I have used a VPN3030 concentrator for 4 years in a classical way: 1 public interface (for LAN-to-LAN IPSec and remote-access (NAT-T) connections) and 1 private interface.
I need to connect to an external (not Internet) network and offer remote-access capabilities. Could I use the external interface of my VPN3030 for that purpose?
Thanks in advance
I got a question for you.
When you said you need to connect to an external network, what do you mean by that? A device which has a non-routable IP address on its external interface?
Rate it, if this helps.
The external network is a private WAN network used for the data exchange between branch and main offices.
This WAN uses RFC1918.
If the remote users/network can access the Concentrator, then yes, you should be able to give remote access to those users/network.
Rate this post, if it helps!
I'm sorry, but I've tried different configurations and it still does not work.
Actually, when I activate NAT-T, the VPN3030 log shows the addition of an implied filter using the physical public interface IP address, even though I tick the external interface to act as the public one.
Going back to your question - "I need to connect to an external (not internet) network and offer Remote-access capabilities"
I need some explanation in here.
What is the IP address of the concentrator - External IP address (public interface)?
When you said connect to an external network - What do you mean by that? L2L to a router from the concentrator or VPN client connections to the concentrator?
Can you ping the concentrator from the device which is trying to connect?
The public interface of the VPN 3030 is linked to the Internet to offer L2L and remote-access IPSec connections.
A corporate network exists and I would like to use the available VPN3030 external interface to offer the same services.
When the VPN client user tries to terminate an IPsec over TCP connection on the external interface of the VPN Concentrator, the Concentrator does not accept IPsec over TCP connections on this interface, regardless of whether it is allowed in a filter, and sends back a reset packet.
Try the VPN client connection with IPsec over User Datagram Protocol (UDP), which works on the external interface.
Let me know how it goes.
Sorry for the delay.
You're right: the VPN3030 can receive IPSec over UDP connections on the external interface simultaneously with an IPsec over TCP connection.
Thank you for your help.
Please confirm the following:
1. The External Interface is marked 'Public'.
2. It has the Public filter enabled.
3. Try to connect, and if it does not connect then do the following:
a. Go to Configuration -> System -> Events -> Classes and make sure that the following classes are enabled with severity 1-13:
IKE, IKEDBG, IPSEC, IPSECDBG
b. Go to Monitoring -> Filterable Event Logs and clear the logs.
c. Try to establish the tunnel and go back to Monitoring -> Filterable Event Logs. Obtain the logs and send them to us.
Please rate if it helps.
Now, it's a fact: IPsec over TCP can only be established on the one interface marked "public" on the VPN3xxx.
Then, I will investigate the ASA5xxx capabilities.
Thanks for your help.