I was wondering if someone could answer this question. Our vendor who installed our firewall and concentrator can't seem to get the concentrator to connect from the outside at all. He put the concentrator on the DMZ of the firewall. He also used the public and private interface and not the external. Should the concentrator be put on the internal side of the firewall?
One thing that I see is the PIX still has the crypto config on it with the crypto map applied. Kindly remove that config if you are trying to terminate the clients on the Concentrator now. Additionally, make sure that whatever IP addresses you assign the clients (let's say 10.17.123.x) on the CVPN3000, the inside machines will point to the inside of the CVPN3000 for that network rather than the PIX. Also, if you are using IPSec/NAT then open up UDP port 10,000 as well, as that's used for the IPSec/UDP port rather than the port 1000 open at this time.
If this doesn't work then go ahead and open up a TAC case with all the configs for them to troubleshoot by running debugs on the CVPN3000 and PIX.
can't authenticate? has the username/password prompt come up at all? anyway, i totally agree with the previous post to permit udp 10000. i would as well permit udp 4500. in case you're still not sure whether the access-list is blocking any related traffic, then do the following as a test:
access-l acl-out permit ip any host x.x.x.152
it sounds like your vendor hasn't got much experience with the concentrator. here is another piece of advice. you will need a router on your local lan that acts as the default gateway.
i believe the default route on the inside hosts is the pix inside interface, right? for example, if the remote client pool on the concentrator is 192.168.1.0, then you will have to put static routes on the router as below:
ip route 0.0.0.0 0.0.0.0
ip route 192.168.1.0 255.255.255.0
otherwise you won't be able to access anything as the pix hasn't got the route to 192.168.1.0.
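The access-list advice in the replies above (permit udp 10000 and udp 4500 toward the concentrator's public address, with a blanket `permit ip any host x.x.x.152` as the test) can be checked mechanically. This is an added example, not something posted in the thread: a small checker that parses PIX-style `access-list` lines and reports which of the IPsec client flows (IKE udp/500, NAT-T udp/4500, IPSec/UDP udp/10000, ESP) no permit entry covers. The ACL text and the 203.0.113.152 address are constructed sample input.

```python
import re

# Flows an IPsec remote-access client needs to the concentrator's public side.
# udp/10000 is the IPSec/UDP port named in the thread, udp/4500 is NAT-T,
# udp/500 is IKE, and ESP is IP protocol 50 (matched here by name).
REQUIRED_FLOWS = {
    "ike": ("udp", 500),
    "nat-t": ("udp", 4500),
    "ipsec/udp": ("udp", 10000),
    "esp": ("esp", None),
}

# Simplified PIX ACE grammar: action, protocol, source, destination, optional eq port.
ACE_RE = re.compile(
    r"^access-l(?:ist)?\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+)(?:\s+eq\s+(?P<port>\d+))?\s*$"
)

def parse_acl(text):
    """Return the parsed ACEs in the order they appear (order matters: first match wins)."""
    return [m.groupdict() for m in (ACE_RE.match(l.strip()) for l in text.splitlines()) if m]

def _dst_matches(ace, ip):
    return ace["dst"] == "any" or ace["dst"].split()[1] == ip

def _proto_matches(ace, proto, port):
    if ace["proto"] == "ip":          # 'permit ip' covers every protocol and port
        return True
    if ace["proto"] != proto:
        return False
    return ace["port"] is None or int(ace["port"]) == port

def missing_flows(acl_text, concentrator_ip):
    """Names of required flows that hit a deny or the implicit deny at the end of the ACL."""
    aces = parse_acl(acl_text)
    missing = []
    for name, (proto, port) in REQUIRED_FLOWS.items():
        verdict = "deny"              # PIX ACLs end in an implicit deny
        for ace in aces:
            if _dst_matches(ace, concentrator_ip) and _proto_matches(ace, proto, port):
                verdict = ace["action"]
                break
        if verdict != "permit":
            missing.append(name)
    return missing

# Constructed sample: the situation described in the thread, with port 1000 open instead of 10000.
SAMPLE_ACL = """
access-list acl-out permit udp any host 203.0.113.152 eq 500
access-list acl-out permit udp any host 203.0.113.152 eq 1000
access-list acl-out permit esp any host 203.0.113.152
"""

if __name__ == "__main__":
    print("missing:", missing_flows(SAMPLE_ACL, "203.0.113.152"))
```

Run against the sample it reports `nat-t` and `ipsec/udp` as missing; adding the thread's test line `access-l acl-out permit ip any host 203.0.113.152` clears the list.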