Cisco Support Community
Community Member

RA VPN issue asa5505

please excuse me while i get my head around this thing.

policy problem. very simple setup.

getting: 2 Mar 16 2007 14:51:24 106006 xx.202.120.109 xx.129.14.162 Deny inbound UDP from xx.xx.120.109/500 to xx.xx.14.162/500 on interface outside

no web or hardclient. just static routing table and ravpn.

tia.

20 REPLIES
Green

Re: RA VPN issue asa5505

sysopt connection permit-ipsec/vpn

Community Member

Re: RA VPN issue asa5505

thanks for input. i have been at this for a VERY long time.

unfortunately i get "invalid input detected at marker"

do i need to ssh in to use this command? currently telnet.

Green

Re: RA VPN issue asa5505

no telnet is fine, are you having trouble with your vpn?

pix#config t

pix(config)#sysopt connection permit-ipsec

depending on your code version the command may be sysopt connection permit-vpn

Community Member

Re: RA VPN issue asa5505

first thanks so much for the help!

looking forward to initiating the command when arrive at the office.

yes, the asdm log is telling me that the outside connection is being blocked (ike port 500). i have run through the setup too many times to count.

code version. 7.2 maybe. or asdm version? 5. it is a new unit out of the box. very happy with the unit, if i could only get the remote access vpn to work. i feel like a real idiot considering there is even a wizard in the gui. took me quite a while to make the routing table for the static ip, but that seems to be working. i don't think this could be a problem. what do you think? problem with the security policy? have tried tons of different rules to allow/direct. will be in within the hour. thanks again!!!

Community Member

Re: RA VPN issue asa5505

command was successful, however no change.

here are the config and client log. thanks!!!

ASA Version 7.2(2)

!att.

Green

Re: RA VPN issue asa5505

First of all, you do not want your vpn client dhcp pool to be the same subnet as your inside. Change the pool to something different. Then you will also have to change any reference to that pool in the rest of your config, nat 0 access-list etc. Start with that and we'll go from there. I didn't see the sysopt command in your config. Without that, udp 500 will be denied on the outside interface, unless you specifically permit it, which you haven't.

Community Member

Re: RA VPN issue asa5505

thanks. after changing something my routing isn't functioning. if you have the patience.. THANKS! att.

Green

Re: RA VPN issue asa5505

you're missing...

global (outside) 1 interface

Community Member

Re: RA VPN issue asa5505

is this the command or service policy addition? losing my mind. thanks!!!

Green

Re: RA VPN issue asa5505

the command, it's in the first config you posted, and not in the second.

Community Member

Re: RA VPN issue asa5505

ok. breathing again. that nat change got me running. big thanks. however i am still getting blocked on the isakmp. "deny inbound udp from xxx./500 to xxx./500 on interface outside" REALLY appreciate it!

Green

Re: RA VPN issue asa5505

you receive that deny even with "sysopt connection permit-vpn"?

Community Member

Re: RA VPN issue asa5505

unfortunately. i made sure of that. here is the config. do i need to create a route from 192.168.2.0 <> 192.168.1.0? thanks!!!

Green

Re: RA VPN issue asa5505

No, no need to add a route like that. In any case you will need the sysopt command, unless you want to write access-lists permitting all your vpn traffic. When you first added the sysopt command, it still would not have worked because of your vpn pool. Now that you've changed your pool, add the sysopt command.
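The three configuration problems raised in this thread (a VPN address pool that overlaps the inside subnet, a missing "sysopt connection permit-vpn" / "permit-ipsec", and a missing "global (outside) 1 ..." PAT statement) are easy to check mechanically before posting a config. The script below is an added example, not something from the thread or from Cisco: it lints an ASA 7.x-style running-config text for those three conditions. The sample config, its interface names, addresses and pool name are constructed assumptions; an administrator would feed it "show running-config" output instead.

```python
"""Lint an ASA 7.x-style running-config for the remote-access VPN problems
discussed in this thread: a VPN pool overlapping the inside subnet, no
'sysopt connection permit-vpn' (or permit-ipsec), and no 'global (outside) 1'.

SAMPLE_CONFIG is constructed for illustration (interface names, addresses
and the pool name are assumptions); it deliberately exhibits all three issues.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
ASA Version 7.2(2)
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
ip local pool vpnpool 192.168.1.200-192.168.1.220 mask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
crypto isakmp enable outside
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)")


def parse_interfaces(config):
    """Return {nameif: IPv4Network} for every interface block carrying an address."""
    nets = {}
    nameif = None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = None                      # new block, forget the old nameif
        elif line.startswith(" nameif "):
            nameif = line.split()[1]
        elif line.startswith(" ip address ") and nameif:
            _, _, addr, mask = line.split()[:4]
            nets[nameif] = ipaddress.IPv4Interface(f"{addr}/{mask}").network
    return nets


def parse_pools(config):
    """Return {pool_name: (first_address, last_address)} for each 'ip local pool'."""
    pools = {}
    for line in config.splitlines():
        m = POOL_RE.match(line)
        if m:
            pools[m.group(1)] = (ipaddress.IPv4Address(m.group(2)),
                                 ipaddress.IPv4Address(m.group(3)))
    return pools


def pool_overlaps(pool, network):
    """True if any address of the (first, last) pool range lies inside network."""
    first, last = pool
    return first <= network.broadcast_address and last >= network.network_address


def lint_config(config):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    lines = config.splitlines()
    inside = parse_interfaces(config).get("inside")
    for name, pool in parse_pools(config).items():
        if inside is not None and pool_overlaps(pool, inside):
            findings.append(f"pool {name} overlaps inside subnet {inside}")
    if not any(l.startswith("sysopt connection permit-vpn")
               or l.startswith("sysopt connection permit-ipsec") for l in lines):
        findings.append("no 'sysopt connection permit-vpn' (or permit-ipsec): "
                        "IKE on the outside interface is denied (106006)")
    if not any(l.startswith("global (outside) 1") for l in lines):
        findings.append("no 'global (outside) 1 ...' statement: inside hosts "
                        "have no translation for outbound traffic")
    return findings


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print("WARN:", finding)
```

Moving the pool to a distinct subnet (for example 192.168.2.0/24, as the thread ends up doing) and adding the two missing lines clears every finding; the overlap check is a plain range comparison so it also catches a pool that only partly straddles the inside network.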

Community Member

Re: RA VPN issue asa5505

5 Mar 18 2007 00:15:36 111008 User 'enable_15' executed the 'sysopt connection permit-vpn' command.

5 Mar 18 2007 00:15:59 111008 User 'enable_15' executed the 'sysopt connection permit-ipsec' command.

2 Mar 18 2007 00:15:01 106006 xxx.xxx.xxx.16 xxx.xxx.xxx.162 Deny inbound UDP from xxx.xxx.xxx.16/500 to xxx.xxx.xxx.162/500 on interface outside

if you wanted to email me. that email works. either way i appreciate your time and patience!
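The ASDM log lines pasted above carry everything needed to see whether IKE is still being dropped on the outside interface after the sysopt command was entered. The script below is an added example, not part of the thread: it parses ASDM-style ASA syslog lines (severity, timestamp, message ID, body), pulls the source/destination/port fields out of 106006 denies, and reports the ones that block IKE (UDP/500, and UDP/4500 for NAT traversal) on the outside interface, alongside the 111008 command-audit records. The sample log is constructed with documentation addresses and is not the poster's output.

```python
"""Parse ASDM-style ASA syslog lines and flag IKE denies on the outside interface.

SAMPLE_LOG is constructed for illustration with documentation addresses
(198.51.100.0/24, 203.0.113.0/24); it is not the thread's own log output.
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
2 Mar 18 2007 00:15:01 106006 198.51.100.16 203.0.113.162 Deny inbound UDP from 198.51.100.16/500 to 203.0.113.162/500 on interface outside
5 Mar 18 2007 00:15:36 111008 User 'enable_15' executed the 'sysopt connection permit-vpn' command.
2 Mar 18 2007 00:16:12 106006 198.51.100.16 203.0.113.162 Deny inbound UDP from 198.51.100.16/4500 to 203.0.113.162/4500 on interface outside
2 Mar 18 2007 00:16:40 106006 198.51.100.77 203.0.113.162 Deny inbound TCP from 198.51.100.77/4444 to 203.0.113.162/23 on interface outside
"""

# severity, "Mon DD YYYY HH:MM:SS", six-digit message ID, then the message body
LINE_RE = re.compile(
    r"^(?P<sev>\d)\s+(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<msgid>\d{6})\s+(?P<body>.*)$")
DENY_RE = re.compile(
    r"Deny inbound (?P<proto>[A-Z]+) from (?P<src>\S+)/(?P<sport>\d+) "
    r"to (?P<dst>\S+)/(?P<dport>\d+) on interface (?P<iface>\S+)")
CMD_RE = re.compile(r"User '(?P<user>[^']+)' executed the '(?P<cmd>[^']+)' command")

IKE_PORTS = {500, 4500}   # ISAKMP and NAT-T


def parse_line(line):
    """Return a dict for one ASDM log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "severity": int(m.group("sev")),
        "time": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
        "msgid": m.group("msgid"),
        "body": m.group("body"),
    }
    d = DENY_RE.search(rec["body"])
    if d:
        rec.update(proto=d.group("proto"), src=d.group("src"), sport=int(d.group("sport")),
                   dst=d.group("dst"), dport=int(d.group("dport")), iface=d.group("iface"))
    c = CMD_RE.search(rec["body"])
    if c:
        rec.update(user=c.group("user"), cmd=c.group("cmd"))
    return rec


def ike_denies(log_text, iface="outside"):
    """Return the 106006 records that drop IKE (UDP/500 or UDP/4500) on iface."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["msgid"] == "106006" and rec.get("proto") == "UDP"
                and rec.get("dport") in IKE_PORTS and rec.get("iface") == iface):
            hits.append(rec)
    return hits


def config_commands(log_text):
    """Return (user, command) pairs from 111008 command-audit records."""
    return [(r["user"], r["cmd"]) for r in map(parse_line, log_text.splitlines())
            if r and r["msgid"] == "111008" and "cmd" in r]


if __name__ == "__main__":
    for user, cmd in config_commands(SAMPLE_LOG):
        print(f"{user} ran: {cmd}")
    for rec in ike_denies(SAMPLE_LOG):
        print(f"{rec['time']} IKE denied: {rec['src']}:{rec['sport']} -> "
              f"{rec['dst']}:{rec['dport']} on {rec['iface']}")
```

Comparing the timestamps of the 111008 audit records with any later 106006 IKE denies is the quickest way to confirm, as the poster did, that the deny persists after the sysopt command was entered; a TCP deny to another port on the outside interface is ordinary noise and is left out of the IKE report.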

Cisco Employee

Re: RA VPN issue asa5505

Please try the following:

no crypto isakmp enable outside

crypto isakmp enable outside

cry isak iden add

HTH,

Please rate if it helps,

Regards,

Kamal

Community Member

Re: RA VPN issue asa5505

applied, still no go. in addition acomiskey suggested removing a line of my routing table which was good idea, but did not resolve. including new running config if anyone has any further thoughts. thanks Kamal and acomiskey. your thoughts and suggestions are very helpful. will rate. !att

Cisco Employee

Re: RA VPN issue asa5505

Do you have VPN clients connecting from inside to some server outside? In other words, do you have this ASA as an ipsec passthrough also?

if you have a spare public ip address, Try changing the PAT statement to

global (outside) 1

instead of using interface to pat the traffic. There's a known issue with interface PAT with VPN connections.

Let me know if it helps.

-Kanishka

Cisco Employee

Re: RA VPN issue asa5505

Also, what logs are you getting on the VPN client?

Community Member

Re: RA VPN issue asa5505

after my Nth config factory-restore and reconfig (with no changes) for no apparent reason the ipsec vpn started connecting. i have not as of yet compared the running config line by line, but will post if some difference is found. in addition now my ASDM interface status constantly blinks from "no ip address" to being down to n/a?. i know i did something to make that steady the last time. thanks again for all that attempted to ease my pain.
