We have a strange issue for one of our customers that recently migrated to our internet service.
They are trying to vpn to an external ip address not controlled by ourselves. The issue is only on one subnet and isolated to Mac’s, PCs in the same subnet also work fine. They were able to vpn from the MACs before they migrated to our INET solution. They previously used a checkpoint FW for their outside NAT and firewall and now are using a failover pair of asa 5510s. I have packet traced out the firewall and there should be nothing blocked. UDP ports 500 and 4500 are open to the destination ips from the correct subnets. All other subnets with Windows PCs can vpn out to external ip without issue. The users in that subnet with the MACs can also browse internet fine so the routing and nat overloading is also ok
When they try to initiate a connection from the macs i can see the connection/xlate coming in from a source port of udp 4500/500 and also a destination of udp 4500/500 instead of a random source port. Just this evening we managed to get one device connected but no others. Would the fact that the source port is claiming 500 and 4500 stop the other macs using the same source ports at the same time to connect out?
They are using the onboard mac vpn client, he can’t get the Cisco one working at the minute.
UDP OUTSIDE:external ip/4500 INSIDE:192.168.32.157/4500, mac connections
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationCo...
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :