vpn works locally, but not remotely

Jun 25th, 2010

I have our ASA 5510 set up to create a vpn for our users.  When I test it locally it works fine, but when I try to use it remotely it will not work.  Additionally port 500 is open locally, but not remotely.  What am I missing?  I have been told that there are no firewalls in place that would affect me.


Dan

Federico Coto F... Fri, 06/25/2010 - 11:08

Daniel.


The ASA will respond to and accept remote IPsec connections (if configured).

On the client side you need to make sure that there are no restrictions for UDP 500/4500 and ESP.


Is the client able to establish the tunnel? You can check this with two commands:

sh cry isa sa

sh cry ips sa


If the tunnel is established you need NAT-T to pass traffic normally.


Federico.
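As an added example (not code from the thread), a small Python helper that reads the output of the two commands Federico mentions and separates "phase 1 never came up" from "tunnel up but traffic not flowing". The ASA output below is constructed in the style of those commands, not captured from Dan's device, and the state names treated as established (AM_ACTIVE, MM_ACTIVE, QM_IDLE) are an assumption.

```python
import re

# Constructed sample output in the style of ASA "show crypto isakmp sa" and
# "show crypto ipsec sa" (not captured from the poster's device).
ISAKMP_OUTPUT = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 203.0.113.5
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
"""

IPSEC_OUTPUT = """\
    #pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# States assumed to mean an established IKE SA (assumption, see lead-in).
ESTABLISHED_STATES = {"AM_ACTIVE", "MM_ACTIVE", "QM_IDLE"}


def isakmp_peers(text):
    """Return {peer_ip: state} parsed from 'show crypto isakmp sa' output."""
    peers, current = {}, None
    for line in text.splitlines():
        m = re.search(r"IKE Peer:\s*(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.search(r"State\s*:\s*(\S+)", line)
        if m and current:
            peers[current] = m.group(1)
    return peers


def ipsec_counters(text):
    """Return {'encaps': n, 'decaps': n} from 'show crypto ipsec sa' output."""
    counters = {}
    for name in ("encaps", "decaps"):
        m = re.search(rf"#pkts {name}:\s*(\d+)", text)
        counters[name] = int(m.group(1)) if m else 0
    return counters


def diagnose(isakmp_text, ipsec_text):
    """Classify the tunnel: no IKE SA, one-way traffic, or ok."""
    peers = isakmp_peers(isakmp_text)
    if not any(s in ESTABLISHED_STATES for s in peers.values()):
        return "no-ike-sa"  # phase 1 never completed: UDP 500 unreachable or policy mismatch
    c = ipsec_counters(ipsec_text)
    if c["encaps"] and not c["decaps"]:
        return "one-way"    # SA exists but nothing arrives: suspect ESP/UDP 4500 dropped, check NAT-T
    return "ok"
```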

Daniel Davidson Fri, 06/25/2010 - 11:21

If the clients cannot connect to port 500, then they cannot connect to the service, so when connecting remotely, the commands you mentioned do not show a connection.  When I connect locally, it does show the connection as accepted though.  I am using the same laptop to connect at both locations, so I know the settings are the same.

Correct Answer
Federico Coto F... Fri, 06/25/2010 - 13:32

You say port 500 (UDP) is not open remotely.

How do you expect a client to connect if UDP 500 is not open on the client side?


Federico.

Daniel Davidson Fri, 06/25/2010 - 13:57

By remotely, I mean that if I do an nmap -p 500 -sU, I show port 500 being open locally, when I leave and connect to another network, it does not show open there.  I am not firewalling the port remotely, I just am saying I cannot see it open from there.


Dan

Federico Coto F... Fri, 06/25/2010 - 14:15

Could it be the ISP on the client side blocking the traffic?


Federico.
