I've set up my ASA with NAT to the external world. All services, including SMTP and web, work just fine. I just have a problem with Cisco VPN clients connecting from my network. Internet services are provided by an ISA server, which is inside the ASA.
I have some visiting consultants who wish to connect to their own corporate network and fail to do so unless I give them a public IP. Do I need a fixup? I tried the "sysopt connection permit-ipsec" command as opposed to an ACL, but I guess that is only for when setting up VPN on the ASA itself. I have enabled "Inspect PPTP", which is allowing my Windows VPN to work (go through). It's just my Cisco VPN client that is getting blocked, I believe... probably because of L2TP... I don't believe there is an "Inspect L2TP" command. Kindly advise...
Hi. You can try allowing UDP port 4500 on your inside and outside access lists, i.e.:
access-list Inside_Out remark IKE (UDP 500), NAT-T (UDP 4500) and Cisco VPN Client IPsec over TCP (default port TCP 10000)
access-list Inside_Out permit udp any any eq 500
access-list Inside_Out permit udp any any eq 4500
access-list Inside_Out permit tcp any any eq 10000
access-list Outside_IN remark Same IKE, NAT-T and IPsec-over-TCP ports on the outside interface
access-list Outside_IN permit udp any any eq 500
access-list Outside_IN permit udp any any eq 4500
access-list Outside_IN permit tcp any any eq 10000
access-group Inside_Out in interface inside
access-group Outside_IN in interface outside
Assuming the Cisco VPN client is configured for NAT transparency (enabled by default; check from the connection properties > Transport), this should allow the IPsec to go through the ASA as UDP 4500 and do the PAT accordingly.
The ability to open specific pinholes for ESP flows based on the existence of an IKE flow is provided by the enhanced IPsec inspect feature. This feature can be configured within the MPF infrastructure along with the other inspects. The idle timeout on the resulting ESP flows is statically set at 10 minutes. There is no maximum limit on the number of ESP flows that can be allowed.
A new policy-map command, inspect ipsec-pass-thru, is added to enable this feature.
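The two approaches in this thread, the NAT-T access-list entries from the answer above and the ipsec-pass-thru inspection from the ASA documentation quoted above, combined into one ASA configuration. This is an added example, not configuration posted by anyone in the thread: the policy-map name ipsec-pt-map, the per-client ESP/AH limits and the access-list name Inside_Out are assumptions, while inspection_default and global_policy are the ASA's factory-default MPF names.

```cisco
! Added example, not from the original thread. ipsec-pt-map, Inside_Out
! and the per-client limits are assumed names/values.
!
! 1. Clients that negotiate NAT-T send IKE on UDP 500 and ESP wrapped in
!    UDP 4500, both of which PAT can translate. The Cisco VPN Client's
!    "IPSec over TCP" transport defaults to TCP 10000.
access-list Inside_Out remark IKE, NAT-T and Cisco VPN Client IPsec over TCP from inside hosts
access-list Inside_Out extended permit udp any any eq 500
access-list Inside_Out extended permit udp any any eq 4500
access-list Inside_Out extended permit tcp any any eq 10000
access-group Inside_Out in interface inside
!
! 2. A peer that does not negotiate NAT-T sends raw ESP (IP protocol 50),
!    which has no ports and so cannot be PATed on its own. ipsec-pass-thru
!    inspection tracks the IKE flow on UDP 500 and opens a pinhole for the
!    ESP/AH flow that belongs to it (idle timeout 10 minutes).
policy-map type inspect ipsec-pass-thru ipsec-pt-map
 parameters
  esp per-client-max 10 timeout 0:10:00
  ah per-client-max 10 timeout 0:10:00
!
! 3. Attach it to the default global policy, next to the PPTP inspection
!    that opens the GRE pinhole the Windows VPN needs.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect pptp
  inspect ipsec-pass-thru ipsec-pt-map
service-policy global_policy global
```

To confirm the inspection is active, use "show service-policy inspect ipsec-pass-thru"; once a client has connected, "show conn" lists the pinholed ESP flow alongside its UDP 500 IKE connection. Leave the ACL entries in place even with the inspection configured: the inspection only opens the ESP pinhole, it does not permit the IKE flow that triggers it.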
Here is what I am using to allow raw IPsec and PPTP passthrough.