01-19-2009 05:00 AM - edited 02-21-2020 03:13 AM
Attached is the config for the Cisco ASA. The VPN doesn't work. Please let me know what's wrong with this one. Also, if anyone has a sample config, please send it over.
Thanks
Amit
01-21-2009 08:11 AM
Glad it all works fine, please be sure to rate this post
01-19-2009 10:06 AM
Amit,
Your config looks good. What is the error message you get on your client? Your outside shows a private IP address; are you using NAT in front? Have you opened the needed ports? Can you send the client log or the ASA debugs?
01-19-2009 10:09 AM
What ports are required to be opened up?
01-19-2009 10:13 AM
Port UDP 500, port UDP 4500 and protocol ESP need to be opened. Also, after adding these, go ahead and enable the next command: "crypto isakmp nat-t"
01-19-2009 10:22 AM
Do I create an access-list for 500 and 4500? What does the crypto isakmp do?
01-19-2009 10:25 AM
Those ports need to be opened, yes, but not on the firewall that you have; rather on the router that is in front providing NAT (if any). That command enables encryption over UDP 4500 to alleviate NAT environments.
01-19-2009 01:07 PM
01-19-2009 01:13 PM
Amit,
I saw you opened those ports on the ASA by adding an ACL. The ASA does not need to have this opened, since this guy will accept VPN client connections by enabling the following commands: "crypto isakmp enable outside" and "crypto map XXXX interface outside", which... now that I look again at your config, you don't have.
Please go ahead and add this line to your ASA:
crypto map outside_map interface outside
And try to connect again.
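As an added illustration (not part of the thread, and not the poster's config), a small Python check that scans an ASA-style configuration for the gap diagnosed above: crypto map entries that exist but are never bound to the outside interface, ISAKMP not enabled on that interface, and no NAT traversal line. It assumes ASA 8.0-era syntax, where NAT-T is `crypto isakmp nat-traversal`; the sample config and the interface name `Outside` are constructed.

```python
import re

# Constructed fragment of a pre-8.3 ASA config (not the poster's real config):
# an ISAKMP policy and a crypto map are defined, but the map is never applied
# to the Outside interface and ISAKMP is not enabled there.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif Outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""


def check_remote_access_vpn(config: str, outside: str = "Outside") -> list[str]:
    """Return the commands a remote-access IPsec VPN still needs (empty = ok)."""
    lines = [ln.strip() for ln in config.splitlines()]
    problems = []
    # Names of crypto maps that have at least one numbered entry.
    maps = {m.group(1) for ln in lines
            if (m := re.match(r"crypto map (\S+) \d+ ", ln))}
    if not maps:
        problems.append("no crypto map entries defined")
    # Maps already bound to the outside interface (nameif compared case-insensitively).
    bound = {m.group(1) for ln in lines
             if (m := re.match(r"crypto map (\S+) interface (\S+)", ln))
             and m.group(2).lower() == outside.lower()}
    for name in sorted(maps - bound):
        problems.append(f"crypto map {name} interface {outside}")
    # ISAKMP must be listening on the outside interface.
    if not any(re.fullmatch(rf"crypto isakmp enable {outside}", ln, re.I) for ln in lines):
        problems.append(f"crypto isakmp enable {outside}")
    # Clients behind a NAT device need UDP 4500 encapsulation enabled.
    if not any(ln.startswith("crypto isakmp nat-traversal") for ln in lines):
        problems.append("crypto isakmp nat-traversal (needed behind NAT)")
    return problems


if __name__ == "__main__":
    for item in check_remote_access_vpn(SAMPLE_CONFIG):
        print("missing:", item)
```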
01-19-2009 02:21 PM
Do I enter
crypto isakmp enable outside
crypto map outside_map interface outside
or just
crypto map outside_map interface outside
01-19-2009 03:02 PM
Enter both to be sure.
01-19-2009 03:40 PM
Do you think I need to make any more changes to the config? Could you please check the config again? The reason I am asking is that I have to go to the client site to do this, and if it doesn't work then I will have to wait again for your response and then go again.
Thanks for all your help.
01-19-2009 04:08 PM
Understood, you can go ahead and remove these:
access-list port500 extended permit udp interface Outside eq isakmp interface inside
access-list port4500 extended permit udp interface Outside eq 4500 interface inside
Add those commands that I mentioned to you, and please check the following line:
route Outside 0.0.0.0 0.0.0.0 10.1.10.1 1
This does not make sense to the addressing scheme on the outside interface, just let me know if this was edited for privacy matters.
01-19-2009 04:35 PM
No, this is how it is. It wasn't edited for privacy matters. But if I remove this route, I cannot get out to the internet. This is the IP of the Comcast router.
Thanks
01-19-2009 05:08 PM
That's ok, I was just wondering why it was on a different subnet. Leave it and apply what I asked.
01-20-2009 10:25 AM
Do I need to have any access-list for allowing the crypto map?