08-04-2022 03:12 AM
My apologies, but I am not well versed in Cisco configuration. I only know the basic stuff like checking config settings and other stuff.
I need help regarding our office firewall. Unfortunately, as per Cisco TAC, our device no longer has a support warranty.
Our issue is regarding the Easy VPN client. It used to work; however, our ISP changed their router since we have a new business package with them. The Internet is working, but our VPN connection is not. The tunnel is up, but there is no traffic, and I couldn't figure out how to solve the issue. I tried reading posts related to the issue, but nothing helps. I did not do any configuration on the ASA, and the only thing the ISP did was enable the DMZ from their side. Attached are the show tech and NAT details (if that helps) for anyone who can help me check and advise what I need to do. Again, I have little to no knowledge of Cisco, nor am I trained as a CCNA. I just learned the basics through reading the manuals.
Thank you in advance.
08-04-2022 03:18 AM
Can you draw the topology?
08-04-2022 03:29 AM
08-04-2022 05:28 AM
Check with your ISP - by default their router needs to allow certain incoming traffic to your ASA. For Easy VPN, those ports are as follows:
ISAKMP - UDP 500
ESP - Protocol 50
NAT-T - UDP 4500
IPSEC Over UDP - UDP 10000 (Default)
IPSEC Over TCP - TCP 10000 (Default)
08-04-2022 05:43 AM
Hi,
I did that part already, and even now the ISP has already enabled the DMZ from their router.
08-04-2022 06:01 AM
The ISP router's outside interface gets its IP dynamically via DHCP.
The EasyVPN client router needs a static peer IP to work; here the IP always changes.
How to check this point:
In the EasyVPN config, set the peer IP to the IP shown on the ISP router's outside (DHCP) interface and check.
NOTE: in the ISP router you need
NAT from the outside DHCP IP to the outside of the ASA FW
for 50, 500, 4500 UDP ports.
08-04-2022 06:19 AM
08-04-2022 06:23 AM
NO, static is OK.
Now, in the ISP router, can I see the NAT and ACL for IPsec?
08-04-2022 10:25 PM
Hi, not sure how to do that. Can I get it through a CLI command?
08-05-2022 03:41 AM
On the ISP router, have you configured NAT for 50, 500, 4500, and have you configured an ACL to accept the IPsec initiation traffic?
08-05-2022 04:04 AM
Yes, we did that too. Also, as of the moment, we have the DMZ enabled from the ISP to make everything open. Still we have the issue: there is a tunnel but no traffic.
08-05-2022 04:45 AM
OK, can you help me here:
share the router EasyVPN config,
share the ISP router config,
share the ASA config,
separately, one file for each device.
Note: hide the public IP in the config.
08-07-2022 11:26 PM
08-09-2022 05:07 AM - edited 08-09-2022 05:33 AM
THE ISP router must be checked. One router behind a NAT device (ISP):
the NAT device will NAT all IPsec & ISAKMP to its interface.
EasyVPN must be configured with "set peer" to the IP address of the ISP, not the IP address of the ASA.
The ISP must NAT both 4500 & 500.
The ISP must allow traffic for 4500 & 500, since the traffic ALWAYS initiates from EasyVPN, not from the ASA.
In your network there are three parts:
1- EasyVPN (is this a router or an ASA??) SHARE CONFIG
2- ISP router CHECK NOTE ABOVE
3- ASA (HQ FW) SHARE CONFIG
Am I right?