VPN Out Cisco 850 Router

gregotto49544
Level 1

Since installing my Cisco 850 Router and setting up the firewall I can not seem to VPN out from a client. Any suggestions?

Thanks,

Greg

11 Replies

Lei Tian
Cisco Employee

Hi Greg,

You can check your firewall rule first; make sure it allows ISAKMP and ESP traffic.

HTH,

Lei Tian

From looking at the config file, it appears that it is not. Shamefully I'm not sure how to enable it... Advise?

Hi Greg,

Here is a document showing how to enable it on the ASA firewall using ASDM:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008045a2d2.shtml

HTH

Reza

Jennifer Halim
Cisco Employee

The VPN server should have NAT-T enabled so it can detect that the VPN Client is behind a NAT/PAT device and therefore uses UDP-encapsulated ESP packets for the VPN.

I don't get a say in how they have their router configured, so I am going to have to make the changes on my end. I enabled the two services on my returning traffic, access list 106, as you can see from the attached configuration log, and am still unable to VPN to the host from a client PC. Thanks for your help with this one so far.

So you only have control of your 850 Router.

Can you remove the ACL and firewall rules configuration for now and check if the VPN client works?

Works great with firewall disabled.

Ok, so NAT is not an issue here.

When you say disable the firewall, do you mean remove "ip access-group 106 in" and "ip inspect SDM_HIGH out"?

I think your ACL 106 is causing the problem. When you start the VPN client, did you see any ACL log on the router?

Try to add the following access-list:

ip access-list extended 106
 permit udp any any eq 500
 permit udp any any eq 4500
 permit esp any any

When I say I disabled the firewall, I mean I deleted all rules. I added those UDP and ESP rules as suggested, with no change. I included the config files for your browsing pleasure in case I have again missed something. Also, as a side question, have you seen this router perform poorly at distributing bandwidth? If I have one computer downloading at 2500kbps, the other computer can't seem to get more than 35kbps.

OK, seems like you have changed your access-list as per your last config :-)

Now, access-list 107 is applied to the outside interface.

Please add the following:

ip access-list extended 107
 permit udp any any eq 500
 permit udp any any eq 4500
 permit esp any any

BTW, what VPN client are you using, and do you know what ports it uses?
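The thread above boils down to one point: the inbound ACL on the 850's outside interface must admit the IKE (UDP 500), NAT-T (UDP 4500) and ESP return traffic for a client behind the router, and those permits must sit above the closing deny. The following IOS configuration fragment is an added example written for this page, not Greg's posted config or anything from Cisco; the interface name `FastEthernet4` and the peer address `203.0.113.10` (the remote VPN gateway) are placeholders, and the `log` keyword on the final deny is what lets you see in the router log which packet an ACL is dropping instead of guessing.

```cisco
! Constructed example: outside-interface ACL on a Cisco 850 that lets an
! internal VPN client reach a remote IPsec gateway. Not from the original thread.
!
! Ordering matters: IOS evaluates ACL entries top down and stops at the first
! match, so the VPN permits must come before the closing "deny ip any any".
ip access-list extended 107
 remark --- IPsec pass-through for the internal VPN client ---
 remark IKE main/aggressive mode (UDP 500); 203.0.113.10 is a placeholder gateway
 permit udp host 203.0.113.10 eq 500 any eq 500
 remark NAT-Traversal: IKE and UDP-encapsulated ESP (UDP 4500)
 permit udp host 203.0.113.10 eq 4500 any eq 4500
 remark Raw ESP (IP protocol 50) for peers that do not negotiate NAT-T.
 remark CBAC inspection does not track ESP, so it needs an explicit permit.
 permit esp host 203.0.113.10 any
 remark --- everything else the original policy allowed goes here ---
 remark Final deny with "log": dropped packets show up in "show logging"
 deny ip any any log
!
! Apply the ACL inbound on the WAN side; keep the SDM inspection rule outbound
! so return traffic for ordinary TCP/UDP sessions is opened dynamically.
interface FastEthernet4
 ip access-group 107 in
 ip inspect SDM_HIGH out
!
! Verification from enable mode (run after starting the VPN client):
!   show ip access-lists 107        - per-entry match counters; the UDP 500/4500
!                                     or ESP counters should increment
!   show ip inspect sessions        - confirms inspection opened the UDP return path
!   show logging | include list 107 - lists the denies if the permits are missing
```

If the peer address is unknown or changes, replace `host 203.0.113.10` with `any` as in the thread; the tighter form simply limits the exposure of UDP 500/4500 and ESP to the one gateway the client actually talks to.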
