cisco system vpn client

Unanswered Question
Oct 19th, 2008

Hi, my VPN architecture is as follows:

HQ using Cisco 1841 ISR

Static WAN IP

LAN IP e.g.

EasyVPN server with pre-shared key configuration.

Peer no.1

Using dynamic IP

DLink DSL-G600 series

Cisco Systems VPN Client installed

The questions:

From peer no. 1, outbound traffic is able to go to the HQ.

How about in-bound data traffic from the HQ? e.g. Microsoft SQL services etc.

If in-bound data traffic cannot, how do I configure this 'in-bound' traffic to work?

Any recommendations and advice are appreciated!

Thanks in advance !


Farrukh Haroon Sun, 10/19/2008 - 22:41

You most probably need to allow UDP 500 (or even 4500) and ESP (IP protocol 50) on the NAT gateway. It's usually there under a separate section titled "VPN passthrough" or similar.

The phase 2 SA has 'two' uni-directional connections.



softpro77 Sun, 10/19/2008 - 23:54

Hi Farrukh,

I understand you mean that on the peer's D-Link router I have to allow UDP 500~4500 and ESP (IP protocol 50) on the NAT gateway?


Or do you mean on the HQ's Cisco 1841 IOS configuration?

Thanks in advance


softpro77 Mon, 10/20/2008 - 01:08

Hi Farrukh,

All right, so let's say, after I allow the 'ports' on the peer's D-Link router, any idea of any useful 'commands' or 'utilities' I can use to test and verify that 'in-bound' traffic is working fine?

This would be after I establish the IPsec tunnels using the Cisco Systems VPN Client software installed on the Windows PC at the peer's site.

Thanks in advance !


Farrukh Haroon Mon, 10/20/2008 - 01:33

The first place to check is the encrypt/decrypt counters on your VPN client's Status screen.

You can also check 'show crypto ipsec sa' on the VPN server. The encaps/decaps counters should both increment.

Then you can simply initiate pings from both sides to check the tunnel.
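
The check Farrukh describes (both encaps and decaps incrementing in 'show crypto ipsec sa') and his earlier point that a phase 2 SA consists of two one-way SAs can be turned into a small diagnostic. The script below is an added example, not code from this thread or from Cisco: it parses two constructed snapshots of 'show crypto ipsec sa' output taken a few seconds apart on the VPN server and reports, per peer, whether traffic is flowing in both directions. From the HQ router's point of view, encaps counts packets the router sends into the tunnel (the "in-bound to the peer" traffic asked about above) and decaps counts packets arriving from the peer. The sample text, peer addresses, and counter values are all constructed; the layout mimics IOS output but the script only relies on the 'current_peer' and '#pkts encaps/decaps' lines.

```python
import re
from typing import Dict, Tuple

# Constructed sample output, modelled on the IOS 'show crypto ipsec sa'
# layout. Addresses come from documentation ranges; counters are invented.
SNAPSHOT_BEFORE = """\
interface: FastEthernet0/0
    Crypto map tag: clientmap, local addr 203.0.113.1

   remote ident (addr/mask/prot/port): (192.168.100.5/255.255.255.255/0/0)
   current_peer 198.51.100.20 port 4500
     PERMIT, flags={}
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 115, #pkts decrypt: 115, #pkts verify: 115

   remote ident (addr/mask/prot/port): (192.168.100.6/255.255.255.255/0/0)
   current_peer 198.51.100.77 port 4500
     PERMIT, flags={}
    #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
    #pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40
"""

# Same command a few seconds later: the first peer moved in both
# directions, the second peer only received (encaps grew, decaps did not).
SNAPSHOT_AFTER = """\
interface: FastEthernet0/0
    Crypto map tag: clientmap, local addr 203.0.113.1

   remote ident (addr/mask/prot/port): (192.168.100.5/255.255.255.255/0/0)
   current_peer 198.51.100.20 port 4500
     PERMIT, flags={}
    #pkts encaps: 160, #pkts encrypt: 160, #pkts digest: 160
    #pkts decaps: 150, #pkts decrypt: 150, #pkts verify: 150

   remote ident (addr/mask/prot/port): (192.168.100.6/255.255.255.255/0/0)
   current_peer 198.51.100.77 port 4500
     PERMIT, flags={}
    #pkts encaps: 70, #pkts encrypt: 70, #pkts digest: 70
    #pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40
"""

# One match per SA block: peer address/port, then the two packet counters
# that follow it. DOTALL lets '.*?' span the lines in between.
SA_BLOCK = re.compile(
    r"current_peer (?P<peer>\S+) port (?P<port>\d+).*?"
    r"#pkts encaps: (?P<encaps>\d+).*?"
    r"#pkts decaps: (?P<decaps>\d+)",
    re.DOTALL,
)


def parse_sa_counters(text: str) -> Dict[str, Tuple[int, int]]:
    """Map 'peer:port' -> (encaps, decaps) for every SA block in the output."""
    return {
        f"{m['peer']}:{m['port']}": (int(m["encaps"]), int(m["decaps"]))
        for m in SA_BLOCK.finditer(text)
    }


def diagnose(before: str, after: str) -> Dict[str, str]:
    """Compare two snapshots and classify each peer's traffic direction.

    Verdicts are from the VPN server's perspective:
      bidirectional  encaps and decaps both grew: the tunnel carries traffic both ways
      outbound-only  server sends into the tunnel but nothing comes back; check
                     NAT passthrough (UDP 500/4500, ESP) and the client firewall
      inbound-only   peer sends but the server never replies; check server-side
                     routing and access lists
      idle           no packets in either direction during the interval
      sa-missing     SA present in only one snapshot (rekeyed or torn down)
    """
    first, second = parse_sa_counters(before), parse_sa_counters(after)
    verdicts = {}
    for peer in sorted(set(first) | set(second)):
        if peer not in first or peer not in second:
            verdicts[peer] = "sa-missing"
            continue
        enc_delta = second[peer][0] - first[peer][0]
        dec_delta = second[peer][1] - first[peer][1]
        if enc_delta > 0 and dec_delta > 0:
            verdicts[peer] = "bidirectional"
        elif enc_delta > 0:
            verdicts[peer] = "outbound-only"
        elif dec_delta > 0:
            verdicts[peer] = "inbound-only"
        else:
            verdicts[peer] = "idle"
    return verdicts


if __name__ == "__main__":
    for peer, verdict in diagnose(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(f"{peer:<22} {verdict}")
```

In practice you would paste or pipe the two real command outputs in place of the constructed snapshots while a ping runs from the HQ side; a peer that stays "outbound-only" while HQ is pinging it is exactly the symptom of replies being dropped before they reach the server, which is where the D-Link passthrough settings and the client's built-in firewall come in.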



softpro77 Mon, 10/20/2008 - 17:54

Hi Farrukh,

I've come across the online document about the built-in 'stateful firewall (Always On)' feature, which I can't comprehend.

Let's say after I allow the 'ports' that you mentioned on the peer's D-Link side, what do I then need to configure in this built-in 'stateful firewall' of the Cisco Systems software client?

My goal is to allow the in-bound data traffic from HQ to the peer's end.

Meaning the peer is 'application aware' of the HQ head end after establishing the IPsec VPN tunnels.

Thanks in advance !


Farrukh Haroon Mon, 10/20/2008 - 19:13

This firewall feature is like a value-added, or should I say bonus, feature provided by Cisco. It's basically technology from ZoneLabs (ZoneAlarm), AFAIK. The VPN client makes sure encrypted traffic flows through even after enabling the firewall, but make sure you test everything, as it can sometimes break some desired traffic flows (e.g. your own remote session to the VPN client PC for testing).



