please excuse me while i get my head around this thing.
policy problem. very simple setup.
getting: 2 Mar 16 2007 14:51:24 106006 xx.202.120.109 xx.129.14.162 Deny inbound UDP from xx.xx.120.109/500 to xx.xx.14.162/500 on interface outside
no web or hardclient. just static routing table and ravpn.
thanks for input. i have been at this for a VERY long time.
unfortunately i get "invalid input detected at marker"
do i need to ssh in to use this command? currently telnet.
no telnet is fine, are you having trouble with your vpn?
pix(config)#sysopt connection permit-ipsec
depending on your code version the command may be sysopt connection permit-vpn
first thanks so much for the help!
looking forward to initiating the command when arrive at the office.
yes, the asdm log is telling me that the outside connection is being blocked (ike port 500). i have run through the setup too many times to count.
code version. 7.2 maybe. or asdm version?5 it is a new unit out of the box. very happy with the unit, if i could only get the remote access vpn to work. i feel like a real idiot considering there is even a wizard in the gui. took me quite a while to make the routing table for the static ip, but that seems to be working. i don't think this could be a problem . what do you think? problem with the security policy? have tried to0ns of different rules to allow/direct. will be in within the hour. thanks again!!!
First of all, you do not want your vpn client dhcp pool to be the same subnet as your inside. Change the pool to something different. Then you will also have to change any reference to that pool in the rest of your config, nat 0 access-list etc. Start with that and we'll go from there. I didnt see the sysopt command in your config. Without that, udp 500 will be denied on the outside interface, unless you specifically permit it, which you havent.
ok. breathing again. that nat change got me running. big thanks. however i am still getting blocked on the isakmp. "deny inbound udp from xxx./500 to xxx./500 on interface outside" REALLY appreciate it!
No, no need to add a route like that. In any case you will need the sysopt command, unless you want to write access-lists permitting all your vpn traffic. When you first added the sysopt command, it still would not have worked becuase of your vpn pool. Now that you've changed your pool, add the sysopt command.
5 Mar 18 2007 00:15:36 111008 User 'enable_15' executed the 'sysopt connection permit-vpn' command.
5 Mar 18 2007 00:15:59 111008 User 'enable_15' executed the 'sysopt connection permit-ipsec' command.
2 Mar 18 2007 00:15:01 106006 xxx.xxx.xxx.16 xxx.xxx.xxx.162 Deny inbound UDP from xxx.xxx.xxx.16/500 to xxx.xxx.xxx.162/500 on interface outside
if you wanted to email me. that email works. either way i appreciate your time and patience!
Please try the following:
no crypto isakmp enable outside
crypto isakmp enable outside
cry isak iden add
Please rate if it helps,
applied, still no go. in addition acomiskey suggested removing a line of my routing table which was good idea, but did not resolve. including new running config if anyone has any further thoughts. thanks Kamal and acomiskey. your thoughts and suggestions are very helpful. will rate. !att
Do you have VPN clients connecting from inside to some server outside ? In other words, do you have this ASA as an ipsec passthrough also ?
if you have a spare public ip address, Try changing the PAT statement to
global (outside) 1
instead of using interface to pat the traffic. There's a known issue with interface PAT with VPN connections.
Let me know if it helps.
after my Nth config factory-restore and reconfig (with no changes) for no apparent reason the ipsec vpn started connecting. i have not as of yet compared the running config line by line, but will post if some difference is found. in addition now my ASDM interface status constantly blinks from "no ip address" to being down to n/a?. i know i did something to make that steady the last time. thanks again for all that attempted to ease my pain.