03-22-2012 03:41 AM - edited 02-21-2020 05:58 PM
Hi all,
We are setting up a new VPN from an ASA to a cisco 2801 router (behind a third parties checkpoint firewall). We seem to be almost there with the setup but the tunnel is not working correctly. PREVIOUS CONTENT REMOVED
03-22-2012 06:26 AM
crypto isakmp key ########### address 212.24.93.25 no-xauth
access-list 121 permit udp any any eq 500
access-list 121 permit udp any any eq 4500
access-list 121 permit esp any any
If you don't want to use UDP 4500 (NAT-T), I suggest that you disable it on your router:
no crypto ipsec nat-transparency udp-encapsulation
This will disable NAT-T and force the router to use ESP.
Do you also allow UDP 500, UDP 4500 and ESP traffic across the CP firewall in both directions? Please provide the "uname -a" and "fw ver" output of the Checkpoint firewall.
03-22-2012 07:00 AM
Hi,
Unfortunately I do not have any control over the Checkpoint firewall, all I know is that all ports are open for our ASA.
We have, however, managed to get a workaround for now by removing the "ip access-group 121 in" from the Fa0/0 interface!!
As far as I can see the ACL (121) is correct, so I do not understand why this has worked???
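A quick way to answer "what does ACL 121 actually let in" before re-applying it inbound on Fa0/0 is to evaluate sample packets against its entries, including the implicit deny that ends every IOS ACL. The script below is an added example, not code from the thread or from Cisco; it models only the ACL syntax used above, and the outside address 192.0.2.10 is a placeholder.

```python
# Added example (not from the thread): a minimal evaluator for the subset of IOS
# extended-ACL syntax used in ACL 121 above: permit/deny, protocols ip/udp/tcp/esp/icmp,
# 'any' or 'host A.B.C.D' endpoints, optional 'eq PORT', plus the implicit deny.
from typing import List, Optional

IP_PROTO = {"ip": None, "udp": 17, "tcp": 6, "esp": 50, "icmp": 1}

def _endpoint(tokens: List[str]) -> Optional[str]:
    """Consume 'any' or 'host X'; None means match anything."""
    word = tokens.pop(0)
    if word == "any":
        return None
    if word == "host":
        return tokens.pop(0)
    raise ValueError(f"unsupported endpoint syntax: {word!r}")

def parse_ace(line: str) -> dict:
    """Parse one 'access-list N permit|deny PROTO SRC DST [eq PORT]' line."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]              # drop 'access-list 121'
    ace = {"text": line, "action": tokens.pop(0), "proto": IP_PROTO[tokens.pop(0)]}
    ace["src"] = _endpoint(tokens)
    ace["dst"] = _endpoint(tokens)
    ace["dport"] = int(tokens[1]) if tokens[:1] == ["eq"] else None
    return ace

def matches(ace: dict, pkt) -> bool:
    """pkt is (ip protocol number, src, dst, dst port or None)."""
    proto, src, dst, dport = pkt
    return all(ace[k] is None or ace[k] == v for k, v in
               (("proto", proto), ("src", src), ("dst", dst), ("dport", dport)))

def evaluate(acl: List[str], pkt) -> str:
    """Return the first matching ACE, or the implicit deny if none matches."""
    for ace in map(parse_ace, acl):
        if matches(ace, pkt):
            return f"{ace['action']}: {ace['text']}"
    return "deny: implicit deny ip any any"

# ACL 121 exactly as posted in the reply above.
ACL_121 = ["access-list 121 permit udp any any eq 500",
           "access-list 121 permit udp any any eq 4500",
           "access-list 121 permit esp any any"]

if __name__ == "__main__":   # constructed packets; 192.0.2.10 is a placeholder outside address
    peer, me = "212.24.93.25", "192.0.2.10"
    for pkt in [(17, peer, me, 500), (17, peer, me, 4500), (50, peer, me, None), (1, peer, me, None)]:
        print(pkt, "->", evaluate(ACL_121, pkt))
```

Only ISAKMP, NAT-T and ESP pass; anything else arriving inbound on Fa0/0 (the ICMP sample, for instance) hits the implicit deny, which is where to look when removing the access-group makes the tunnel work.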