IPSec VPN not working

Tim Hamblin
Level 1

Hi all,

We are setting up a new VPN from an ASA to a Cisco 2801 router (behind a third party's Checkpoint firewall). We seem to be almost there with the setup, but the tunnel is not working correctly. PREVIOUS CONTENT REMOVED

2 Replies

david.tran
Level 4

crypto isakmp key ########### address 212.24.93.25 no-xauth

access-list 121 permit udp any any eq 500
access-list 121 permit udp any any eq 4500
access-list 121 permit esp any any

If you don't want to use UDP 4500 (NAT-T), I suggest that you disable it on your router:

no crypto ipsec nat-transparency udp-encapsulation

This will disable NAT-T and force the router to use ESP.

Do you also allow UDP 500, UDP 4500 and ESP traffic across the Checkpoint firewall in both directions? Please provide "uname -a" and "fw ver" output from the Checkpoint firewall.
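To check what ACL 121 from the reply above actually admits before hanging it on the interface, here is an added example (not code from the thread or from Cisco): a small evaluator that applies the three permit lines with IOS first-match semantics and the implicit deny at the end, then runs a handful of constructed packets through it. The peer address is the one from the isakmp key line; the router's outside address and the LAN addresses are assumed values for illustration. Everything not IKE, NAT-T or ESP, such as AH (IP protocol 51) or ICMP from the peer, lands on the implicit deny. The last sample, cleartext LAN traffic, is included because older IOS releases re-evaluate decrypted packets against the inbound interface ACL; whether the 2801's release does so is not established in the thread and is worth verifying for your own code version.

```python
"""Added example: a minimal evaluator for the IOS extended ACL quoted in the reply.

IOS evaluates extended ACL entries top to bottom, first match wins, and a
packet that matches nothing hits the implicit "deny ip any any" at the end.
The ACL text is copied from the reply; the sample packets are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

ACL_121 = """
access-list 121 permit udp any any eq 500
access-list 121 permit udp any any eq 4500
access-list 121 permit esp any any
"""

# IP protocol numbers as IOS keywords; "ip" means any protocol.
PROTO_NUMBERS = {"ip": None, "udp": 17, "tcp": 6, "esp": 50, "ah": 51, "icmp": 1}


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str
    proto: Optional[int]          # None means "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None means any destination port


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # An IOS wildcard mask is the inverted netmask.
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = str(ipaddress.IPv4Address((~wildcard) & 0xFFFFFFFF))
    return ipaddress.ip_network((tok, netmask), strict=False), i + 2


def parse_acl(text, number):
    """Parse the lines of one numbered extended ACL into Entry objects, in order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", str(number)]:
            continue
        action, proto = tokens[2], PROTO_NUMBERS[tokens[3]]
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        entries.append(Entry(action, proto, src, dst, dport))
    return entries


def evaluate(entries, pkt):
    """Return (action, matching line number); (deny, None) is the implicit deny."""
    for n, e in enumerate(entries, 1):
        if e.proto is not None and e.proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in e.src:
            continue
        if ipaddress.ip_address(pkt.dst) not in e.dst:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, n
    return "deny", None


# Constructed samples. PEER is the address from the isakmp key line in the reply;
# the router's outside address and the LAN hosts are assumed (RFC 5737 / RFC 1918).
PEER = "212.24.93.25"
ROUTER_OUTSIDE = "198.51.100.1"

SAMPLES = {
    "IKE (udp/500)": Packet(PEER, ROUTER_OUTSIDE, 17, 500),
    "NAT-T (udp/4500)": Packet(PEER, ROUTER_OUTSIDE, 17, 4500),
    "ESP": Packet(PEER, ROUTER_OUTSIDE, 50),
    "AH": Packet(PEER, ROUTER_OUTSIDE, 51),
    "ICMP from peer": Packet(PEER, ROUTER_OUTSIDE, 1),
    "decrypted LAN traffic (tcp/445)": Packet("10.1.1.10", "10.2.2.20", 6, 445),
}


def audit(acl_text=ACL_121, number=121, samples=SAMPLES):
    """Map each sample name to the (action, line) the ACL produces for it."""
    entries = parse_acl(acl_text, number)
    return {name: evaluate(entries, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (action, line) in audit().items():
        where = f"line {line}" if line else "implicit deny"
        print(f"{name:34s} -> {action:6s} ({where})")
```

The parser also understands `host` and wildcard-mask addresses, so the same audit can be run over a longer production ACL; add the traffic you expect to cross the interface to SAMPLES and confirm each entry returns a permit before applying `ip access-group 121 in`.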

Hi,

Unfortunately I do not have any control over the Checkpoint firewall; all I know is that all ports are open for our ASA.

We have, however, managed to get a workaround for now by removing the "ip access-group 121 in" from the Fa0/0 interface!!

As far as I can see the ACL (121) is correct, so I do not understand why this has worked???
