New Member

Remote access vpn ESP problem

I have a remote access VPN configured on a Cisco 2901 router. Everything works well except for an iPad 2 3G. When I connect with the iPad from a 3G network, it connects but is unable to access corporate resources. I talked to my telephone provider and they told me that they have some NAT problems with ESP, and advised me to force VPN clients to use UDP ports 500 and 4500. How do I have to configure my router to accomplish this?

Thanks in advance

Accepted Solutions

Hello,

ISAKMP uses port UDP 500 for the management connection establishment (Phase 1).

NAT-T (used when there are NAT devices in between two VPN endpoints) uses port UDP 4500.

So on your router NAT-T is configured by default. All you have to do, if you have an ACL on the outside interface, is allow this traffic (ISAKMP and NAT-T). On some of the newer IOS versions you do not have to apply the ACL, as by default the VPN traffic (encrypted traffic) bypasses the ACL.

So your requirement is done by default, great thing, right!! You can let your telephone provider know you are ready for the test.

Julio

Do rate all helpful posts!!

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
2 REPLIES

New Member

I added this command and everything works perfectly

crypto isakmp nat keepalive 20

Thanks for your reply
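
As an added example (not part of the thread and not Cisco code): a Python classifier that labels UDP payloads captured on the router's outside interface using the RFC 3948 NAT-T framing, to confirm that a client behind carrier NAT really sends its tunnel data over UDP 4500 and that keepalives such as those enabled by `crypto isakmp nat keepalive 20` arrive. The function names and the sample payloads are constructed for illustration.

```python
import struct
from collections import Counter

NON_ESP_MARKER = b"\x00" * 4   # RFC 3948: prefixes IKE messages on UDP 4500
NAT_KEEPALIVE = b"\xff"        # RFC 3948: one-octet NAT-keepalive payload
IKE_HEADER_LEN = 28            # fixed ISAKMP header length in bytes

def classify(dst_port, payload):
    """Label one UDP payload arriving at the VPN gateway's outside interface."""
    if dst_port == 500:
        return "ike" if len(payload) >= IKE_HEADER_LEN else "malformed"
    if dst_port != 4500:
        return "other"
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if payload[:4] == NON_ESP_MARKER:
        ok = len(payload) >= 4 + IKE_HEADER_LEN
        return "ike-natt" if ok else "malformed"
    if len(payload) < 8:
        return "malformed"
    return "esp-in-udp"        # non-zero SPI (4 bytes) + sequence number (4 bytes)

def diagnose(packets):
    """Summarise a capture given as (dst_port, payload) tuples."""
    seen = Counter(classify(port, data) for port, data in packets)
    if seen["esp-in-udp"]:
        verdict = "NAT-T active: tunnel data is carried in UDP 4500"
    elif seen["ike-natt"]:
        verdict = "IKE floated to UDP 4500 but no encapsulated ESP arrived"
    elif seen["ike"]:
        verdict = "IKE on UDP 500 only: data would need native ESP (IP protocol 50)"
    else:
        verdict = "no IKE or NAT-T traffic seen"
    return seen, verdict

# Constructed sample payloads (not captured from a real device).
IKE_MSG = (b"\x11" * 8 + bytes(8) + bytes([1, 0x10, 2, 0])
           + bytes(4) + struct.pack("!I", IKE_HEADER_LEN))
ESP_PKT = struct.pack("!II", 0xC0FFEE01, 1) + bytes(32)
SAMPLE = [(500, IKE_MSG), (4500, NON_ESP_MARKER + IKE_MSG),
          (4500, ESP_PKT), (4500, NAT_KEEPALIVE)]

if __name__ == "__main__":
    counts, verdict = diagnose(SAMPLE)
    print(dict(counts), verdict)
```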
