10-14-2009 05:17 AM
Folks,
I'm trying to allow a VPN from a client on my internal network to an external server in a third party.
I have 2 rules allowing UDP from source to destination & destination to source.
I can see hits for UDP 500 & UDP 4500 on the internal list but nothing on the external ACL.
When I capture I can see traffic from the destination hitting the ASA external interface but there is nothing in the logs.
I've tried the sysopt connection permit-vpn command but still nothing, and I can't find a document on allowing a VPN through an ASA.
Can anyone help?
Thanks to anyone taking the time to read this,
greatly appreciated.
10-14-2009 05:59 AM
Do you have NAT-T configured on the ASA?
10-14-2009 10:51 AM
Hi,
Judging from the ports in use, the client is using NAT-T. As for seeing hits on the outside ACL, I wouldn't expect you would. The client's return traffic would be automatically allowed (that is the purpose of a stateful firewall). The only time you would need an entry in the ACL permitting outside inbound is if the outside initiates the traffic, which, seeing as it's a VPN client in use, it won't be :) Does that make sense?
If the VPN client is still not working it could be something else. Is it just a standard IPsec VPN? Are you able to obtain a packet capture on the client's laptop and post it?
Regards
Mike
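To make the stateful-firewall point above concrete, here is a small added example (not Cisco code and not part of the original thread) that models an inside ACL, an empty outside ACL, and a connection table. The addresses, interface names and ACL entries are constructed for illustration. It shows why the inside ACL records hits for UDP 500 and 4500 while the outside ACL records none, and why the concentrator's replies still get through: they match existing state rather than any outside rule, whereas an unsolicited inbound packet is denied.

```python
"""Toy stateful UDP firewall illustrating why return traffic for a NAT-T
IPsec client (UDP 500 / 4500) needs no outside-interface ACL entry.

Added example; it is not ASA code.  Interface names, addresses and the
ACL rules below are constructed for illustration only.
"""
from dataclasses import dataclass

IKE, NAT_T = 500, 4500


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ingress: str  # interface the packet arrives on: "inside" or "outside"


# Constructed ACLs: only the inside interface permits the client to start
# IKE / NAT-T towards the concentrator; the outside ACL has no entries.
ACLS = {
    "inside": [
        ("10.1.1.50", "203.0.113.10", IKE),
        ("10.1.1.50", "203.0.113.10", NAT_T),
    ],
    "outside": [],
}


class StatefulFirewall:
    def __init__(self, acls):
        self.acls = acls
        self.conns = set()                       # (src, sport, dst, dport) of permitted flows
        self.acl_hits = {name: 0 for name in acls}  # per-interface ACL hit counters
        self.log = []

    def _acl_permits(self, pkt):
        return any(pkt.src == s and pkt.dst == d and pkt.dport == p
                   for s, d, p in self.acls[pkt.ingress])

    def process(self, pkt):
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # 1. Reply to an existing flow: allowed by state, the ACL is never consulted,
        #    so no hit counter on the ingress interface increments.
        if reverse in self.conns:
            self.log.append(f"{pkt.ingress}: state match {flow}")
            return "permit-state"
        # 2. New flow: the ingress interface's ACL decides; a permit builds state.
        if self._acl_permits(pkt):
            self.conns.add(flow)
            self.acl_hits[pkt.ingress] += 1
            self.log.append(f"{pkt.ingress}: ACL permit {flow}")
            return "permit-acl"
        self.log.append(f"{pkt.ingress}: deny {flow}")
        return "deny"


def simulate_client_session():
    """Replay the exchange from the thread: IKE on 500, then NAT-T on 4500,
    then one unsolicited inbound packet aimed at a different inside host."""
    fw = StatefulFirewall(ACLS)
    client, vpn = "10.1.1.50", "203.0.113.10"
    results = [
        fw.process(Packet(client, IKE, vpn, IKE, "inside")),           # IKE out
        fw.process(Packet(vpn, IKE, client, IKE, "outside")),          # IKE reply
        fw.process(Packet(client, NAT_T, vpn, NAT_T, "inside")),       # NAT-T out
        fw.process(Packet(vpn, NAT_T, client, NAT_T, "outside")),      # ESP-in-UDP reply
        fw.process(Packet(vpn, NAT_T, "10.1.1.99", NAT_T, "outside")),  # unsolicited
    ]
    return results, fw.acl_hits


if __name__ == "__main__":
    verdicts, hits = simulate_client_session()
    for v in verdicts:
        print(v)
    print(hits)  # inside ACL counts 2 hits, outside ACL counts 0
```

Running it prints two ACL permits (the inside hits), two state matches (the outside replies that never touch the outside ACL), one deny, and hit counters of 2 for inside and 0 for outside, which is the same picture the original poster saw on the real ASA.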
10-14-2009 11:48 AM
Mike,
many thanks for your reply.
I've been reaching a similar conclusion in the past hour or so.
Unfortunately I can't get a capture on the client as it's locked down and I can't get admin rights.
As a test I've set up a VPN on my own laptop to the same destination IP with a dummy username and password.
I can actually see a return packet from the VPN concentrator, so it looks like traffic is making its way from host-concentrator-host.
The real host is behind another firewall, so tomorrow I'll put my laptop there and capture.
I've tested the real host from behind a broadband line and it works, so I'm wondering if NATs are an issue.
Grateful for your thoughts,
thanks.
10-14-2009 12:14 PM
No problem,
As mentioned, they seem to be communicating using NAT-T based on the port 4500, so they shouldn't have a problem communicating through NAT devices.
If you do not have any luck tomorrow and are able to get some logs from the client or a packet capture somewhere along the line (connect to a hub between the client and switchport and run Wireshark or similar??) then post them here and I shall take a look!
Best of luck
Mike
10-14-2009 12:20 PM
Mike,
will do.
Many thanks.