09-24-2009 07:57 AM - edited 02-21-2020 04:20 PM
Hi,
I have a question,
How can I configure the ASA so that VPN users (with the Cisco VPN client) cannot connect to it with UDP?
Cisco says that by default IPsec over UDP is disabled.
But it is not. I can connect with IPsec over UDP.
I tried the ipsec-udp disable command on the group policy, but nothing changed.
What is the solution?
Is it a bug? Or did I forget something?
Please help,
thank you
Gabor
09-24-2009 02:03 PM
Sorry for my English, I'm pretty tired :)
But I think you know what I want...
(disable the UDP VPN connections)
09-28-2009 11:38 AM
Gabor:
By default, if there is a UDP device in the middle, ASA will use IPsec over NAT-T, which is UDP 4500, and using the ipsec-udp disable command will not disable that. It will only disable IPSec over UDP over any other port, which is different from NAT-T, though the functionality is essentially the same.
Do you want to use IPSec over TCP instead? If yes, then you could enable that. The document below shows how that can be done. To disable nat-t, you do:
no crypto isakmp nat-t
Please rate if this was helpful.
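An added example (not from the reply above and not Cisco's own document) of the ASA CLI commands the reply describes: NAT-T disabled globally, IPsec over UDP disabled on the group policy, and IPsec over TCP enabled instead. The group-policy name VPN-GP and TCP port 10000 are assumed; the client must be set to the same port. Because a configuration change does not tear down security associations that are already established, the clear and show commands at the end are included so the change takes effect immediately and can be verified.

```text
! Added example, not Cisco's document. Group-policy VPN-GP and port 10000 are assumed.

! 1. Disable NAT traversal (UDP 4500) so a client behind NAT cannot fall back to it.
no crypto isakmp nat-traversal

! 2. Disable IPsec over UDP on the group policy (the non-NAT-T UDP variant).
group-policy VPN-GP attributes
 ipsec-udp disable

! 3. Allow IPsec over TCP on port 10000; select the same port in the VPN client.
crypto isakmp ipsec-over-tcp port 10000

! 4. Existing SAs survive the change; drop them so every client must renegotiate.
clear crypto isakmp sa
clear crypto ipsec sa

! 5. Verify: the session details should now show TCP, not UDP, as the encapsulation.
show vpn-sessiondb remote
```

Step 4 is the part most often missed: a client that was already connected over UDP keeps its tunnel until the SAs expire or are cleared, which can look like the configuration "did not take".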
10-06-2009 03:24 AM
Hi,
Yes, I want to allow only "IPSec over TCP" in the client for the connection.
But it still does not work.
I tried "no crypto isakmp nat-t" but it does not work.
I set "ipsec-udp disable" on the group policy too, but it did not help (I know this is not what I need).
The user can still connect to the VPN, regardless of the transport (I mean whether Transparent Tunneling is enabled or disabled, and whether UDP (NAT/PAT) or TCP is checked)
in the Cisco VPN client.
What is the solution?
Thank you.
10-06-2009 05:55 AM
Gabor,
Please can you paste the output of the following commands here:
show run all crypto
show run all group-policy
show run all tunnel-group
In addition to that, please can you attach the profile file from the VPN client as well?
10-06-2009 07:00 AM
10-14-2009 07:02 AM
Now it works; it does not let the user use IPsec over UDP, but I changed nothing, which is what matters.
I think there is some problem with the refreshing.
Now I have set "crypto isakmp nat-traversal 20" and it does not let the user use IPsec over UDP (NAT/PAT), but it would have had to..
Gabor