01-03-2006 10:14 AM
I am using an 831 as an EzVPN server. It tested OK in my office. But when it's running at a remote site, the VPN client cannot get any ISAKMP packet from the router and no connection can be made, while the site-to-site VPN is working fine on the same router. I think there must be something blocking the EzVPN ISAKMP packets. But the packets in EzVPN and site-to-site VPN should be the same. Why is one working and the other not?
Here I attached my router configuration and the 'deb cry isa' result. Please take a look. Thanks a lot.
01-03-2006 02:34 PM
Those two could be using different ports.
For site-to-site:
UDP 500
For remote/EzVPN:
UDP 4500
Just wondering if there is an inbound ACL blocking port 4500. Perhaps post the entire config with the public IP masked.
01-04-2006 06:47 AM
Thanks, Jack,
Your info is very important to me.
Do you know if there's any command to change the ISAKMP port to UDP 500 or another? I am sure there's no blocking on my VPN client side because I can make a connection to other VPN servers. On this VPN server side, the ISP is a cable company. Do you have any experience of an ISP blocking outbound UDP ports? What other reason do you think could be possible?
Thanks again.
01-04-2006 08:40 PM
According to the posted config, there is an inbound ACL named "access-list 111". It needs:
access-list 111 permit udp any any eq 4500
Further, I believe the ACL entry below is required as well:
access-list 111 permit ip 10.100.100.0 0.0.0.255 10.10.10.0 0.0.0.255
01-05-2006 06:12 AM
Thanks, Jack,
Thank you very much for the reminder.
But even when I took off the whole ACL on e1, it still didn't work. It really confused me. The VPN client keeps saying the peer is not responding, and in the log window no received message shows up.
01-05-2006 02:55 PM
CBAC (i.e. ip inspect) has been applied on the e1 interface, so even with the ACL removed, the router will not permit the packet.
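To put Jack's two replies together, here is what the outside-interface configuration looks like when the inbound ACL statically permits what a remote client initiates and CBAC is applied outbound. This is an added illustration written for this thread, not Henry's posted config and not Cisco documentation: the public address 203.0.113.10, the inspect rule name CBAC, the interface name Ethernet1, the crypto map name VPNMAP and the inspect protocol list are placeholders; ACL number 111 and the two subnets are taken from Jack's post (which subnet is the client pool and which the LAN is assumed). The IOS keywords isakmp and non500-isakmp are the named equivalents of UDP 500 and UDP 4500.

```text
! CBAC inspects sessions that inside hosts start and opens return holes for
! them. A VPN client connecting from the Internet starts the session itself,
! so its IKE and ESP packets are only ever matched against the static ACL.
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp
!
! Inbound ACL on the outside interface (203.0.113.10 is a placeholder).
! UDP 500: IKE phase 1, used by both the site-to-site peer and the EzVPN client.
access-list 111 permit udp any host 203.0.113.10 eq isakmp
! UDP 4500: IKE and UDP-encapsulated ESP once NAT-T has been negotiated,
! which is the normal case for a remote client behind a home NAT.
access-list 111 permit udp any host 203.0.113.10 eq non500-isakmp
! Plain ESP for peers with no NAT in the path (the site-to-site tunnel).
access-list 111 permit esp any host 203.0.113.10
! Jack's second line: the client pool to the LAN, because this IOS release
! re-checks decrypted tunnel traffic against the inbound ACL.
access-list 111 permit ip 10.100.100.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 111 deny ip any any log
!
interface Ethernet1
 ip address 203.0.113.10 255.255.255.0
 ip access-group 111 in
 ip inspect CBAC out
 crypto map VPNMAP
```

With that in place, the quickest checks are "show access-lists 111" (the per-line hit counts show whether the client's UDP 500/4500 packets are reaching the interface and which line they match), "show ip inspect sessions" (what CBAC has opened, which should never include the client's inbound IKE), and "show crypto isakmp sa" alongside "debug crypto isakmp" to see whether phase 1 gets past the first exchange. If the 4500 line never increments while the client retries, the packets are being dropped upstream of the router rather than by it.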
01-06-2006 06:33 AM
Thanks, Jack,
You are right. I had tried to remove the ACL and ip inspect before, but it didn't work, so I neglected this possibility. Do you know how to flush CBAC without rebooting? I don't have the opportunity to try it now. I will let you know the result.
Thanks a lot.
01-10-2006 09:42 AM
Hi, Jack,
The problem is solved.
Thanks,
Henry
01-12-2006 04:09 AM
It's good to learn that your issue has been resolved. Would you mind sharing the resolution?
according to cisco: