VPN through an ASA 5540 v8

Unanswered Question
Oct 14th, 2009
I'm trying to allow a VPN from a client on my internal network to an external server at a third party.

I have 2 rules allowing UDP from source to destination & destination to source.

I can see hits for UDP 500 & UDP 4500 on the internal list but nothing on the external ACL.

When I capture I can see traffic from the destination hitting the ASA external interface, but there is nothing in the logs.

I've tried the sysopt connection permit-vpn command but still nothing, and I can't find a document on allowing a VPN through an ASA.

Can anyone help?

Thanks to anyone taking the time to read this.

Greatly appreciated.

Collin Clark Wed, 10/14/2009 - 05:59

Do you have NAT-T configured on the ASA?

mike_guy29 Wed, 10/14/2009 - 10:51
Judging from the ports in use, the client is using NAT-T. As for seeing hits on the outside ACL, I wouldn't expect you would. The client's return traffic would be automatically allowed (that is the purpose of a stateful firewall). The only time you would need an entry in the ACL permitting outside inbound is if the outside initiates the traffic, which, seeing as it's a VPN client in use, it won't be :) Does that make sense?

If the VPN client is still not working it could be something else. Is it just a standard IPsec VPN? Are you able to obtain a packet capture on the client's laptop and post it?
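
An added illustration of the stateful-firewall point above (this is not code from the thread or from Cisco; it is a deliberately simplified model, not ASA behaviour in full). The model applies an ACL inbound on each interface, performs dynamic PAT for inside-initiated flows, and keeps a connection table. Running the client's UDP 500 and UDP 4500 exchange through it shows why the inside ACL entries record hits while the outside ACL, left empty, records none and the concentrator's replies still get through; an unsolicited packet from the outside, with no matching state, is dropped. All addresses, ports and the ASA-style log lines are constructed.

```python
"""Model of a stateful firewall with per-interface ACLs and dynamic PAT.
Added example; addresses, ACL entries and log lines are constructed and the
firewall behaviour is a simplification, not ASA code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

UDP = "udp"
ISAKMP_PORT = 500   # IKE negotiation
NAT_T_PORT = 4500   # IKE plus UDP-encapsulated ESP once NAT-T is detected

FlowKey = Tuple[str, str, int, str, int]   # proto, src, sport, dst, dport


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    iface: str   # interface the packet arrives on: "inside" or "outside"

    def key(self) -> FlowKey:
        return (self.proto, self.src, self.sport, self.dst, self.dport)


@dataclass(frozen=True)
class AclEntry:
    action: str                   # "permit" or "deny"
    proto: str
    src: str                      # address or "any"
    dst: str
    dport: Optional[int] = None   # None = any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto and self.src in ("any", p.src)
                and self.dst in ("any", p.dst) and self.dport in (None, p.dport))


@dataclass
class StatefulFirewall:
    acls: Dict[str, List[AclEntry]]   # ACL applied inbound on each interface
    outside_ip: str                   # address used for dynamic PAT
    next_pat_port: int = 1024
    forward: Dict[FlowKey, FlowKey] = field(default_factory=dict)   # flow -> translated flow
    reply: Dict[FlowKey, FlowKey] = field(default_factory=dict)     # expected reply -> inside flow
    hits: Dict[Tuple[str, int], int] = field(default_factory=dict)  # (iface, ACE index) -> hits
    log: List[str] = field(default_factory=list)

    def process(self, p: Packet) -> str:
        # 1. Existing connection: forwarded on state alone, with no ACL lookup, so
        #    the outside ACL never records a hit for the concentrator's replies.
        if p.iface == "outside" and p.key() in self.reply:
            inside_flow = self.reply[p.key()]
            self.log.append(f"Reply {p.src}/{p.sport} -> {p.dst}/{p.dport} "
                            f"untranslated to {inside_flow[1]}/{inside_flow[2]}")
            return "permit (existing connection)"
        if p.key() in self.forward:
            return "permit (existing connection)"
        # 2. New flow: evaluate the ACL on the arrival interface; first match wins,
        #    implicit deny at the end.
        for idx, ace in enumerate(self.acls.get(p.iface, [])):
            if not ace.matches(p):
                continue
            self.hits[(p.iface, idx)] = self.hits.get((p.iface, idx), 0) + 1
            if ace.action != "permit":
                break
            if p.iface == "inside":
                # Dynamic PAT: inside source becomes outside_ip/mapped, and the
                # matching reply tuple is recorded so it can be untranslated later.
                mapped = self.next_pat_port
                self.next_pat_port += 1
                self.forward[p.key()] = (p.proto, self.outside_ip, mapped, p.dst, p.dport)
                self.reply[(p.proto, p.dst, p.dport, self.outside_ip, mapped)] = p.key()
                self.log.append(f"Built outbound {p.proto.upper()} connection for "
                                f"inside:{p.src}/{p.sport} ({self.outside_ip}/{mapped}) "
                                f"to outside:{p.dst}/{p.dport}")
            else:
                self.forward[p.key()] = p.key()   # outside-initiated; no translation modelled
            return "permit (new connection)"
        self.log.append(f"Deny {p.proto} src {p.iface}:{p.src}/{p.sport} "
                        f"dst {p.dst}/{p.dport} by access-group")
        return "deny"


CLIENT = "10.1.1.50"            # constructed inside host running the VPN client
CONCENTRATOR = "198.51.100.7"   # constructed third-party VPN gateway
ASA_OUTSIDE = "203.0.113.2"     # constructed firewall outside address


def build_firewall() -> StatefulFirewall:
    return StatefulFirewall(
        acls={
            "inside": [AclEntry("permit", UDP, CLIENT, CONCENTRATOR, ISAKMP_PORT),
                       AclEntry("permit", UDP, CLIENT, CONCENTRATOR, NAT_T_PORT)],
            "outside": [],   # nothing needed: the concentrator never initiates
        },
        outside_ip=ASA_OUTSIDE,
    )


def run_vpn_exchange(fw: StatefulFirewall) -> List[str]:
    """IKE on 500, then NAT-T on 4500; each outbound packet followed by its reply."""
    results = []
    for port in (ISAKMP_PORT, NAT_T_PORT):
        results.append(fw.process(Packet(UDP, CLIENT, port, CONCENTRATOR, port, "inside")))
        mapped = fw.forward[(UDP, CLIENT, port, CONCENTRATOR, port)][2]
        results.append(fw.process(Packet(UDP, CONCENTRATOR, port, ASA_OUTSIDE, mapped, "outside")))
    return results


def unsolicited_inbound(fw: StatefulFirewall) -> str:
    """A packet the outside sends first has no state and no outside ACE: dropped."""
    return fw.process(Packet(UDP, CONCENTRATOR, NAT_T_PORT, ASA_OUTSIDE, NAT_T_PORT, "outside"))


if __name__ == "__main__":
    fw = build_firewall()
    print(run_vpn_exchange(fw))
    print(unsolicited_inbound(fw))
    print("ACL hits:", fw.hits)
    print("\n".join(fw.log))
```

The hit counters end up only on the two inside entries, matching what the original poster sees on the real box; the replies are admitted from the connection table. The model also shows why NAT-T matters for the "is NAT an issue" question: because the tunnel traffic is carried in UDP 4500, it has ports for PAT to translate and track, which plain ESP (IP protocol 50, no ports) would not have.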



mulhollandm Wed, 10/14/2009 - 11:48
Many thanks for your reply.

I've been reaching a similar conclusion in the past hour or so.

Unfortunately I can't get a capture on the client as it's locked down and I can't get admin rights.

As a test I've set up a VPN on my own laptop to the same destination IP with a dummy username and password.

I can actually see a return packet from the VPN concentrator, so it looks like traffic is making its way from host-concentrator-host.

The real host is behind another firewall, so tomorrow I'll put my laptop there and capture.

I've tested the real host from behind a broadband line and it works, so I'm wondering if NATs are an issue.

Grateful for your thoughts.


mike_guy29 Wed, 10/14/2009 - 12:14
No problem,

As mentioned, they seem to be communicating using NAT-T based on the port 4500, so they shouldn't have a problem communicating through NAT devices.

If you do not have any luck tomorrow and are able to get some logs from the client or a packet capture somewhere along the line (connect to a hub between the client and switchport and run Wireshark or similar??), then post them here and I shall take a look!

Best of luck