Cisco Support Community
New Member

Allowing IPSec connection to another company from ASA

I have a vendor who needs access to his Cisco IPsec VPN. I have statically NAT'ed his internal IP, and allowed ip/ah/esp inbound and outbound, but he cannot establish a connection. Is this even allowed in the ASA?

Thanks

6 REPLIES
Green

Re: Allowing IPSec connection to another company from ASA

Sure it's allowed. Could you post some of the config?

Re: Allowing IPSec connection to another company from ASA

Also, you need ISAKMP to be allowed, or UDP 500.

Green

Re: Allowing IPSec connection to another company from ASA

Yes, but he's already allowed ip.

New Member

Re: Allowing IPSec connection to another company from ASA

This is the configuration I have added:

static (Internal,External) 207.67.84.121 10.0.24.19 netmask 255.255.255.255

access-list Internal extended permit ip host 10.0.24.19 host 137.69.115.15

access-list Internal extended permit ah host 10.0.24.19 host 137.69.115.15

access-list Internal extended permit esp host 10.0.24.19 host 137.69.115.15

access-list External extended permit ip host 137.69.115.15 host 207.67.84.121

access-list External extended permit ah host 137.69.115.15 host 207.67.84.121

access-list External extended permit esp host 137.69.115.15 host 207.67.84.121

Green

Re: Allowing IPSec connection to another company from ASA

That should work fine. Make sure he is translating to the correct address.

show xlate

Like the previous poster wrote, you could be more specific with your ACLs.

access-list Internal extended permit esp host 10.0.24.19 host 137.69.115.15

access-list Internal extended permit udp host 10.0.24.19 host 137.69.115.15 eq 500

access-list Internal extended permit udp host 10.0.24.19 host 137.69.115.15 eq 4500
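Added example, not part of the original thread: a small Python check that compares the two Internal rule sets posted above, reporting whether IKE (UDP 500), NAT-T (UDP 4500) and ESP are permitted for the host pair and which permits are broader than IPsec passthrough needs. The parser, function names and the "over-broad" criterion are assumptions of this example, and it only understands the `host A host B [eq PORT]` form with numeric ports as written in the thread.

```python
import re

# Flows an IPsec client behind NAT needs toward its gateway:
# IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50).
REQUIRED = {"ike": ("udp", 500), "nat-t": ("udp", 4500), "esp": ("esp", None)}

# Handles only the "host A host B [eq PORT]" form used in this thread.
ACE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+host\s+(?P<src>\S+)\s+host\s+(?P<dst>\S+)"
    r"(?:\s+eq\s+(?P<port>\d+))?\s*$")

def parse(lines):
    """Return one dict per recognised ACE, in configuration order."""
    entries = []
    for line in lines:
        m = ACE.match(line.strip())
        if m:
            e = m.groupdict()
            e["port"] = int(e["port"]) if e["port"] else None
            entries.append(e)
    return entries

def covers(ace, proto, port):
    """True if the ACE matches the given protocol and destination port."""
    if ace["proto"] == "ip":            # "ip" matches every IP protocol
        return True
    return ace["proto"] == proto and ace["port"] in (None, port)

def audit(lines, acl, src, dst):
    """First-match result per required flow, plus over-broad permits."""
    aces = [e for e in parse(lines)
            if (e["name"], e["src"], e["dst"]) == (acl, src, dst)]
    flows = {}
    for name, (proto, port) in REQUIRED.items():
        hit = next((e for e in aces if covers(e, proto, port)), None)
        flows[name] = bool(hit) and hit["action"] == "permit"
    broad = [e["proto"] for e in aces if e["action"] == "permit"
             and (e["proto"] == "ip" or (e["proto"] == "udp" and e["port"] is None))]
    return flows, broad

PAIR = "host 10.0.24.19 host 137.69.115.15"
# Rule sets as posted in the thread (Internal ACL only).
ORIGINAL = [f"access-list Internal extended permit {p} {PAIR}" for p in ("ip", "ah", "esp")]
SPECIFIC = [f"access-list Internal extended permit esp {PAIR}",
            f"access-list Internal extended permit udp {PAIR} eq 500",
            f"access-list Internal extended permit udp {PAIR} eq 4500"]

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("specific", SPECIFIC)):
        print(label, audit(rules, "Internal", "10.0.24.19", "137.69.115.15"))
```

Both rule sets permit all three flows; only the original one is flagged, because its `permit ip` entry also admits every other protocol between the two hosts.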

New Member

Re: Allowing IPSec connection to another company from ASA

It's xlate'd fine, but his client bounces through his primary and secondary VPN servers and doesn't contact any of them.
