
Internal User (Wants to VPN to another networ) -- ASA ---


maynarja

MIS
Jan 24, 2007
CA
User ----> ASA -----Internet----HomeVPN Appliance

User wants to VPN from the internal network through the ASA and connect to an external VPN.

User cannot establish the VPN connection

ASA
Added - inspect ipsec-pass-thru

Still no success
 
A Nortel device.

Note this is NOT a site-to-site VPN; this is an individual user that wants to VPN into the Head Office, and they are using an ASA at their home.


 
I am confused who has what device. However, for a VPN to an ASA you have to have UDP 500 and protocol 50 and perhaps 51, and depending on configuration you may need UDP 4500.
 
Nortel VPN Device is at HQ
ASA is at the users home

User wants to create a VPN tunnel but the ASA is causing connection issues.

I thought stateful inspection of ipsec-passthru would create the pinholes.


Here is the config at this point:

access-list ipsecacl extended permit udp any any eq isakmp

class-map UDP-ISAKMP
 description UDP 500
 match access-list ipsecacl
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect ipsec-pass-thru VPN
 parameters
  esp per-client-max 10
  ah per-client-max 10
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
 class UDP-ISAKMP
  inspect ipsec-pass-thru VPN
!
 
I have no experience with a Nortel VPN client, however a Cisco VPN client works flawlessly from behind a base configured ASA.
 
Well, are the settings that you see on the ASA correct for IPsec?
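
The config posted above, checked against the items listed in the earlier reply (UDP 500, ESP, AH, UDP 4500), as an added example that is not part of the original thread. The function name `audit_ipsec_passthru` and the result keys are hypothetical, and the sample is a constructed excerpt of the posted config.

```python
import re

# Constructed sample: the ipsec-related lines of the config posted in the thread.
SAMPLE_CONFIG = """\
access-list ipsecacl extended permit udp any any eq isakmp
class-map UDP-ISAKMP
 match access-list ipsecacl
policy-map type inspect ipsec-pass-thru VPN
 parameters
  esp per-client-max 10
  ah per-client-max 10
policy-map global_policy
 class inspection_default
  inspect pptp
 class UDP-ISAKMP
  inspect ipsec-pass-thru VPN
"""

def audit_ipsec_passthru(config):
    """Trace each 'inspect ipsec-pass-thru' back to its class-map and ACL.

    Text-level audit only: it does not model security levels, NAT or
    interface ACLs, so a False here is a prompt to look, not a verdict.
    """
    acls, class_acl, inspected, params = {}, {}, [], set()
    cmap = cls = None
    in_ipsec_map = False
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "access-list" and "permit" in tok:
            acls.setdefault(tok[1], []).append(" ".join(tok[2:]))
        elif tok[0] == "class-map":
            cmap = tok[-1]
        elif tok[:2] == ["match", "access-list"] and cmap and len(tok) > 2:
            class_acl[cmap] = tok[2]
        elif tok[0] == "policy-map":
            in_ipsec_map, cls = "ipsec-pass-thru" in tok, None
        elif tok[0] == "class" and len(tok) > 1:
            cls = tok[1]
        elif tok[:2] == ["inspect", "ipsec-pass-thru"] and cls:
            inspected.append(cls)  # class whose traffic gets the inspection
        elif in_ipsec_map and tok[0] in ("esp", "ah"):
            params.add(tok[0])     # ESP/AH parameters set in the inspect map
    entries = [e for c in inspected for e in acls.get(class_acl.get(c), [])]
    port = lambda p: any(re.search(rf"\budp\b.*\beq ({p})\b", e) for e in entries)
    return {"classes": inspected, "udp_500": port("isakmp|500"),
            "udp_4500": port("4500"), "esp": "esp" in params, "ah": "ah" in params}

if __name__ == "__main__":
    print(audit_ipsec_passthru(SAMPLE_CONFIG))
```

For the posted config the result shows the inspection bound to a class matching UDP 500 with ESP and AH parameters set, and no UDP 4500 entry in that class's ACL.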
 