Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
373
Views
4
Helpful
3
Replies

ASA5510 Remote access Server problem

Go to solution
rvr_76bg
Level 1
Level 1

‎10-27-2008 07:50 AM - edited ‎02-21-2020 04:00 PM

Hello guys,

I have a problem with ASA5510 configured as Remote access server. We are using Windows XP VPN client. Staring at the configuration I don't see any problem but when I try to connect to the Server it doesn't initiate VPN negotiation. I had problem like this before, but at least I saw traffic hitting the ASA. Now I don't see anything hitting the device. I am attaching the current configuration of the ASA. The VPN client on my laptop is configured properly. Thank you in advance!

rvr

Labels:
Preview file
6 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
ajagadee
Cisco Employee
Cisco Employee
In response to rvr_76bg

‎10-29-2008 07:41 AM

Hi,

Glad to help and thanks for rating.

This command is not mandatory but 90% of the deployment that I have seen has this command configured and is the default for ASA. In a nutshell, what this command does is open IKE and IPSEC ports and also does not check inbound ACL on ASA for IPSEC Traffic.

In case if you dont have this command enabled, you need to configure inbound ACL to permit IKE, IPSEC and Clear Text Remote Access VPN Traffic after the IPSEC Packets get decrypted on the ASA.

Regards,

Arul

*Pls rate if it helps*

View solution in original post

0 Helpful
3 Replies 3

Go to solution
ajagadee
Cisco Employee
Cisco Employee

‎10-27-2008 12:17 PM

Hi,

In your configuration, you have the below command, which will disable IKE and ESP.

no sysopt connection permit-vpn.

Can you enable this command and run the testing again.

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s8_72.html#wp1198155

If you really want to disable this option, then you need to explicitly configure Access-list applied inbound to permit all ISAKMP and IPSEC ports and also the user traffic.

Regards,

Arul

*Pls rate if it helps*

Go to solution
rvr_76bg
Level 1
Level 1
In response to ajagadee

‎10-29-2008 04:23 AM

I had the command in the configuration before and didn't work. Now I inserted it onace again(according to your suggestion) and it worked, this is strange.

Is this command mandatory for ASA remote access server?

rvr

0 Helpful

Go to solution
ajagadee
Cisco Employee
Cisco Employee
In response to rvr_76bg

‎10-29-2008 07:41 AM

Hi,

Glad to help and thanks for rating.

This command is not mandatory but 90% of the deployment that I have seen has this command configured and is the default for ASA. In a nutshell, what this command does is open IKE and IPSEC ports and also does not check inbound ACL on ASA for IPSEC Traffic.

In case if you dont have this command enabled, you need to configure inbound ACL to permit IKE, IPSEC and Clear Text Remote Access VPN Traffic after the IPSEC Packets get decrypted on the ASA.

Regards,

Arul

*Pls rate if it helps*

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents