VPN on Cisco ASA doesnt work

amit
Level 1

Attached is the config for the Cisco ASA. The VPN doesn't work. Please let me know what's wrong with this one. Also, if anyone has a sample config, please send it over.

Thanks

Amit

Glad it all works fine, please be sure to rate this post


26 Replies

Ivan Martinon
Level 7

Amit,

Your config looks good. What is the error message you get on your client? Your outside shows a private IP address; are you using NAT in front? Have you opened the needed ports? Can you send the client log or the ASA debugs?

What ports are required to be opened up?

Port UDP 500, port UDP 4500 and protocol ESP need to be opened. Also, after adding these, go ahead and enable the next command: "crypto isakmp nat-t".

Do I create an access-list for 500 and 4500? What does the crypto isakmp command do?

Those ports need to be opened, yes, but not on the firewall that you have; rather, on the router in front that is providing NAT (if any). That command enables encryption over UDP 4500 to alleviate NAT environments.

Attached is the modified config.

Amit,

I saw you opened those ports on the ASA by adding an ACL. The ASA does not need to have these opened, since this guy will accept VPN client connections by enabling the following commands: "crypto isakmp enable outside" and "crypto map XXXX interface outside", which... now that I look again at your config, you don't have.

Please go ahead and add this line to your ASA:

crypto map outside_map interface outside

And try to connect again.
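The two conditions Ivan describes (a crypto map that is defined but never bound to the outside interface, and ISAKMP not enabled there), plus the earlier points about NAT-T and the ACLs that are not needed on the ASA itself, can be checked mechanically before a trip to the client site. The following Python lint is an added example, not code from the thread or from Cisco; `check_remote_access_vpn` is a hypothetical helper and `SAMPLE_CONFIG` is a constructed fragment modelled on the thread, not the poster's actual attachment.

```python
import re

# Constructed ASA config fragment modelled on the thread (not the poster's
# real attachment): crypto map entries exist but the map is never bound to
# the outside interface, ISAKMP is not enabled there, and an ACL "opens"
# UDP 500/4500 on the ASA itself, which the thread says is unnecessary.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif Outside
 security-level 0
access-list port500 extended permit udp interface Outside eq isakmp interface inside
access-list port4500 extended permit udp interface Outside eq 4500 interface inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
"""


def check_remote_access_vpn(config, outside="Outside"):
    """Return findings explaining why IPsec clients cannot even start
    negotiating with this ASA (hypothetical helper, not a Cisco tool)."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    # crypto map names that have at least one sequence entry
    defined = {m.group(1) for l in lines
               if (m := re.match(r"crypto map (\S+) \d+ ", l))}
    # crypto map names actually applied to the outside interface
    bound = {m.group(1) for l in lines
             if (m := re.match(r"crypto map (\S+) interface (\S+)$", l))
             and m.group(2).lower() == outside.lower()}
    if not defined:
        findings.append("no crypto map entries defined")
    for name in sorted(defined - bound):
        findings.append(f"crypto map {name} is defined but not applied: "
                        f"add 'crypto map {name} interface {outside}'")
    if not any(re.fullmatch(rf"crypto isakmp enable {outside}", l, re.I)
               for l in lines):
        findings.append(f"ISAKMP not enabled: add 'crypto isakmp enable {outside}'")
    # accept the abbreviated form used in the thread and the full keyword
    if not any(re.fullmatch(r"crypto isakmp nat-t(raversal)?( \d+)?", l)
               for l in lines):
        findings.append("NAT-T not enabled: add 'crypto isakmp nat-t' "
                        "for clients behind NAT")
    for l in lines:
        if l.startswith("access-list") and re.search(r"\beq (isakmp|500|4500)\b", l):
            findings.append("unneeded on the ASA (open UDP 500/4500 and ESP on "
                            f"the NAT router in front instead): {l}")
    return findings


if __name__ == "__main__":
    for finding in check_remote_access_vpn(SAMPLE_CONFIG):
        print("-", finding)
```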

Do I enter

crypto isakmp enable outside

crypto map outside_map interface outside

or just

crypto map outside_map interface outside

Enter both to be sure.

Do you think I need to make any more changes to the config? Could you please check the config again? The reason I ask is that I have to go to the client's site to do this, and if it doesn't work then I will have to wait again for your response and then go again.

Thanks for all your help.

Understood. You can go ahead and remove these:

access-list port500 extended permit udp interface Outside eq isakmp interface inside

access-list port4500 extended permit udp interface Outside eq 4500 interface inside

Add those commands that I mentioned to you, and please check the following line:

route Outside 0.0.0.0 0.0.0.0 10.1.10.1 1

This does not make sense with the addressing scheme on the outside interface; just let me know if this was edited for privacy reasons.

No, this is how it is. It wasn't edited for privacy reasons. But if I remove this route, I cannot get out to the Internet. This is the IP of the Comcast router.

Thanks

That's OK, I was just wondering why it was on a different subnet. Leave it and apply what I asked.

Do I need to have any access-list to allow the crypto map?
