06-25-2010 11:01 AM
I have our ASA 5510 set up to create a vpn for our users. When I test it locally it works fine, but when I try to use it remotely it will not work. Additionally port 500 is open locally, but not remotely. What am I missing? I have been told that there are no firewalls in place that would affect me.
Dan
06-25-2010 11:08 AM
Daniel.
The ASA by default will respond and accept remote IPsec connections (if configured).
On the client side you need to make sure that there are no restrictions for UDP 500/4500 and ESP.
Is the client able to establish the tunnel? You can check this with two commands:
sh cry isa sa
sh cry ips sa
If the tunnel is established you need NAT-T to pass traffic normally.
Federico.
06-25-2010 11:21 AM
If the clients cannot connect to port 500, then they cannot connect to the service, so when connecting remotely, the commands you mentioned do not show a connection. When I connect locally, it does show the connection as accepted though. I am using the same laptop to connect at both locations, so I know the settings are the same.
06-25-2010 01:32 PM
You say port 500 (UDP) is not open remotely.
How do you expect a client to connect if UDP 500 is not open on the client side?
Federico.
06-25-2010 01:57 PM
By remotely, I mean that if I do an nmap -p 500 -sU, I show port 500 being open locally, when I leave and connect to another network, it does not show open there. I am not firewalling the port remotely, I just am saying I cannot see it open from there.
Dan
06-25-2010 02:15 PM
Could it be the ISP on the client side blocking the traffic?
Federico.
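As an added example (not code from the thread, from Cisco, or from either poster): a small Python probe that makes Dan's nmap -sU -p 500 check explicit. It builds a minimal IKEv1 Main Mode first message, sends it to the gateway and classifies what comes back, so the "open locally, not open remotely" result can be repeated from the remote network without nmap. The gateway address, the 3DES/SHA1/PSK/group 2 proposal and the test bytes are assumptions or constructed values, not taken from the thread.

```python
"""UDP/500 reachability probe (added example, not from the thread): builds a minimal
IKEv1 Main Mode first message (RFC 2408/2409 framing, one 3DES/SHA1/PSK/group-2
proposal), sends it to the gateway and classifies the reply. Test bytes are constructed."""
import os
import socket
import struct
# i-cookie, r-cookie, next payload, version, exchange type, flags, message id, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
NP_SA, IKEV1_VERSION = 1, 0x10          # next payload = SA; major 1, minor 0
XCHG_MAIN_MODE, XCHG_INFORMATIONAL = 2, 5

def _attr(attr_type: int, value: int) -> bytes:
    """Basic (type/value) ISAKMP attribute; the high bit marks the 2-byte form."""
    return struct.pack("!HH", 0x8000 | attr_type, value)

def build_mm1(icookie: bytes = b"") -> bytes:
    """Return a 72-byte IKEv1 MM1: ISAKMP header + SA/proposal/transform payloads."""
    icookie = icookie or os.urandom(8)
    # encryption 3DES(5), hash SHA1(2), auth pre-shared key(1), DH group 2 (assumed proposal)
    attrs = _attr(1, 5) + _attr(2, 2) + _attr(3, 1) + _attr(4, 2)
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    sa = struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal  # IPsec DOI, SIT_IDENTITY_ONLY
    hdr = ISAKMP_HDR.pack(icookie, bytes(8), NP_SA, IKEV1_VERSION, XCHG_MAIN_MODE,
                          0, 0, ISAKMP_HDR.size + len(sa))
    return hdr + sa

def classify_reply(probe: bytes, reply) -> str:
    """A real responder echoes our initiator cookie, with its own SA (Main Mode) or a NOTIFY
    (Informational) if it rejects the proposal. Silence is ambiguous: ISP/NAT filter or a gateway
    that ignores unknown peers look the same from the client side."""
    if reply is None:
        return "no-reply"
    if len(reply) < ISAKMP_HDR.size:
        return "not-isakmp"
    icookie, _r, _np, ver, xchg, _f, _mid, length = ISAKMP_HDR.unpack_from(reply)
    if icookie != probe[:8] or ver >> 4 != 1 or length != len(reply):
        return "not-isakmp"
    return {XCHG_MAIN_MODE: "ike-responder", XCHG_INFORMATIONAL: "ike-notify"}.get(xchg, "not-isakmp")

def probe_gateway(host: str, port: int = 500, timeout: float = 2.0) -> str:
    """Send one MM1 to host:port and classify the answer (needs network access)."""
    probe = build_mm1()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(probe, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            reply = None
    return classify_reply(probe, reply)
```

Run probe_gateway("<your-asa-outside-address>") once from the LAN and once from the remote network; "ike-responder" or "ike-notify" on the LAN and "no-reply" remotely points at a drop between the remote client and the ASA, while "not-isakmp" means something other than IKE answered on that port.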