VPN client with PUBLIC IP

baxta2712
Level 1

Hi, could anyone help me? There is a VPN client PC with a public IP address (without a NAT router). It can connect to the EZVPN server and receive routes, but traffic is not passing.


9 Replies

Jennifer Halim
Cisco Employee

Please share the configuration of the VPN server, and advise which group you are connecting with.

!
crypto isakmp client configuration group VPN1
 key XXXX
 pool LAN2
 acl SPLIT
 save-password
!
crypto ipsec transform-set evpnts esp-aes esp-md5-hmac
crypto ipsec transform-set sms esp-3des esp-sha-hmac
crypto ipsec transform-set SPD esp-aes 256 esp-sha-hmac
!
crypto dynamic-map emap 1
 set transform-set evpnts
 reverse-route
!
crypto map dynmap client authentication list userauth
crypto map dynmap isakmp authorization list groupauthor
crypto map dynmap client configuration address respond
crypto map dynmap 20 ipsec-isakmp
 set peer XXXXXX
 set transform-set sms
 match address SMS
crypto map dynmap 30 ipsec-isakmp
 set peer XXXXXX
 set security-association lifetime seconds 7200
 set transform-set SPD
 set pfs group5
 match address SPD
crypto map dynmap 65535 ipsec-isakmp dynamic emap
!
interface GigabitEthernet0/1.2145
 description ::XXXXX::
 encapsulation dot1Q 2145
 ip address XXXXXX
 ip access-group WAN_ACL in
 ip access-group PRIVATE out
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 crypto map dynmap
!

Keep in mind that a client behind NAT works just fine.

Any idea?

Yes.

Set Transport to TCP on the client side, with f.i. TCP port 10000, and make sure the VPN box can talk TCP over 10000 too.

If a client has a public IP, it will successfully set up a VPN, but cannot access anything over UDP with NAT-T.

If you set up transport over TCP, it will.

I have done this, but then the VPN client cannot even connect.

ip access-list extended WAN_ACL
    10 permit udp host X.X.X.X host X.X.X.X (287276145 matches)
    20 permit ip host X.X.X.X host X.X.X.X log (1392 matches)
    25 permit tcp any host X.X.X.X eq 3389 (713 matches)
    30 permit tcp host X.X.X.X eq 3389 host X.X.X.X eq 3389
    35 permit tcp any host X.X.X.X eq 10000 (16 matches)
    40 permit udp host X.X.X.X host X.X.X.X gt 5059 log
    50 permit udp host x.x.x.x host X.X. gt 5059 log
    60 deny udp any host X.X.X.X range 5060 5090 log (404 matches)
    70 permit tcp any eq 9000 host X.X.X.X eq 9000

Hi,

Did you configure EZVPN for TCP? Take a look at:

http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080b3ed2c.shtml

Plus, is there a firewall between the VPN box and the client? Make sure TCP 10000 is allowed between the client and the VPN box.
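The "is TCP 10000 allowed for the client?" check from the reply above, written out as an added example (not code from the thread or from Cisco). It parses entries in the shape of the posted WAN_ACL and reports, per client address, whether the ACL lets IKE (udp/500), NAT-T (udp/4500) and cTCP (tcp/10000) reach the router, using IOS first-match semantics with the implicit deny at the end. It assumes only the host/any address forms and eq/gt/range port qualifiers seen in the posted ACL, and the addresses 203.0.113.10 and 198.51.100.1 are constructed stand-ins for the X.X.X.X placeholders.

```python
import re
# Constructed sample shaped like the posted WAN_ACL, whose real addresses were X.X.X.X placeholders:
# 203.0.113.10 stands in for the client host listed in entry 10, 198.51.100.1 for the VPN router.
WAN_ACL = """\
ip access-list extended WAN_ACL
 10 permit udp host 203.0.113.10 host 198.51.100.1 (287276145 matches)
 35 permit tcp any host 198.51.100.1 eq 10000 (16 matches)
 60 deny udp any host 198.51.100.1 range 5060 5090 log (404 matches)
"""
ACE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(\w+)\s+(.*?)(?:\s+log)?(?:\s+\(\d+ matches\))?\s*$")
def _addr(t, i):
    if t[i] == "any":
        return (lambda ip: True), i + 1
    want = t[i + 1]  # otherwise 'host A.B.C.D', the only other address form in the posted ACL
    return (lambda ip: ip == want), i + 2

def _port(t, i):
    """Consume an optional eq/gt/range port qualifier; absent means any port."""
    op = t[i] if i < len(t) else None
    if op == "eq":
        n = int(t[i + 1]); return (lambda p: p == n), i + 2
    if op == "gt":
        n = int(t[i + 1]); return (lambda p: p > n), i + 2
    if op == "range":
        lo, hi = int(t[i + 1]), int(t[i + 2]); return (lambda p: lo <= p <= hi), i + 3
    return (lambda p: True), i
def parse_acl(text):
    """Parse 'show ip access-lists' output into (seq, action, proto, src, dst, dport) entries."""
    aces = []
    for m in filter(None, map(ACE.match, text.splitlines())):  # the header line does not match
        seq, action, proto, rest = m.groups()
        t = rest.split()
        src, i = _addr(t, 0)
        _, i = _port(t, i)  # source-port qualifier (as in entries 30 and 70): consumed, not checked
        dst, i = _addr(t, i)
        dport, _ = _port(t, i)
        aces.append((int(seq), action, proto, src, dst, dport))
    return aces

def acl_permits(aces, proto, src_ip, dst_ip, dst_port):
    """IOS semantics: the first matching entry decides, with an implicit deny at the end."""
    for _, action, p, src, dst, dport in aces:
        if p in (proto, "ip") and src(src_ip) and dst(dst_ip) and dport(dst_port):
            return action == "permit"
    return False

def check_client(acl_text, client_ip, server_ip="198.51.100.1"):
    """Which EZVPN transports WAN_ACL lets this client use: IKE and NAT-T over UDP, or cTCP on tcp/10000."""
    transports = {"ike udp/500": ("udp", 500), "nat-t udp/4500": ("udp", 4500), "ctcp tcp/10000": ("tcp", 10000)}
    aces = parse_acl(acl_text)
    return {n: acl_permits(aces, proto, client_ip, server_ip, port) for n, (proto, port) in transports.items()}
```

With this sample, the host named in entry 10 gets all three transports, while any other public-IP client is left with cTCP only, because entry 35 is the only permit that applies to "any" source.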

Do you know how to configure it with the CLI?

Hi,

I work with the ASA and I never worked with EZVPN.

But I looked it up and it's something like:

crypto ctcp port 10000

Good luck