We just migrated to an ASA5550 and an internal contractor cannot finish ISAKMP negotiation back to her IPSec VPN server (it's a Nortel client). She does get her DNS and IP address, so I presume something is trying to connect back to her PC. We fixed the problem by allowing all incoming IP to her IP address. I know it's not one of our other ACL rules because her new incoming rule is last in the ACL. The outgoing ACL is the default "all to less secure".
Is there a recipe for setting up outgoing IPSec connections on an ASA somewhere? I don't see any fixup or inspect options for this protocol, our config is mostly default, two interfaces inside-outside, no NAT, etc. I could not locate any comments on this online (surprisingly).
Perhaps for ESP and AH protocol the ASA does not track outgoing connections like it does for UDP and TCP, so allowing all incoming AH and ESP is a better way to fix this?
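As an added example (not from the original post), here is how the "allow all incoming IP to her address" rule could be narrowed to only the protocols an IPSec client needs, plus the ASA's own IPSec pass-through inspection, which opens the ESP return path only while a matching ISAKMP (UDP 500) flow exists. The inside host 10.1.2.3, the Nortel server 203.0.113.10, and the ACL name outside_access_in are placeholders.

```cisco
! Inbound ACL on the outside interface: only the VPN server, only IPSec.
! ISAKMP (UDP 500) and NAT-T (UDP 4500) are stateful, so these two lines
! are only needed if the server initiates toward the client.
access-list outside_access_in extended permit udp host 203.0.113.10 host 10.1.2.3 eq isakmp
access-list outside_access_in extended permit udp host 203.0.113.10 host 10.1.2.3 eq 4500
! ESP (IP protocol 50) and AH (IP protocol 51) carry no ports, so the ASA
! cannot match them to the outbound connection; permit them explicitly
! from the known server instead of "permit ip any host 10.1.2.3".
access-list outside_access_in extended permit esp host 203.0.113.10 host 10.1.2.3
access-list outside_access_in extended permit ah host 203.0.113.10 host 10.1.2.3
access-group outside_access_in in interface outside

! Alternative to the static ESP/AH lines: let the ASA open an ESP pinhole
! only after it has seen the client's outbound ISAKMP exchange.
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru
```

With the inspection in place the static ESP line can be removed, leaving only traffic tied to an ISAKMP session the inside client started.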