Using ASDM DMI on a CISCO router to configure the firewall, do I need to create an allow rule for VPN?

chrisreed
Level 1

Or does configuring the VPN (Any Connect) mean clients automatically get through the router and do not need a specific rule to allow them?

Thanks!

4 Replies

There is no ASDM for Cisco Routers, but you could use Configuration Professional (Express) instead. 

On Routers you need to allow incoming VPN packets. That could be:

  • TCP/443 and UDP/443 for SSL/TLS based VPNs
  • IP/50, UDP/500 and UDP/4500 for IPsec based VPNs

Good point. That was a cavalier use of terms.

The device is actually a CISCO ASA 5505. I am quite new to this product and software, but I have managed to get into ASDM DMI and look around at things. Most things are default and inherited. The customer claims VPN worked, then they had someone change some firewall rules. They did not need VPN for a while after that and now VPN fails. I can use Anyconnect to get to the external IP of the firewall but then I get "File not found". But I am hoping the ASA will prompt a web based user to download the client. If I manually install the client and then try to connect it says User is not authorized. I have all the CFGs and would be really grateful for any help and advice. Not sure what is safe to post here or what is needed to diagnose. Still wondering if I need a special rule for VPN in firewall rules, or if VPN gets around firewall rules.

Thanks a lot!

Chris

Ok, with the ASA you don't need to allow the VPN traffic on the outside interface.

As you already saw, you need to install an AC image to the ASA. If your users get an authorization-error, first check if there is an IP-pool applied to your connection-profile.

And look at the logs of Anyconnect and the ASA what kind of error is displayed.
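As an added illustration (not configuration from this thread or from the poster's ASA), this is the shape of an ASA CLI configuration that has the pieces the reply above says to check: an AnyConnect image installed and enabled on the outside interface, and an address pool attached to the connection profile (tunnel-group). All names, the image filename and the 192.0.2.0/24 addresses are placeholders.

```cisco
! Placeholder AnyConnect package; the real filename depends on the client version uploaded to flash.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-VERSION-k9.pkg 1
 anyconnect enable

! Without a pool on the connection profile, clients authenticate but cannot be assigned an address.
ip local pool VPN_POOL 192.0.2.10-192.0.2.50 mask 255.255.255.0

group-policy GP_ANYCONNECT internal
group-policy GP_ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client

tunnel-group TG_ANYCONNECT type remote-access
tunnel-group TG_ANYCONNECT general-attributes
 address-pool VPN_POOL
 default-group-policy GP_ANYCONNECT
tunnel-group TG_ANYCONNECT webvpn-attributes
 group-alias ANYCONNECT enable

! Default ASA behaviour that answers the original question: decrypted VPN traffic bypasses
! the interface access-lists. If VPN users should be filtered by those ACLs, turn it off:
! no sysopt connection permit-vpn

! Useful checks after a failed connection attempt:
! show running-config tunnel-group TG_ANYCONNECT
! show webvpn anyconnect
! show vpn-sessiondb anyconnect
```

Note that with `sysopt connection permit-vpn` left at its default, changing the outside interface rules will not block or allow VPN clients; the group policy, DAP and any VPN filter decide what they can reach.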

Still learning this device and spent two hours last night. I will confirm that I have the IP-pool assigned next time I am in the server room. Thanks for that suggestion. I found the log entries for the failed attempts last night and they are saying not authorized. I tried updating the Dynamic Access Policy because that is the log line that things fail on. I edited that existing DAP and I created a new DAP and confirmed that the new DAP was used in the logs, but getting the same error. Client gets to enter username and password after selecting the Connection Profile from the AC drop down, but it comes back right away saying: User not authorized and to contact the administrator. The only thing it says in the ASDM log is that the user has the DAP applied and then it says remote connection terminated. Will capture the full section of the logs next time I am in the server room.

Thanks again!

Chris