06-25-2010 11:01 AM
I have our ASA 5510 set up to create a vpn for our users. When I test it locally it works fine, but when I try to use it remotely it will not work. Additionally port 500 is open locally, but not remotely. What am I missing? I have been told that there are no firewalls in place that would affect me.
Dan
06-25-2010 11:08 AM
Daniel.
The ASA will respond and accept remote IPsec connections (if configured).
On the client side you need to make sure that there are no restrictions for UDP 500/4500 and ESP.
Is the client able to establish the tunnel? You can check this with two commands:
sh cry isa sa
sh cry ips sa
If the tunnel is established you need NAT-T to pass traffic normally.
Federico.
06-25-2010 11:21 AM
If the clients cannot connect to port 500, then they cannot connect to the service, so when connecting remotely, the commands you mentioned do not show a connection. When I connect locally, it does show the connection as accepted though. I am using the same laptop to connect at both locations, so I know the settings are the same.
06-25-2010 01:32 PM
You say port 500 (UDP) is not open remotely.
How do you expect a client to connect if UDP 500 is not open on the client side?
Federico.
06-25-2010 01:57 PM
By remotely, I mean that if I do an nmap -p 500 -sU, I show port 500 being open locally; when I leave and connect to another network, it does not show open there. I am not firewalling the port remotely, I just am saying I cannot see it open from there.
Dan
06-25-2010 02:15 PM
Could it be the ISP on the client side blocking the traffic?
Federico.
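A client-side check of the point made in this thread (UDP 500 has to reach the ASA from the client's network before anything else can work), added here as an example and not taken from the thread or from Cisco: it sends one well-formed IKEv1 main-mode proposal to a gateway you administer and reports whether any ISAKMP reply comes back, which separates "UDP 500 is filtered somewhere on the path" from a tunnel that fails at a later stage. The gateway address is a placeholder you supply; the script does not test UDP 4500 (NAT-T) or ESP.

```python
import os
import socket
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # RFC 2408 s3.1: 28-byte ISAKMP header
MAIN_MODE = 2                               # exchange type "Identity Protection"

def _payload(next_payload, body):
    # generic payload header: next payload, reserved, total length (header included)
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body

def build_ike_probe(icookie=None):
    """First IKEv1 main-mode message: a single 3DES/SHA1/PSK/DH-group-2 proposal."""
    icookie = icookie or os.urandom(8)
    # basic (TV) SA attributes: enc=3DES, hash=SHA1, auth=pre-shared key, group=2
    attrs = b"".join(struct.pack("!HH", t, v) for t, v in
                     ((0x8001, 5), (0x8002, 2), (0x8003, 1), (0x8004, 2)))
    transform = _payload(0, struct.pack("!BBH", 1, 1, 0) + attrs)         # xform 1, KEY_IKE
    proposal = _payload(0, struct.pack("!BBBB", 1, 1, 0, 1) + transform)  # proto ISAKMP
    sa = _payload(0, struct.pack("!II", 1, 1) + proposal)                 # DOI IPsec, SIT_IDENTITY_ONLY
    hdr = ISAKMP_HDR.pack(icookie, bytes(8), 1, 0x10, MAIN_MODE, 0, 0,
                          ISAKMP_HDR.size + len(sa))                      # next payload = SA, v1.0
    return hdr + sa

def parse_isakmp_header(data):
    """Decode the fixed ISAKMP header of a datagram, or return None if it is too short."""
    if len(data) < ISAKMP_HDR.size:
        return None
    ic, rc, np_, ver, xchg, flags, mid, length = ISAKMP_HDR.unpack_from(data)
    return {"icookie": ic, "rcookie": rc, "next_payload": np_, "version": ver,
            "exchange": xchg, "flags": flags, "message_id": mid, "length": length}

def probe_ike(gateway, timeout=3.0):
    """'reply' if the gateway answered on UDP 500 with our initiator cookie echoed back
    (even a NO-PROPOSAL-CHOSEN notify proves the path is open), 'timeout' if nothing
    returned (UDP 500 filtered on the path, or no IKE listener), else 'unexpected'."""
    pkt = build_ike_probe()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (gateway, 500))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    hdr = parse_isakmp_header(data)
    if hdr and hdr["icookie"] == pkt[:8] and hdr["version"] >> 4 == 1:
        return "reply"
    return "unexpected"

if __name__ == "__main__":
    print(probe_ike("VPN_GATEWAY_PLACEHOLDER"))  # replace with your own ASA's outside address
```

Run it from the local network first (expect "reply"), then from the remote network; a "timeout" only from the remote side matches the symptom described above and points at the path, not the ASA configuration.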