Cisco Support Community
Community Member

VPN Out Cisco 850 Router

Since installing my Cisco 850 Router and setting up the firewall I can not seem to VPN out from a client. Any suggestions?

Thanks,

Greg

11 REPLIES
Cisco Employee

Re: VPN Out Cisco 850 Router

Hi Greg,

You can check your firewall rule first; make sure it allows ISAKMP and ESP traffic.

HTH,

Lei Tian

Community Member

Re: VPN Out Cisco 850 Router

From looking at the config file, it appears that it is not. Shamefully I'm not sure how to enable it... Advise?

VIP Super Bronze

Re: VPN Out Cisco 850 Router

Hi Greg,

Here is a document showing how to enable it on the ASA firewall using ASDM:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008045a2d2.shtml

HTH

Reza

Cisco Employee

Re: VPN Out Cisco 850 Router

The VPN server should have NAT-T enabled so it can detect that the VPN Client is behind a NAT/PAT device and therefore use UDP-encapsulated ESP packets for the VPN.

Community Member

Re: VPN Out Cisco 850 Router

I don't get a say in how they have their router configured, so I am going to have to make the changes on my end. I enabled the two services on my returning traffic, access list 106, as you can see from the attached configuration log, and am still unable to VPN to the host from a client PC. Thanks for your help with this one so far.

Cisco Employee

Re: VPN Out Cisco 850 Router

So you only have control of your 850 Router.

Can you remove the ACL and firewall rules configuration for now and check if the VPN client works?

Community Member

Re: VPN Out Cisco 850 Router

Works great with firewall disabled.

Cisco Employee

Re: VPN Out Cisco 850 Router

Ok, so NAT is not an issue here.

When you say disable firewall, you mean remove "ip access-group 106 in" and "ip inspect SDM_HIGH out"?

I think your ACL 106 is causing the problem. When you start the VPN client, did you see any ACL log on the router?

Cisco Employee

Re: VPN Out Cisco 850 Router

Try to add the following access-list:

ip access-list extended 106
     1 permit udp any any eq 500
     2 permit udp any any eq 4500
     3 permit esp any any

Community Member

Re: VPN Out Cisco 850 Router

When I say I disabled the firewall, I mean I deleted all rules. I added those UDP and ESP rules as suggested, with no change. I included the config files for your browsing pleasure in case I have again missed something. Also, as a side question, have you seen this router do poorly at distributing bandwidth? If I have one computer download at 2500kbps, the other computer can't seem to get more than 35kbps.

Cisco Employee

Re: VPN Out Cisco 850 Router

OK, seems like you have changed your access-list as per your last config :-)

Now, access-list 107 is applied to the outside interface.

Please add the following:

ip access-list extended 107
     1 permit udp any any eq 500
     2 permit udp any any eq 4500
     3 permit esp any any

BTW, what VPN client are you using? And do you know what ports they use?
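
Added example (not part of the thread, and not Cisco code): a small first-match evaluator for extended ACL entries in "show ip access-lists" form, showing why the three permits are given sequence numbers 1 to 3 so that they sit ahead of an existing deny. The sample ACL, the addresses, and the function names are constructed for illustration, and the flows assume PAT left ports 500 and 4500 unchanged.

```python
import ipaddress
import re
# One entry as printed by "show ip access-lists": seq, action, proto, src, dst.
ENTRY = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host \S+|\S+ \S+)(?:\s+eq (?P<sport>\d+))?\s+"
    r"(?P<dst>any|host \S+|\S+ \S+)(?:\s+eq (?P<dport>\d+))?")

def addr_match(spec, ip):
    """Match an address against 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec.split()[1] == ip
    base, wild = (int(ipaddress.IPv4Address(p)) for p in spec.split())
    return (int(ipaddress.IPv4Address(ip)) | wild) == (base | wild)

def verdict(acl_text, proto, src, sport, dst, dport):
    """First match in sequence order wins; no match is the implicit deny."""
    found = [m.groupdict() for m in map(ENTRY.match, acl_text.splitlines()) if m]
    for e in sorted(found, key=lambda e: int(e["seq"])):
        ports_ok = (not e["sport"] or int(e["sport"]) == sport) and \
                   (not e["dport"] or int(e["dport"]) == dport)
        if (e["proto"] in ("ip", proto) and ports_ok
                and addr_match(e["src"], src) and addr_match(e["dst"], dst)):
            return e["action"], int(e["seq"])
    return "deny", None

# Constructed sample: a restrictive inbound ACL on the outside interface.
BEFORE = """\
    10 permit udp host 203.0.113.53 eq 53 any
    20 deny ip 10.0.0.0 0.255.255.255 any
    30 deny ip any any log
"""
# The three entries suggested in the thread, at sequence numbers 1 to 3.
AFTER = BEFORE + """\
    1 permit udp any any eq 500
    2 permit udp any any eq 4500
    3 permit esp any any
"""
SERVER, ROUTER = "203.0.113.10", "198.51.100.2"  # constructed addresses
# Return traffic from the VPN server; assumes PAT kept ports 500 and 4500.
FLOWS = {"ISAKMP": ("udp", SERVER, 500, ROUTER, 500),
         "NAT-T": ("udp", SERVER, 4500, ROUTER, 4500),
         "ESP": ("esp", SERVER, None, ROUTER, None)}

def audit(acl_text):
    """Map each IPsec flow to the (action, sequence number) that decides it."""
    return {name: verdict(acl_text, *flow) for name, flow in FLOWS.items()}
```

Calling audit(BEFORE) reports all three flows denied by entry 30, while audit(AFTER) reports them permitted by entries 1, 2 and 3; a permit appended after entry 30 would never be reached.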
