284 Views, 0 Helpful, 1 Reply

ASA5550 - how to allow outgoing ipSec?

wsanders1 (Level 1)

We just migrated to an ASA5550 and an internal contractor cannot finish ISAKMP negotiation back to her IPSec VPN server (it's a Nortel client). She does get her DNS and IP address, so I presume something is trying to connect back to her PC. We fixed the problem by allowing all incoming IP to her IP address. I know it's not one of our other ACL rules because her new incoming rule is last in the ACL. The outgoing ACL is the default "all to less secure".

Is there a recipe for setting up outgoing IPSec connections on an ASA somewhere? I don't see any fixup or inspect options for this protocol; our config is mostly default, two interfaces inside-outside, no NAT, etc. I could not locate any comments on this online (surprisingly).

Perhaps for ESP and AH protocol the ASA does not track outgoing connections like it does for UDP and TCP, so allowing all incoming AH and ESP is a better way to fix this?

Thanks --w

1 Reply

wsanders1 (Level 1)

Answer: Looks like there are some inspect options that are not enabled by default, for ipsec and pptp. Probably better to enable those than allow all incoming AH/ESP.
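The two approaches contrasted in this thread, shown side by side as an added configuration example (this is not the poster's config or a Cisco-supplied snippet). It assumes the default `global_policy` / `inspection_default` class that an ASA ships with, an outside interface named `outside`, and an inside host at the placeholder address `192.0.2.10`; the map name `ipsec-pass-thru-map`, the per-client limits and the 10-minute timeouts are arbitrary values chosen for illustration.

```cisco
! --- Interim workaround described in the question: opens every IP protocol
! --- and port from anywhere to the contractor's PC. Too broad for a single
! --- VPN client; the ASA cannot correlate it with anything she initiated.
access-list outside_access_in extended permit ip any host 192.0.2.10
access-group outside_access_in in interface outside

! --- Preferred fix: let the ASA track the outbound ISAKMP exchange
! --- (UDP/500, already matched by the default-inspection-traffic class)
! --- and open ESP/AH pinholes for the return traffic of that client only.
policy-map type inspect ipsec-pass-thru ipsec-pass-thru-map
 parameters
  ! ESP (IP protocol 50): at most 10 tunnels per inside client,
  ! torn down after 10 minutes of silence (constructed values)
  esp per-client-max 10 timeout 0:10:00
  ! AH (IP protocol 51): same limits (constructed values)
  ah per-client-max 10 timeout 0:10:00

policy-map global_policy
 class inspection_default
  ! enable the pass-through inspection under the default class
  inspect ipsec-pass-thru ipsec-pass-thru-map
  ! the other inspection the reply mentions; only needed if PPTP/GRE
  ! clients also sit behind this ASA
  inspect pptp

! the default policy is already applied globally on a stock ASA; shown for completeness
service-policy global_policy global

! --- Once the inspection is in place the broad inbound rule can go.
no access-list outside_access_in extended permit ip any host 192.0.2.10
```

The pinholes only exist for the lifetime of the ISAKMP flow plus the configured idle timeout, so an inside host that never started a negotiation has nothing reachable from outside, which is the property the blanket `permit ip any host` rule gives up. If the client uses NAT traversal (UDP/4500) rather than raw ESP, the return traffic is ordinary UDP and the standard stateful tracking already covers it; `show service-policy inspect ipsec-pass-thru` and `show conn` are the places to confirm that ESP/AH connections are being built after the change.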
