ASA5550 - how to allow outgoing ipSec?

Sep 15th, 2009

We just migrated to an ASA5550 and an internal contractor cannot finish ISAKMP negotiation back to her IPSec VPN server (it's a Nortel client). She does get her DNS and IP address, so I presume something is trying to connect back to her PC. We fixed the problem by allowing all incoming IP to her IP address. I know it's not one of our other ACL rules because her new incoming rule is last in the ACL. The outgoing ACL is the default "all to less secure".

Is there a recipe for setting up outgoing IPSec connections on an ASA somewhere? I don't see any fixup or inspect options for this protocol; our config is mostly default, two interfaces inside-outside, no NAT, etc. I could not locate any comments on this online (surprisingly).

Perhaps for ESP and AH protocol the ASA does not track outgoing connections like it does for UDP and TCP, so allowing all incoming AH and ESP is a better way to fix this?

Thanks --w

wsanders1 Tue, 09/15/2009 - 13:29

Answer: Looks like there are some inspect options that are not enabled by default, for ipsec and pptp. Probably better to enable those than to allow all incoming AH/ESP.
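For readers landing on this thread, here is what the two approaches look like side by side in ASA configuration. This is an added example, not the poster's own config: the host address and ACL name are placeholders, and it assumes the factory-default `global_policy` / `inspection_default` policy map names. The IPsec pass-through inspection watches the ISAKMP exchange on UDP/500 and then admits the ESP/AH return traffic for that specific client for a limited time, which is much narrower than a permanent "permit ip any" toward the user's host.

```text
! 1) The over-broad workaround described in the question: every protocol
!    from anywhere is allowed in to the contractor's host (placeholder address).
access-list outside_in extended permit ip any host 192.0.2.10
access-group outside_in in interface outside

! 2) Narrower alternative: enable IPsec pass-through inspection so the ASA
!    opens ESP/AH pinholes only for a client that completed ISAKMP.
policy-map type inspect ipsec-pass-thru ipsec-pt-map
 parameters
  esp per-client-max 10 timeout 0:10:00
  ah per-client-max 10 timeout 0:10:00

policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru ipsec-pt-map
  inspect pptp

service-policy global_policy global

! Verify the pinholes are being created while the client connects:
show service-policy inspect ipsec-pass-thru
```

With the inspection in place, the blanket `permit ip any host` line in step 1 can be removed. One check worth doing first: if the Nortel client is already encapsulating ESP inside UDP (NAT traversal), the ASA's ordinary UDP connection tracking covers the return traffic and no ESP/AH pinhole is needed at all; a packet capture on the outside interface during a connection attempt will show whether raw protocol 50/51 or UDP is in use.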
