cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
683
Views
0
Helpful
3
Replies

ASA 5520 VPN to Outside Interface

ciscoisist
Level 1
Level 1

I'm unsure how to describe this one, but I'll definitely try.

I have a 5520 VPN that is otherwise correctly configured for access (so I would say).  It is in test (external IP x.x.x.10/22) running parallel on an external switch to a Check Point (x.x.x.4/22) that is the live setup.

I can tunnel consistently to the outside interface on its external IP from inside the network, which is probably natural since I'm inside the network making the attempt; however...

When attempting connection from somewhere outside the network, I generally do not get response from the device.  If I connect/disconnect from the Check Point VPN first, then I can subsequently get a connection to the ASA.  I did actually have one instance of non-massaged connectivity to the ASA, but there was nothing that I did in the configs that would allow me to claim credit for that instance.

So here's the question:  Is there a timeout setting that makes the outside interface go to sleep or something?  I'm still at the developmental stage where settings that would be obvious trip me up for hours.  I verified the routes.  the timeout configs are below; I believe they are all default..

Thanks in advance for all assistance.

arp timeout 14400

!

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00

3 Replies 3

Jennifer Halim
Cisco Employee
Cisco Employee

I am assuming that you are trying to connect on double VPN to both Check Point VPN and ASA VPN at the same time.

This is not a supported setup. You need to explicitly connect to Check Point VPN, or ASA VPN, not both at the same time.

BTW, which VPN have you configured on the ASA?

Thanks for responding, Jennifer.

I am actually attempting connection to either VPN one at a time.  This is the process that I am using.

1. Attempt connection to the Cisco VPN.  It will not make connection and eventually times out in attempt.

2. Connect to the Check Point VPN to verify connectivity at all.  I'll ssh to the ASA appliance while on the Check Point VPN to verify it is up.

3. Disconnect from the Check Point VPN.

4. Attempt connection to the Cisco VPN.  At this point, it will connect as if nothing was ever wrong.

The ASA is configured as a Remote Access VPN.

Thanks,

Shaun

A lot of the times, there might be conflict when you have 2 different vendors' VPN client installed on the same host.

What version of Check Point VPN client do you have, and what is the Cisco VPN Client version?