Lei Tian (Cisco Employee) Fri, 03/26/2010 - 18:10

Hi Greg,


You can check your firewall rule first; make sure it allows ISAKMP and ESP traffic.


HTH,

Lei Tian

gregotto49544 Fri, 03/26/2010 - 18:29

From looking at the config file, it appears that it is not. Shamefully, I'm not sure how to enable it... Advice?

Jennifer Halim (Cisco Employee) Fri, 03/26/2010 - 22:19

The VPN server should have NAT-T enabled so it can detect that the VPN Client is behind a NAT/PAT device and therefore use UDP-encapsulated ESP packets for the VPN.

gregotto49544 Sat, 03/27/2010 - 08:18

I don't get a say in how they have their router configured, so I am going to have to make the changes on my end. I enabled the two services on my returning traffic, access list 106, as you can see from the attached configuration log, and am still unable to VPN to the host from a client PC. Thanks for your help with this one so far.

Lei Tian (Cisco Employee) Sat, 03/27/2010 - 09:39

So you only have control of your 850 Router.


Can you remove the ACL and firewall rules configuration for now and check if the VPN client works?

Lei Tian (Cisco Employee) Sat, 03/27/2010 - 11:35

Ok, so NAT is not an issue here.


When you say disable firewall, you mean remove "ip access-group 106 in" and "ip inspect SDM_HIGH out"?


I think your ACL 106 is causing the problem. When you start the VPN client, did you see any ACL log on the router?

Jennifer Halim (Cisco Employee) Sat, 03/27/2010 - 16:35

Try to add the following access-list:

ip access-list extended 106
 1 permit udp any any eq 500
 2 permit udp any any eq 4500
 3 permit esp any any

gregotto49544 Sun, 03/28/2010 - 19:58

When I say I disabled the firewall, I mean I deleted all rules. I added those UDP and ESP rules as suggested, with no change. I included the config files for your browsing pleasure in case I have again missed something. Also, as a side question, have you seen this router do poorly at distributing bandwidth? If I have one computer downloading at 2500 kbps, the other computer can't seem to get more than 35 kbps.

Jennifer Halim (Cisco Employee) Sun, 03/28/2010 - 20:33

OK, seems like you have changed your access-list as per your last config :-)


Now, access-list 107 is applied to the outside interface.


Please add the following:

ip access-list extended 107
 1 permit udp any any eq 500
 2 permit udp any any eq 4500
 3 permit esp any any


BTW, what VPN client are you using, and do you know what ports it uses?
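The two suggestions above (the same three entries for ACL 106 and later for ACL 107) both come down to one question: does the inbound ACL on the 850's outside interface permit the three flows a VPN client needs back in, UDP/500 for ISAKMP, UDP/4500 for NAT-T (the UDP-encapsulated ESP Jennifer mentioned) and IP protocol 50 for plain ESP? The following is an added example, not code from this thread or from Cisco: a small Python first-match evaluator for IOS extended ACL entries. It parses a constructed ACL 107 in the style of an SDM-generated firewall rule (the addresses, the VPN server 203.0.113.20 and the entries are assumptions, not gregotto49544's configuration) and checks each flow before and after the suggested entries are added. Only the syntax used in the thread is modelled: any / host / wildcard addresses and "eq <port>" on the destination.

```python
"""First-match evaluator for Cisco IOS extended ACL entries (added example,
not Cisco code). Models only: any | host A.B.C.D | A.B.C.D WILDCARD addresses
and 'eq <port>' on the destination; source-port operators are not handled."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROTOCOLS = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1, "esp": 50}
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}  # names IOS prints for 500/4500


@dataclass
class Ace:
    seq: int
    action: str                  # "permit" or "deny"
    proto: Optional[int]         # None = "ip", i.e. any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # destination "eq <port>", if any


@dataclass(frozen=True)
class Flow:
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None


def _addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec; ipaddress accepts IOS wildcards as hostmasks."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(tok + "/" + tokens.pop(0))


def _parse_entry(seq: int, tokens: List[str]) -> Ace:
    action, proto = tokens.pop(0), PROTOCOLS[tokens.pop(0)]
    src, dst = _addr(tokens), _addr(tokens)
    dport = None
    if tokens and tokens[0] == "eq":
        dport = PORT_NAMES.get(tokens[1]) or int(tokens[1])
    return Ace(seq, action, proto, src, dst, dport)


def parse_acl(config: str, number: str) -> List[Ace]:
    """Collect ACL `number` from classic 'access-list N ...' lines and from an
    'ip access-list extended N' block; entries without an explicit sequence
    number are numbered 10, 20, 30 ... in order of appearance, as IOS does."""
    aces: List[Ace] = []
    next_seq, in_block = 10, False
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "!":
            continue
        if tokens[:3] == ["ip", "access-list", "extended"]:
            in_block = tokens[3] == number
            continue
        if tokens[0] == "access-list" and tokens[1] == number:
            body = tokens[2:]
        elif in_block and (tokens[0].isdigit() or tokens[0] in ("permit", "deny", "remark")):
            body = tokens
        else:
            in_block = False
            continue
        seq = next_seq
        if body[0].isdigit():                 # explicit sequence number, e.g. "1 permit ..."
            seq, body = int(body[0]), body[1:]
        if body[0] == "remark":
            continue
        aces.append(_parse_entry(seq, body))
        next_seq = max(next_seq, seq + 10)
    return aces


def evaluate(aces: List[Ace], flow: Flow) -> Tuple[str, Optional[int]]:
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for ace in sorted(aces, key=lambda a: a.seq):
        if ace.proto is not None and ace.proto != flow.proto:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action, ace.seq
    return "deny", None


def vpn_return_flows(vpn_server: str, outside_ip: str) -> Dict[str, Flow]:
    """What the remote VPN server sends back to the router's outside address."""
    return {
        "IKE (ISAKMP, UDP/500)": Flow(17, vpn_server, outside_ip, 500),
        "NAT-T (UDP-encapsulated ESP, UDP/4500)": Flow(17, vpn_server, outside_ip, 4500),
        "ESP (IP protocol 50)": Flow(50, vpn_server, outside_ip),
    }


def check_vpn_return_traffic(config: str, number: str, vpn_server: str, outside_ip: str) -> Dict[str, bool]:
    aces = parse_acl(config, number)
    return {name: evaluate(aces, f)[0] == "permit"
            for name, f in vpn_return_flows(vpn_server, outside_ip).items()}


# Constructed ACL in the style of an SDM-generated inbound rule (assumed addresses:
# 198.51.100.7 is the 850's outside IP, 192.168.1.0/24 the inside LAN).
BEFORE = """
access-list 107 remark auto generated by SDM firewall configuration
access-list 107 deny ip 192.168.1.0 0.0.0.255 any
access-list 107 permit icmp any host 198.51.100.7 echo-reply
access-list 107 deny ip any any log
"""

# Same ACL after the entries suggested in the thread; sequence numbers 1-3 place
# them ahead of the auto-numbered (10, 20, 30) entries, including the final deny.
AFTER = BEFORE + """
ip access-list extended 107
 1 permit udp any any eq 500
 2 permit udp any any eq 4500
 3 permit esp any any
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, check_vpn_return_traffic(cfg, "107", "203.0.113.20", "198.51.100.7"))
```

Against the constructed ACL, all three flows hit the closing "deny ip any any log" before the change (so the ACL log Lei Tian asked about would show them) and match sequences 1, 2 and 3 afterwards. One caveat the model also makes visible: because the new entries are "any any" and sit ahead of the SDM anti-spoofing entry, a packet arriving on the outside interface with an inside source address and destination UDP/500 is now permitted too; tightening the source to the VPN server's address keeps the anti-spoofing deny effective.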
