Cisco Support Community

New Member

ASA5550 - how to allow outgoing ipSec?

We just migrated to an ASA5550 and an internal contractor cannot finish ISAKMP negotiation back to her IPSec VPN server (it's a Nortel client). She does get her DNS and IP address, so I presume something is trying to connect back to her PC. We fixed the problem by allowing all incoming IP to her IP address. I know it's not one of our other ACL rules because her new incoming rule is last in the ACL. The outgoing ACL is the default "all to less secure".

Is there a recipe for setting up outgoing IPSec connections on an ASA somewhere? I don't see any fixup or inspect options for this protocol; our config is mostly default, two interfaces inside-outside, no NAT, etc. I could not locate any comments on this online (surprisingly).

Perhaps for the ESP and AH protocols the ASA does not track outgoing connections like it does for UDP and TCP, so allowing all incoming AH and ESP is a better way to fix this?

Thanks --w

1 REPLY
New Member

Re: ASA5550 - how to allow outgoing ipSec?

Answer: Looks like there are some inspect options that are not enabled by default, for ipsec and pptp. Probably better to enable those than allow all incoming AH/ESP.

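As an added example (not from this thread or from Cisco's documentation), here is what the reply's suggestion looks like on the ASA, beside a narrower ACL alternative to the "permit all IP to her host" workaround. The host address 192.0.2.50, the ACL name outside_in and the policy-map name IPSEC_PT are assumed; global_policy and inspection_default are the ASA's default names.

```cisco
! Option 1: IPsec pass-through inspection. Once the ASA sees the client's
! outbound ISAKMP flow (UDP/500) it opens the matching inbound ESP/AH
! pinholes itself, so no static inbound rule is needed.
! (IPSEC_PT is an assumed name; the parameters section permits AH as well
!  as ESP and caps what one client can open.)
policy-map type inspect ipsec-pass-thru IPSEC_PT
 parameters
  esp per-client-max 10 timeout 0:10:00
  ah per-client-max 10 timeout 0:10:00
!
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru IPSEC_PT
  inspect pptp
!
! Option 2: if you keep a static inbound rule instead, scope it to the
! IPsec protocols and the one host rather than "permit ip any host".
! (192.0.2.50 and outside_in are assumed; UDP/4500 only matters if the
!  peer ends up using NAT-T, which this poster's no-NAT setup should not.)
access-list outside_in extended permit esp any host 192.0.2.50
access-list outside_in extended permit ah any host 192.0.2.50
access-list outside_in extended permit udp any host 192.0.2.50 eq 4500
access-group outside_in in interface outside
!
! Checks: confirm the inspection is applied and that ESP connections for
! the host appear in the connection table while the tunnel is up.
show service-policy inspect ipsec-pass-thru
show conn | include 192.0.2.50
```

Option 1 is preferable because the pinholes exist only for the lifetime of a client-initiated ISAKMP session, whereas Option 2 leaves ESP/AH to that host reachable from anywhere at all times.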