Allowing IPSec connection to another company from ASA

jgorman1977
Level 1

I have a vendor who needs access to his Cisco IPsec VPN. I have statically NAT'ed his internal IP, and allowed ip/ah/esp inbound and outbound, but he cannot establish a connection. Is this even allowed in the ASA?

Thanks

6 Replies

acomiskey
Level 10

Sure it's allowed. Could you post some of the config?

Marwan ALshawi
VIP Alumni

Also, you need ISAKMP to be allowed, or udp 500.

Yes, but he's already allowed ip.

This is the configuration I have added:

static (Internal,External) 207.67.84.121 10.0.24.19 netmask 255.255.255.255
access-list Internal extended permit ip host 10.0.24.19 host 137.69.115.15
access-list Internal extended permit ah host 10.0.24.19 host 137.69.115.15
access-list Internal extended permit esp host 10.0.24.19 host 137.69.115.15
access-list External extended permit ip host 137.69.115.15 host 207.67.84.121
access-list External extended permit ah host 137.69.115.15 host 207.67.84.121
access-list External extended permit esp host 137.69.115.15 host 207.67.84.121

That should work fine. Make sure he is translating to the correct address.

show xlate

Like the previous poster wrote, you could be more specific with your ACLs.

access-list Internal extended permit esp host 10.0.24.19 host 137.69.115.15
access-list Internal extended permit udp host 10.0.24.19 host 137.69.115.15 eq 500
access-list Internal extended permit udp host 10.0.24.19 host 137.69.115.15 eq 4500
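The replies above boil down to a checklist: for an IPsec client behind a static NAT to pass through the ASA, each interface ACL has to permit IKE (UDP/500), ESP, and NAT-Traversal (UDP/4500) between the right pair of addresses, and the outside ACL has to name the translated (global) address, not the inside one. The following script is an added example, not code from this thread or from Cisco; it parses pre-8.3 style `static` and host-to-host `access-list ... extended` lines (the only forms it understands, numeric `eq` ports only, which is an assumption of the example) and reports which of those required flows a given ACL fails to permit. The sample config is constructed from the lines posted in this thread plus one deliberately incomplete ACL named `Partial` for the negative case.

```python
import re

# Constructed sample: the static NAT and ACL lines posted in this thread,
# plus a deliberately incomplete ACL ("Partial") that only allows esp/ah.
SAMPLE_CONFIG = """
static (Internal,External) 207.67.84.121 10.0.24.19 netmask 255.255.255.255
access-list Internal extended permit esp host 10.0.24.19 host 137.69.115.15
access-list Internal extended permit udp host 10.0.24.19 host 137.69.115.15 eq 500
access-list Internal extended permit udp host 10.0.24.19 host 137.69.115.15 eq 4500
access-list External extended permit ip host 137.69.115.15 host 207.67.84.121
access-list Partial extended permit esp host 10.0.24.19 host 137.69.115.15
access-list Partial extended permit ah host 10.0.24.19 host 137.69.115.15
"""

# Host-to-host extended ACE with an optional numeric "eq <port>" (assumption:
# named ports such as "eq isakmp" and network/any objects are not handled).
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+host\s+(?P<src>\S+)\s+host\s+(?P<dst>\S+)"
    r"(?:\s+eq\s+(?P<port>\d+))?\s*$"
)
# Pre-8.3 "static (inside,outside) <global> <local> netmask <mask>" form.
STATIC_RE = re.compile(
    r"^static\s+\((?P<inside>[^,]+),(?P<outside>[^)]+)\)\s+"
    r"(?P<global>\S+)\s+(?P<local>\S+)\s+netmask\s+\S+\s*$"
)

# Flows an IPsec client needs: IKE/ISAKMP on UDP/500, ESP, and UDP/4500 for
# NAT-Traversal, which applies here because the inside host is NAT'ed.
# AH is not required: it authenticates the IP header, so it cannot pass NAT.
REQUIRED = (("udp", 500), ("esp", None), ("udp", 4500))


def parse_acl(line):
    """Return a dict for a host-to-host extended ACE, or None for other lines."""
    m = ACL_RE.match(line.strip())
    if not m:
        return None
    ace = m.groupdict()
    ace["port"] = int(ace["port"]) if ace["port"] else None
    return ace


def parse_static(line):
    """Return (global_ip, local_ip) for a 'static' NAT line, else None."""
    m = STATIC_RE.match(line.strip())
    return (m.group("global"), m.group("local")) if m else None


def permits(entries, src, dst, proto, port):
    """True if the first ACE matching src->dst proto/port is a permit.
    The ASA evaluates ACEs top-down and stops at the first match, so an
    earlier deny wins over a later permit."""
    for e in entries:
        if e["src"] != src or e["dst"] != dst:
            continue
        proto_match = e["proto"] == "ip" or e["proto"] == proto
        port_match = e["proto"] == "ip" or e["port"] is None or e["port"] == port
        if proto_match and port_match:
            return e["action"] == "permit"
    return False


def missing_for_ipsec(config, acl_name, src, dst):
    """List the (proto, port) pairs from REQUIRED that acl_name does not permit
    for one direction of traffic (src -> dst); call once per interface ACL."""
    entries = [e for e in map(parse_acl, config.splitlines())
               if e and e["name"] == acl_name]
    return [(p, port) for p, port in REQUIRED
            if not permits(entries, src, dst, p, port)]


def outside_acl_uses_nat_address(config, inside_host, outside_acl, peer):
    """Check that the outside ACL permits the IPsec flows from the peer to the
    translated (global) address of inside_host: with a static NAT the peer
    never sees the private address, so an ACL written against it never matches."""
    global_for = {local: glob for glob, local in
                  filter(None, map(parse_static, config.splitlines()))}
    glob = global_for.get(inside_host)
    if glob is None:
        return False
    return not missing_for_ipsec(config, outside_acl, peer, glob)


if __name__ == "__main__":
    print(missing_for_ipsec(SAMPLE_CONFIG, "Internal", "10.0.24.19", "137.69.115.15"))  # []
    print(missing_for_ipsec(SAMPLE_CONFIG, "Partial", "10.0.24.19", "137.69.115.15"))   # [('udp', 500), ('udp', 4500)]
    print(outside_acl_uses_nat_address(SAMPLE_CONFIG, "10.0.24.19", "External", "137.69.115.15"))  # True
```

Run it against a `show running-config` saved to a file by passing the file contents as `config`; an empty list means the ACL already covers every flow the client needs, and a non-empty one names exactly the ACEs to add. The check is intentionally one-directional, because the ASA applies each ACL inbound on its own interface, so the Internal and External ACLs are validated separately with the source and destination swapped.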

It's xlate'd fine, but his client bounces through his primary and secondary vpn servers and doesn't contact any of them.
