Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
917
Views
5
Helpful
2
Replies

Cisco VPN client from behind ASA5520

victorrodrigues
Level 1
Level 1

‎08-08-2006 10:07 PM

Hi,

Ive setup my ASA with Nat to the external world. All services including SMTP and Web work just fine. I just have a problem with CISCO VPN clients connecting from my network. Internet services are provided by an ISA server which is inside the ASA.

I have some visiting consultants who wish to connect to their own corporate network and fail to do so unless I give them a public IP. Do I need a fixup? I tried the "sysopt connection permit-ipsec" command as opposed to an ACL , but i guess that is only for when setting up VPN on the ASA itself. I have enabled "Inspect PPTP" which is allowing my Windows VPN to work ( go through). Its just my Cisco VPN client that is getting blocked I believe.. probably cuz of L2TP... I dont believe there is an "Inspect L2TP" command. Kindly advise ...

Thanks guys

Victor

Labels:
0 Helpful
2 Replies 2

Fernando_Meza
Level 7
Level 7

‎08-09-2006 09:02 PM

Hi .. you can try allowing UDP port 4500 on your inside and outside access-lists i.e

access-list Inside_Out/Outside_IN permit udp any any eq 500

access-list Inside_Out/Outside_IN permit udp any any eq 4500

access-list Inside_Out/Outside_IN permit tcp any any eq 1000

access-group Inside_Out in interface inside

access-group Outside_IN in interface outside

Assuming the cisco vpn client is configured for NAT transparency ( enabled by default ) -> check from the connection properties->Transport .. then this should allow the IPsec to go through the ASA as UDP 4500 and do the PAT accordingly ..

I hope it helps .. please rate it if it does !!!

0 Helpful

tom.shiba
Level 1
Level 1

‎08-10-2006 11:25 PM

7.0.5 supports multiple ipsec passthrough.

Enhanced IPSEC Inspection

The ability to open specific pinholes for ESP flows based on existence of an IKE flow is provided by the enhanced IPSec inspect feature. This feature can be configured within the MPF infrastructure along with other inspects. The idle-timeout on the resulting ESP flows is statically set at 10 minutes. There is no maximum limit on number of ESP flows that can be allowed.

A new policy-map command inspect ipsec-pass-thru is added to enable this feature.

----------------------------------

Here is what i am using to allow raw ipsec and PPTP passthrough.

class-map inspection_default

match default-inspection-traffic

!

policy-map global_policy

class inspection_default

inspect pptp

inspect ipsec-pass-thru

!

service-policy global_policy global

Customers Also Viewed These Support Documents