sure it's allowed. Could you post some of the config?
08-12-2008 07:10 AM
Also, you need ISAKMP to be allowed, or UDP 500.
08-12-2008 07:12 AM
Yes, but he's already allowed ip.
08-12-2008 07:16 AM
This is the configuration I have added:
static (Internal,External) 207.67.84.121 10.0.24.19 netmask 255.255.255.255
access-list Internal extended permit ip host 10.0.24.19 host 137.69.115.15
access-list Internal extended permit ah host 10.0.24.19 host 137.69.115.15
access-list Internal extended permit esp host 10.0.24.19 host 137.69.115.15
access-list External extended permit ip host 137.69.115.15 host 207.67.84.121
access-list External extended permit ah host 137.69.115.15 host 207.67.84.121
access-list External extended permit esp host 137.69.115.15 host 207.67.84.121
08-12-2008 07:26 AM
That should work fine. Make sure he is translating to the correct address.
show xlate
Like the previous poster wrote, you could be more specific with your acls.
access-list Internal extended permit esp host 10.0.24.19 host 137.69.115.15
access-list Internal extended permit udp host 10.0.24.19 host 137.69.115.15 eq 500
access-list Internal extended permit udp host 10.0.24.19 host 137.69.115.15 eq 4500
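As an added example (not posted in the thread), a small Python checker that parses ASA-style host-to-host "extended permit" lines and reports which flows an IPsec peer needs (ISAKMP UDP/500, NAT-T UDP/4500, ESP, AH) the ACL actually permits. It is run here over the two inbound ACL sets quoted above; the checker itself and its function names are constructed for this illustration.

```python
# Added example: checker for ASA-style "access-list <name> extended permit ..."
# host-to-host lines. Reports which IPsec flows are permitted. Not from the
# thread; the ACL lines below are the ones quoted in it, the logic is constructed.
import re

ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+(\S+)\s+host\s+(\S+)\s+host\s+(\S+)"
    r"(?:\s+eq\s+(\S+))?\s*$"
)
PORT_NAMES = {"isakmp": 500}                  # ASA also accepts "eq isakmp" for UDP/500
REQUIRED = {"isakmp": ("udp", 500), "nat-t": ("udp", 4500),
            "esp": ("esp", None), "ah": ("ah", None)}

def parse_acl(lines):
    """Return (acl_name, proto, src, dst, port) tuples; unmatched lines are skipped."""
    entries = []
    for line in lines:
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        name, proto, src, dst, port = m.groups()
        if port is not None:
            port = PORT_NAMES.get(port.lower()) or int(port)
        entries.append((name, proto.lower(), src, dst, port))
    return entries

def permits(entries, name, proto, src, dst, port=None):
    """True if any entry of ACL `name` covers the src->dst flow for proto/port."""
    for e_name, e_proto, e_src, e_dst, e_port in entries:
        if (e_name, e_src, e_dst) != (name, src, dst):
            continue
        if e_proto == "ip":                    # permit ip covers every protocol
            return True
        if e_proto == proto and (e_port is None or e_port == port):
            return True
    return False

def check_ipsec_flows(lines, acl_name, src, dst):
    """Map each required IPsec flow to whether the ACL permits it src->dst."""
    entries = parse_acl(lines)
    return {flow: permits(entries, acl_name, proto, src, dst, port)
            for flow, (proto, port) in REQUIRED.items()}

# Inbound ACL as originally posted: the blanket "permit ip" already covers everything.
POSTED_INTERNAL = [
    "access-list Internal extended permit ip host 10.0.24.19 host 137.69.115.15",
    "access-list Internal extended permit ah host 10.0.24.19 host 137.69.115.15",
    "access-list Internal extended permit esp host 10.0.24.19 host 137.69.115.15",
]
# The tighter set suggested in the reply: no blanket ip, and no AH.
SPECIFIC_INTERNAL = [
    "access-list Internal extended permit esp host 10.0.24.19 host 137.69.115.15",
    "access-list Internal extended permit udp host 10.0.24.19 host 137.69.115.15 eq 500",
    "access-list Internal extended permit udp host 10.0.24.19 host 137.69.115.15 eq 4500",
]

if __name__ == "__main__":
    for label, acl in (("posted", POSTED_INTERNAL), ("specific", SPECIFIC_INTERNAL)):
        print(label, check_ipsec_flows(acl, "Internal", "10.0.24.19", "137.69.115.15"))
```

With the tighter set, AH is reported as not permitted, which is the expected trade-off when the peer only uses ESP (the usual case); the checker makes that visible before the ACL is applied.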
08-12-2008 08:01 AM
It's xlate'd fine, but his client bounces through his primary and secondary VPN servers and doesn't contact any of them.