03-26-2010 05:22 PM - edited 03-04-2019 07:56 AM
Since installing my Cisco 850 Router and setting up the firewall I can not seem to VPN out from a client. Any suggestions?
Thanks,
Greg
03-26-2010 06:10 PM
Hi Greg,
You can check your firewall rule first, make sure it allows isakmp and esp traffic.
HTH,
Lei Tian
03-26-2010 06:29 PM
From looking at the config file, it appears that it is not. Shamefully I'm not sure how to enable it... Advice?
03-26-2010 06:46 PM
Hi Greg,
Here is a document showing how to enable it on the ASA firewall using ASDM
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008045a2d2.shtml
HTH
Reza
03-26-2010 10:19 PM
The VPN server should have NAT-T enabled so it can detect that the VPN client is behind a NAT/PAT device and therefore use UDP-encapsulated ESP packets for the VPN.
03-27-2010 08:18 AM
I don't get a say in how they have their router configured, so I am going to have to make the changes on my end. I enabled the two services on my returning traffic, access list 106, as you can see from the attached configuration log, and am still unable to VPN to the host from a client PC. Thanks for your help with this one so far.
03-27-2010 09:39 AM
So you only have control of your 850 Router.
Can you remove the ACL and firewall rules configuration for now and check if the VPN client works?
03-27-2010 10:50 AM
Works great with firewall disabled.
03-27-2010 11:35 AM
Ok, so NAT is not an issue here.
When you say disable firewall, you mean remove " ip access-group 106 in" and "ip inspect SDM_HIGH out"?
I think your ACL 106 is causing the problem. When you start the VPN client, did you see any ACL log on the router?
03-27-2010 04:35 PM
Try to add the following access-list:
ip access-list extended 106
1 permit udp any any eq 500
2 permit udp any any eq 4500
3 permit esp any any
03-28-2010 07:58 PM
When I say I disabled the firewall, I mean I deleted all rules. I added those UDP and ESP rules as suggested, with no change. I included the config files for your browsing pleasure in case I have again missed something. Also, as a side question, have you seen this router do poorly at distributing bandwidth? If I have one computer downloading at 2500kbps, the other computer can't seem to get more than 35kbps.
03-28-2010 08:33 PM
OK, seems like you have changed your access-list as per your last config :-)
Now, access-list 107 is applied to the outside interface.
Please add the following:
ip access-list extended 107
1 permit udp any any eq 500
2 permit udp any any eq 4500
3 permit esp any any
BTW, what VPN client are you using? And do you know what ports they use?
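A small checker for the ACL advice in this thread (an added example, not code from the thread or from Cisco): it parses the permit/deny lines of an IOS extended ACL in the "any any" form used above, applies first-match semantics plus the implicit deny at the end, and reports whether IKE (UDP/500), NAT-T (UDP/4500) and ESP get through. The sample ACL text and the function names are constructed for the example.

```python
"""Does an IOS extended ACL let IPsec VPN client traffic through?
Models first-match evaluation and the implicit 'deny ip any any'.
Only the 'any any [eq port]' ACE form used in the thread is parsed."""
import re
from typing import Dict, List, Optional, Tuple

# Flows the replies say the firewall must permit: (protocol, dst port)
VPN_FLOWS = {"isakmp": ("udp", 500), "nat-t": ("udp", 4500), "esp": ("esp", None)}
# Port keywords IOS substitutes for the numeric values in a running config
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}

# Constructed sample: ACL 107 as the last reply asks for it, with a trailing deny
SAMPLE_ACL_107 = """
ip access-list extended 107
 1 permit udp any any eq 500
 2 permit udp any any eq 4500
 3 permit esp any any
 10 deny ip any any log
"""

ACE_RE = re.compile(r"^\s*(?:\d+\s+)?(permit|deny)\s+(\w+)\s+any\s+any(?:\s+eq\s+(\S+))?", re.I)

def parse_acl(text: str) -> List[Tuple[str, str, Optional[int]]]:
    """Return (action, protocol, dst_port) triples in configured order."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue                      # header line or unsupported ACE form
        action, proto, port_s = m.groups()
        port = None
        if port_s:
            port = int(port_s) if port_s.isdigit() else PORT_NAMES[port_s.lower()]
        entries.append((action.lower(), proto.lower(), port))
    return entries

def flow_permitted(entries, proto: str, port: Optional[int]) -> bool:
    """Evaluate one flow against the ACL the way IOS does: first match wins."""
    for action, ace_proto, ace_port in entries:
        if ace_proto not in (proto, "ip"):
            continue                      # ACE is for a different protocol
        if ace_port is not None and ace_port != port:
            continue                      # port-specific ACE for another port
        return action == "permit"         # first matching ACE decides
    return False                          # implicit deny at the end of the ACL

def vpn_client_check(acl_text: str) -> Dict[str, bool]:
    """Map each required VPN flow to whether the ACL lets it through."""
    entries = parse_acl(acl_text)
    return {name: flow_permitted(entries, p, port) for name, (p, port) in VPN_FLOWS.items()}

if __name__ == "__main__":
    for name, ok in vpn_client_check(SAMPLE_ACL_107).items():
        print(f"{name:7s} {'permitted' if ok else 'BLOCKED'}")
```

Run it against the ACL pasted from the router's running config; a flow reported as BLOCKED is shadowed by an earlier deny or missing a permit entirely, which is the situation the replies above describe.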