I have a PIX 506e set up for VPN connectivity at a remote branch office. Users from my main branch office cannot connect to it when they are sitting at their desks. In other words, the main corporate office firewall is blocking the VPN connection. The VPN works just fine when users are not in the office.
Here is a cut and paste of the translations and encryptions in use:
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
The question is, what do I need to open up IP/TCP/UDP-wise on my firewall at the corporate office to allow outbound VPN connections to be successful. Keep in mind, I need this to be successful in the future as well with other VPN servers.
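A standards-based IPsec client needs three things to pass outbound through the corporate firewall: IKE (UDP/500), NAT-T (UDP/4500, which the `isakmp nat-traversal 20` line above enables on the PIX and which carries both IKE and the ESP payload once either side detects a NAT in the path) and native ESP (IP protocol 50) for the case where no NAT is detected. The access list below is an added example, not part of the original post, written in PIX/ASA syntax as an inside-to-outside ACL for the corporate office firewall; the ACL name `inside_out`, the inside network `10.1.0.0/16` and the interface name `inside` are assumptions. Because every IPsec peer uses the same three, the same rules cover the other VPN servers mentioned in the post.

```text
! Corporate-office firewall: permit outbound IPsec from the inside network.
! Example added here; "inside_out", 10.1.0.0/16 and "inside" are assumed values.
!
! IKE phase 1/2 negotiation
access-list inside_out permit udp 10.1.0.0 255.255.0.0 any eq isakmp
! NAT-T: after NAT detection, IKE and UDP-encapsulated ESP both use UDP/4500
access-list inside_out permit udp 10.1.0.0 255.255.0.0 any eq 4500
! Native ESP (IP protocol 50) for peers reached without a NAT in the path
access-list inside_out permit esp 10.1.0.0 255.255.0.0 any
! ...followed by whatever the existing outbound policy already permits
access-group inside_out in interface inside
```

On a non-Cisco firewall the equivalent is: allow outbound UDP to destination port 500, UDP to destination port 4500 and IP protocol 50 from the user subnet to the branch PIX's public address, and let the stateful engine admit the replies. Two caveats: AH (IP protocol 51) is only needed if `trmset1`, whose definition is not shown in the post, uses an `ah-*` transform; and the firewall's UDP idle timeout must be longer than the NAT-T keepalive interval (20 seconds in the config above), since those keepalives exist precisely to hold the UDP/4500 translation open while the tunnel is idle.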