CISCO VPN CLIENT(IPSec over UDP) <-> VPN Concentrator : PROBLEM
Our company managers have lap-tops with application using partner`s VPN Concentrator site (IP address 188.8.131.52, belongs to "NIKE") and should connect as our LAN internal IP addresses (CISCO VPN Client 3.5.2, IPSec over UDP, transparent tunneling) over our ISA 2000 firewall and our CISCO 805 router.
(Sorry, this should not have been advertisement, it`s just that I have had not much of support from their contacts, in fact they are not real sys.admins, and I could not get to any real VPN Concentrator admin. Besides, I hope this will make other people having had the same problem with the same side to post here their suggestions and experience).
Anyway, all they told me is: open UDP 500 and UDP 10000. I am afraid it is not that simple.
They can connect, authenticate, get address from VPN Concentrator ,but when they start using application there is no response from target server. No data ever comes inbound.
Now, I have been experimenting with our CISCO router which is behind firewall (completely public): I assigned public address to Laptop client and tested changing access-list in order to "catch" ports.
All OUTBOUND IP traffic on CISCO is permitted.
For INBOUND access list, I have put:
"permit ip any any" and THIS HELPED.
I have tried with "netstat" on client to see what IP ports are in use but haven`t discovered anything interesting, besides the fact that when application communicates remote server TCP 40400 IS ALWAYS OPENED ON REMOTE SIDE!
When I changed INBOUND access list to:
"permit udp any any
permit tcp any any" NO SUCCESS!
I tried with:
"permit ipinip any any" but NO SUCCESS!
1) Does anyone knows what ports this VPN Concentrator really uses and how to find out what specific IP protocols and ports should be opened on CISCO 805, both in and out?
2) If VPN CONCENTRATOR (184.108.40.206) admins do not follow this forum, how to monitor ports and IP protocols in use on CISCO IOS 12.2 during succesful session which I described above? Something like "netstat" in Windows.
3) What firewalls at clients` side support this if ISA doesn`t (Win2000 environment)? Please, only confirmed through testing.
I am having a similar problem. A VPN tunnel is established and all authentication works without a hitch but I cannot get to any corporate applications. For telne as an example, it seems as though SYN packets are being sent out but there is no ACK.
From this I infer that somewhere along the way it is being blocked. What options are there for debugging this?
Just a thought...but I had problems with my VPN passing traffic and had a person who could login but not get into inside servers... I found that my router admins had left off some important routes...once I had routing going I was then able to pass traffic successfully. Good Luck.
First off, I believe the Concentrator can be configured to tunnel what ever port you want. For insistance we have ours set up to tunnel all traffic through a certain UDP port. The Concetrator's profile should be imported to the users computer and everything should be gravy. As far the firewall is concerned, is there more than one way to allow ports through it? I only ask this b/c on our firewall, we have proxy filters, and ipfilters. For some reason the proxy port filters don't work w/the the configured Concentrator port. We have to use Ip filters in order for the user to authenicate and get to their apps. Just a thought.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...