08-12-2008 07:01 AM - edited 02-21-2020 03:53 PM
I have a vendor who needs access to his Cisco IPsec VPN. I have statically NAT'ed his internal IP, and allowed IP/AH/ESP inbound and outbound, but he cannot establish a connection. Is this even allowed on the ASA?
Thanks
08-12-2008 07:04 AM
Sure it's allowed. Could you post some of the config?
08-12-2008 07:10 AM
Also, you need ISAKMP to be allowed, or UDP 500.
08-12-2008 07:12 AM
Yes, but he's already allowed IP.
08-12-2008 07:16 AM
This is the configuration I have added:
static (Internal,External) 207.67.84.121 10.0.24.19 netmask 255.255.255.255
access-list Internal extended permit ip host 10.0.24.19 host 137.69.115.15
access-list Internal extended permit ah host 10.0.24.19 host 137.69.115.15
access-list Internal extended permit esp host 10.0.24.19 host 137.69.115.15
access-list External extended permit ip host 137.69.115.15 host 207.67.84.121
access-list External extended permit ah host 137.69.115.15 host 207.67.84.121
access-list External extended permit esp host 137.69.115.15 host 207.67.84.121
08-12-2008 07:26 AM
That should work fine. Make sure he is translating to the correct address.
show xlate
Like the previous poster wrote, you could be more specific with your ACLs:
access-list Internal extended permit esp host 10.0.24.19 host 137.69.115.15
access-list Internal extended permit udp host 10.0.24.19 host 137.69.115.15 eq 500
access-list Internal extended permit udp host 10.0.24.19 host 137.69.115.15 eq 4500
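To make the point about which flows an IPsec client actually needs concrete, here is a small checker added to this thread (it is not from any of the posters and not Cisco tooling). It parses the simple `access-list NAME extended permit|deny PROTO host SRC host DST [eq PORT]` form posted above, applies ASA first-match semantics with an implicit deny, and reports which of IKE (UDP/500), NAT-T (UDP/4500), ESP and AH are not permitted between the two hosts. The `THREAD_CONFIG` list is the config from the thread; `NARROW_ACL` and `DENY_FIRST_ACL` are constructed inputs to show the two ways a narrower ACL silently breaks the tunnel.

```python
# Added example (not from the thread): check whether ASA ACL lines permit the
# flows an IPsec client needs between two hosts, honouring first-match order.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Flows a Cisco IPsec client needs through the firewall. A 'permit ip' ACE
# covers all of them; narrower ACEs must list each one. AH is only needed if
# the vendor's transform set actually uses it (most clients use ESP only).
IPSEC_FLOWS: List[Tuple[str, Optional[int]]] = [
    ("udp", 500),    # ISAKMP / IKE
    ("udp", 4500),   # NAT-T: UDP-encapsulated ESP, used because the client is NATed
    ("esp", None),   # IP protocol 50
    ("ah", None),    # IP protocol 51
]


@dataclass
class Ace:
    acl: str
    action: str            # "permit" or "deny"
    proto: str             # "ip", "udp", "esp", "ah", ...
    src: str
    dst: str
    port: Optional[int]    # destination port from 'eq N', None if absent


def parse_ace(line: str) -> Optional[Ace]:
    """Parse 'access-list NAME extended ACTION PROTO host SRC host DST [eq PORT]'.
    Lines in any other form (static, object-group, subnet ACEs) are skipped."""
    t = line.split()
    if len(t) < 9 or t[0] != "access-list" or t[2] != "extended":
        return None
    if t[5] != "host" or t[7] != "host":
        return None
    port = int(t[10]) if len(t) >= 11 and t[9] == "eq" else None
    return Ace(acl=t[1], action=t[3], proto=t[4].lower(), src=t[6], dst=t[8], port=port)


def ace_matches(ace: Ace, proto: str, port: Optional[int]) -> bool:
    """Does this ACE match a packet of the given protocol / destination port?"""
    if ace.proto != "ip" and ace.proto != proto:
        return False
    return ace.port is None or ace.port == port


def missing_flows(acl_lines, acl_name, src, dst):
    """Return the IPsec flows from src to dst that acl_name does not permit.
    ASA ACLs are evaluated first-match with an implicit deny at the end."""
    aces = [a for a in map(parse_ace, acl_lines)
            if a is not None and a.acl == acl_name and a.src == src and a.dst == dst]
    missing = []
    for proto, port in IPSEC_FLOWS:
        verdict = "deny"  # implicit deny if nothing matches
        for ace in aces:
            if ace_matches(ace, proto, port):
                verdict = ace.action
                break
        if verdict != "permit":
            missing.append((proto, port))
    return missing


# The lines posted in the thread (the static NAT line is ignored by the parser).
THREAD_CONFIG = [
    "static (Internal,External) 207.67.84.121 10.0.24.19 netmask 255.255.255.255",
    "access-list Internal extended permit ip host 10.0.24.19 host 137.69.115.15",
    "access-list Internal extended permit ah host 10.0.24.19 host 137.69.115.15",
    "access-list Internal extended permit esp host 10.0.24.19 host 137.69.115.15",
    "access-list External extended permit ip host 137.69.115.15 host 207.67.84.121",
    "access-list External extended permit ah host 137.69.115.15 host 207.67.84.121",
    "access-list External extended permit esp host 137.69.115.15 host 207.67.84.121",
]

# Constructed: only ESP and IKE allowed, so NAT-T (and AH) would be dropped.
NARROW_ACL = [
    "access-list Internal extended permit esp host 10.0.24.19 host 137.69.115.15",
    "access-list Internal extended permit udp host 10.0.24.19 host 137.69.115.15 eq 500",
]

# Constructed: a deny ahead of 'permit ip' still wins because of first-match order.
DENY_FIRST_ACL = [
    "access-list External extended deny udp host 137.69.115.15 host 207.67.84.121 eq 4500",
    "access-list External extended permit ip host 137.69.115.15 host 207.67.84.121",
]

if __name__ == "__main__":
    checks = [
        ("thread Internal", THREAD_CONFIG, "Internal", "10.0.24.19", "137.69.115.15"),
        ("thread External", THREAD_CONFIG, "External", "137.69.115.15", "207.67.84.121"),
        ("narrow Internal", NARROW_ACL, "Internal", "10.0.24.19", "137.69.115.15"),
        ("deny-first External", DENY_FIRST_ACL, "External", "137.69.115.15", "207.67.84.121"),
    ]
    for name, lines, acl, s, d in checks:
        print(name, "->", missing_flows(lines, acl, s, d) or "all IPsec flows permitted")
```

Run against the thread's own config it reports nothing missing in either direction, which is consistent with the replies above: the ACL is not the blocker, so the next things to look at are the translation (`show xlate`) and the far end. The narrow and deny-first cases show what a tighter ACL must still include for a client that sits behind NAT, in particular UDP/4500.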
08-12-2008 08:01 AM
It's xlate'd fine, but his client bounces through his primary and secondary vpn servers and doesn't contact any of them.