ASA VPN device behind another firewall

I have a client who wants to put their VPN ASA behind the main ASA connected to the Internet. Both devices have an inside leg for the internal network, but the VPN ASA connects directly to the Internet ASA.

Topology:

Outside FW: Internet transfer Procedure > ASA/FW > DMZ leg to ASA/VPN

ASA VPN: outside interface is an L3 link to the DMZ interface of the ASA/FW

On the outside FW I NAT the outside address of the VPN ASA to an available public IP address, and I have a rule that allows all IP from outside to the private outside IP of the VPN ASA. Inside = 192.168.254.1, outside = public IP address.

Configured on the VPN ASA: standard ASA SSL remote access.

When I hit the NAT public IP address, nothing happens. I've run packet-tracer on the outside FW, and everything seems good.

Does anyone have a sample design / config for a similar topology?     Internet > ASA/FW > dmz-leg > ASA/VPN

Thanks in advance,
Bob

Can you share your NAT and routing configuration of these two ASAs?

Tags: Cisco Security

Similar Questions

  • Is it possible to configure a CISCO1921/K9 router for site-to-site VPN behind a firewall?

    I am looking to buy a CISCO1921/K9 to configure a site-to-site VPN with Amazon VPN. We are behind a firewall. I am trying to install the new CISCO1921/K9 router according to the quick text diagram below. Will my setup work? And which ports will I need to forward on my firewall?

    INTERNET--> Modem to ISP---> firewall - CISCO1921/K9

    Hi Paul,

    (192.168.1.0/24) - router (10.1.1.1)-(10.1.1.2) firewall(81.92.61.x/27)---Internet

    The configuration is very simple...

    1. There will be no modifications to the VPN configuration of the router, with the exception that the router interface facing the firewall will have the private IP 10.1.1.1.

    2. You will need to take a public IP from your public range (e.g. 81.92.61.2) and share it with your remote location, which they will set up as the peer IP at their end.

    3. Now you have to configure 2 types of NAT on your firewall.

    Source NAT: when your router initiates the VPN

    Before NAT: Destination - Source 10.1.1.1-(remote peer IP)

    After NAT: Destination - Source 81.92.61.2-(remote peer IP)

    Destination NAT: when the remote location initiates the VPN

    Before NAT: Destination - Source (remote peer IP)-(81.92.61.2)

    After NAT: Destination - Source (remote peer IP)-(10.1.1.1)

    I hope this is clear :)

  • Which VPN works like a PPTP VPN on a CISCO-ASA-5520 firewall?

    Hi all

    Can you please tell me which VPN I can configure in place of PPTP on an ASA 5520 firewall? Which VPN works like a PPTP VPN on a CISCO-ASA-5520 firewall?

    You can use the RA VPN wizard in ASDM and configure L2TP IPSec VPN, which does not need a VPN client to be installed.

    Michael

    Please note all useful posts

  • Will it be safe to use XP behind a firewall after end of life?

    I have a netbook that I use as a NAS, with an external 1 TB hard drive, on my LAN.  I also use it for the MagicJack connection.  I have a firewall in my router, and the only things on this machine that go online are antivirus updates and placing / receiving calls from MagicJack.  It doesn't meet the minimum specifications for Windows 7.

    If I keep this machine behind the firewall and prevent web access, will it be safe to stay with XP after end of life?  Is MagicJack a security hole?  My only other option is to switch to a Linux distribution, but I need to configure it to run on a Windows network and it seems that you have to do back flips to get the MagicJack to work on Linux.
    Any advice will be appreciated.

    End of the security updates is something much more...

    antivirus support, but again, you are not protected completely...
  • New ASA/VPN configuration

    So, I am looking to add one of my spare 5510 firewalls to my secondary network as a VPN connection.

    All I want this new ASA to do is handle my site's AnyConnect VPN connections.  I'm pretty new to ASAs, so any help would be great.  I know how to create a new VPN access on my ASA and I added a NAT for my inside and outside traffic to my new VPN IP pool.

    My question is, since it's only for the VPN and I want all my current internal traffic to continue routing through the existing ASA 5510, do I have to enter ACLs on my new VPN-only ASA?  Are ACLs used for VPN traffic, and do I need them to route traffic via the VPN?

    I'll connect the inside interface to one of my main Cisco switches, and the outside interface of the new VPN-only ASA connects to my DMZ switch.

    Thank you

    I'm not sure I follow how you are connecting the outside interface of the VPN-only ASA. Normally, in this type of installation, we would see the VPN ASA "in parallel" with the perimeter firewall.

    You mention the DMZ switch, which threw me a little. If you are coming in through your main firewall and going to the VPN-only ASA via the DMZ, then yes, you will need to allow several ports through (protocol 50, udp/500, tcp/443 among others) and may have to use some other techniques (NAT-T, etc.) depending on the type of remote access you are implementing. That's why we rarely see this configuration used - it adds a good dose of complexity without significant benefit.

    When the former setup is used, you need your internal switch to know to route traffic for the VPN pool via the VPN-only ASA's inside interface. A static route is most often used, although you can use OSPF or EIGRP if you want to.

    There generally does not need to be any access list, as VPN traffic bypasses the interface's incoming access lists. Return traffic to the remote clients comes from the inside and goes out (and is usually part of an established connection), so no access list is necessary on the inside.

  • ASA Vpn load balancing and failover

    Hi all.

    We have two ASA5520s configured as primary and standby units in a failover configuration, and everything works fine.

    Is it possible with this configuration (failover) to configure VPN load balancing/clustering?

    Thank you

    Daniele

    Hi Daniele,

    You cannot run both of them on two ASA firewalls: either the VPN load balancing feature or the failover feature.

    Where you need to use both features, you must use more than three ASA firewalls; the first two ASAs will work as the failover pair and the third ASA will work as the VPN cluster for them. The following example uses four firewalls:

    ASA1 (active FO) - ASA2 (TF Standby)
    (VPN virtual master)
            |
            |
            |
            |
    (Backup VPN device)
    ASA3 (active FO) - ASA4 (TF Standby)

    Kind regards

    Wajih

  • ASA-to-ASA remote access VPN

    This is my first post on this site. Hi all!

    I have not really set up ASAs or VPNs on Cisco devices before. Currently, I'm trying to configure a remote access VPN between ASA devices, a 5505 and a 5510. The 5510 is supposed to be the server and the 5505 is supposed to be the EasyVPN client. The reason why I'm opting for remote access instead of site-to-site is that I have many 5505s at remote sites that I need to set up in the future, and they will be moving around a bit (I prefer not to have to keep track of the site-to-site configs). The 5510 is not mobile. The ASA devices are able to ping 8.8.8.8 as well as ping each other's public-facing IP address.

    Neither ASA can ping the private IP of the other ASA (this part makes sense), and I am unable to SSH from a client on the 5510 side to the internal interface (192) of the 5505. I wonder if someone more experienced in ASA remote access VPN than me is able to see something wrong with my setup? I've pasted sanitized configs of the two ASAs below.

    Thanks a lot for any assistance!

    ASA 5510 (server)

    ASA Version 8.0(4)
    !
    hostname ASA5510
    domain-name
    enable password encrypted
    passwd encrypted
    names
    !
    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address 48.110.3.220 255.255.255.192
    !
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 192.168.191.252 255.255.252.0
    !
    interface Ethernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     shutdown
     no nameif
     no security-level
     no ip address
    !
    ftp mode passive
    dns server-group DefaultDNS
     domain-name
    same-security-traffic permit intra-interface
    access-list NONAT_VPN extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
    access-list VPN_REMOTE_IPS remark EZ VPN REMOTE IP VARIES
    access-list VPN_REMOTE_IPS extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-613.bin
    no asdm history enable
    arp timeout 14400
    nat (inside) 0 access-list NONAT_VPN
    route outside 0.0.0.0 0.0.0.0 48.110.3.193 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set TestVPN esp-aes-192 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 86400
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map DYNAMIC-MAP 5 set transform-set TestVPN
    crypto dynamic-map DYNAMIC-MAP 5 set security-association lifetime seconds 86400
    crypto dynamic-map DYNAMIC-MAP 5 set security-association lifetime kilobytes 4608000
    crypto map outside_map 1 set security-association lifetime seconds 86400
    crypto map outside_map 1 set security-association lifetime kilobytes 4608000
    crypto map S2S-VPN 100 set security-association lifetime seconds 86400
    crypto map S2S-VPN 100 set security-association lifetime kilobytes 4608000
    crypto map OUTSIDE_MAP 65530 ipsec-isakmp dynamic DYNAMIC-MAP
    crypto map OUTSIDE_MAP interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 65535
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 1
    ssh 192.168.0.0 255.255.0.0 inside
    ssh timeout 15
    console timeout 30
    management-access inside
    priority-queue outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy EZVPN_GP internal
    group-policy EZVPN_GP attributes
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value VPN_REMOTE_IPS
     nem enable
    username password encrypted privilege 3
    username password encrypted privilege 15
    tunnel-group EZVPN_TUNNEL type remote-access
    tunnel-group EZVPN_TUNNEL general-attributes
     default-group-policy EZVPN_GP
    tunnel-group EZVPN_TUNNEL ipsec-attributes
     pre-shared-key
    !
    class-map inspection_default
     match default-inspection-traffic
    class-map VOICE-CLASS
     match dscp ef
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map PRIORITY_POLICY
     class VOICE-CLASS
      priority
    policy-map QOS-TRAFFIC-OUT
     class class-default
      shape average 154088000
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:10156ad7ab988ae7ed66c4b6d0b4712e
    : end

    ASA 5505 (Client)

    ASA Version 8.2(5)
    !
    hostname ASA5505
    enable password encrypted
    passwd encrypted
    names
    !
    interface Ethernet0/0
    !
    interface Ethernet0/1
     switchport access vlan 2
    !
    interface Ethernet0/2
     shutdown
    !
    interface Ethernet0/3
     shutdown
    !
    interface Ethernet0/4
     shutdown
    !
    interface Ethernet0/5
     shutdown
    !
    interface Ethernet0/6
     shutdown
    !
    interface Ethernet0/7
     shutdown
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.19.1 255.255.255.192
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 174.161.76.217 255.255.255.248
    !
    ftp mode passive
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    route outside 0.0.0.0 0.0.0.0 174.161.76.222 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto isakmp policy 65535
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh 192.168.0.0 255.255.0.0 inside
    ssh 48.110.3.220 255.255.255.255 outside
    ssh timeout 5
    console timeout 0
    management-access inside
    vpnclient server 48.110.3.220
    vpnclient mode network-extension-mode
    vpnclient vpngroup EZVPN_TUNNEL password
    vpnclient username password
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username password encrypted privilege 15
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://Tools.Cisco.com/its/service/odd... DCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:bd465cea07c060a409a2eade03b487dc
    : end

    Please follow this link to create a dynamic L2L Remote Server on ASA5510.

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml

    Here is a link for you to create the site-to-site VPN tunnel; the tunnel can be a client of the dynamic L2L server tunnel above.

    http://www.Cisco.com/en/us/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml

    Hope that helps.

    If you have any questions, please ask.

    Thank you

    Rizwan James

  • My iPad Air 2 16Gig is short of memory or space. iTunes indicates that 6gig of space on my device is occupied by "other". What is this "other"?

    My iPad Air 2 16Gig is short of memory or space. iTunes indicates that 6gig of space on my device is occupied by "other". What is this "other"?

    "Other" seems to be a combination of things left behind by failed sync events, private app data which is not recorded elsewhere, and who knows what else. It tends to grow over time. The following steps should decrease it. They assume that all the content you want on the device is in your library for the restoration. If not, see recover your iTunes from your iPod or an iOS device first. I would also recommend you copy everything off of the camera, if you have not already.

    1. Back up the device.
    2. Restore as a new device.
    3. Restore the backup that you made earlier.

    Use an encrypted backup if you want to keep passwords, Wi-Fi settings, web history and health data as appropriate.

    TT2

  • ASA VPN with Fortigate

    Hello people!

    I still have the problem with VPN... Laughing out loud

    I have to create a new site-to-site VPN between an ASA 5510 (8.42 IOS) and a Fortigate, but something is very strange: the VPN doesn't come up, and I see the following log in debug crypto ikev1 10:

    [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2

    But if I ask the other peer to change to Group 2, the msg on the ASA is:

    [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1

    On the Fortigate it is possible to enable both groups 1 and 2 for a specific VPN, so I asked the other peer to leave it this way, and the ASA shows:

    [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
    [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2

    The show isakmp sa:

    9 IKE Peer: 179.124.32.181
    Type: user Role: responder
    Rekey: no State: MM_WAIT_MSG3

    I have deleted and recreated the VPN 3 times and the same error occurs.

    Has anyone seen this kind of problem?

    Is it using Fortigate version 5 by chance?

    I have seen Cisco ASA VPN problems repeatedly with this Fortigate code, but mostly it has been a Phase 2 problem, and setting the KB lifetime to maximum on the ASA side has solved it... However, this seems not to be your problem here.

    The first thing I see in your config is that you have PFS enabled - have you ensured it is set on the Fortinet side, or tried to turn it off on the Cisco side to see if it comes up?

    Being stuck at MM_WAIT_MSG3 means that you sent your policy back, but then did not receive the third packet in the ISAKMP exchange, so either the Fortigate is unhappy with something or there's a routing problem (however unlikely, given that you have already had communication).

    Try on the ASA side:

    debug crypto isakmp 7
    Can you also confirm your external interface is 'outside1'? You can see this with "show ip".
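
The debug lines in the question above point at a Diffie-Hellman group disagreement in IKEv1 Phase 1, which only completes when one policy on each peer agrees on authentication, encryption, hash and group. The following is an added example, not code from the posters or from Cisco: a small offline checker that compares the IKEv1 policy blocks of two ASA-style configs. The sample configs are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample policies in ASA syntax (illustrative, not the posters' configs).
LOCAL_ASA = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""
PEER_3DES = """\
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""
PEER_GROUP1 = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-192
 hash sha
 group 1
 lifetime 28800
"""

# Attributes that must be identical on both peers. Lifetime is left out of the
# comparison on purpose: it does not have to be identical for a policy match.
MATCH_KEYS = ("authentication", "encryption", "hash", "group")
# Accept both the older "crypto isakmp policy" and the newer "crypto ikev1 policy".
HEADER = re.compile(r"^crypto (?:isakmp|ikev1) policy (\d+)$")


def parse_policies(config):
    """Return {priority: {attribute: value}} for every IKEv1 policy block."""
    policies, current = {}, None
    for line in config.splitlines():
        header = HEADER.match(line.rstrip())
        if header:
            current = policies.setdefault(int(header.group(1)), {})
        elif current is not None and line.startswith(" "):
            parts = line.split()
            if len(parts) >= 2:
                current[parts[0]] = " ".join(parts[1:])
        else:
            current = None  # any unindented line ends the policy block
    return policies


def common_proposals(local, remote):
    """List (local_priority, remote_priority) pairs that agree on all MATCH_KEYS.

    An attribute missing from the text is treated as unknown and never matches,
    because platform defaults differ between software versions.
    """
    return [
        (lp, rp)
        for lp, la in sorted(local.items())
        for rp, ra in sorted(remote.items())
        if all(la.get(k) is not None and la.get(k) == ra.get(k) for k in MATCH_KEYS)
    ]


def mismatches(local, remote):
    """For each policy pair that does not match, list the attributes that differ."""
    report = []
    for lp, la in sorted(local.items()):
        for rp, ra in sorted(remote.items()):
            diff = [f"{k}: local={la.get(k)} remote={ra.get(k)}"
                    for k in MATCH_KEYS if la.get(k) != ra.get(k)]
            if diff:
                report.append((lp, rp, diff))
    return report
```

An empty result from `common_proposals` means Phase 1 cannot complete with the policies as written, and `mismatches` names the attribute to align on one side.
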
  • ACS 4.0 behind a firewall

    Hi, we have an ACS 4.0 behind a firewall...

    I want to know which ports must be open besides 2002 for remote connection... ?

    Any idea... ?

    Hello

    ACS is accessible via tcp 2002 for the initial connection. For subsequent access (moving from one page to another), it will use random ports 2003 or higher (tcp).

    To access this box remotely, you must open a range of ports, for example 2002->3500 or 2002->5000. Pls be careful when you specify the range, as allowing too many ports COULD present a risk to your ACS server.

    example:

    list of access outside the range of allowed hosts 2002 5000 tcp

    Hope this helps.

    Rgds,

    AK

  • ASA VPN - allow user based on LDAP Group

    Hello friends

    I have to create a configuration to allow connection based on LDAP group.

    I'm not specialized in firewalls and I tried to follow the links above, but both seem old; several commands are not available.

    http://www.tunnelsup.com/Cisco-ASA-VPN-authorize-user-based-on-LDAP-group

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

    Does anyone know how I can do this?

    Thank you

    Marcio

    I like to use DAP (dynamic access policies) to control this.  Follow this guide:

    https://supportforums.Cisco.com/document/7691/ASA-8X-dynamic-access-policies-DAP-deployment-guide

  • ASA VPN configuration

    Hello

    I set up a site-to-site VPN on an ASA; at the other site there is a Watchguard firewall.  The VPN has not been established. I have no isakmp or ipsec sessions. Here is the config I use; can anyone see if I'm missing something? It's my first VPN using the command line.

    object-group network SITEA
     network-object 10.57.254.0 255.255.255.0

    object-group network SITEB
     network-object 10.254.10.0 255.255.255.0

    crypto ikev1 enable outside

    access-list VPN_TRAFFIC_ALLOWED extended permit ip object-group SITEA object-group SITEB

    nat (inside,outside) source static SITEA SITEB destination static SITEA SITEB

    tunnel-group X.X.X.X type ipsec-l2l
    tunnel-group X.X.X.X ipsec-attributes
     pre-shared-key X.X.X.X
     exit

    crypto ikev1 policy 10
     authentication pre-share
     encryption aes-256
     hash sha
     lifetime 28800

    crypto ipsec ikev1 transform-set TS-ESP-AES-SHA esp-aes-256 esp-sha-hmac

    crypto map outside_map 1 match address VPN_TRAFFIC_ALLOWED
    crypto map outside_map 1 set peer X.X.X.X
    crypto map outside_map 1 set ikev1 transform-set TS-ESP-AES-SHA
    crypto map outside_map interface outside

    Hello.

    Please fix the NAT 0 with this line:

    nat (inside,outside) source static SITEA SITEA destination static SITEB SITEB no-proxy-arp route-lookup

    If you're still having problems, send me the result of:

    packet-tracer input inside icmp 10.57.254.10 8 0 10.254.10.10 detailed

    Kind regards

  • ASDM access to VPN conc (ASA)

    I have a scenario like this:

    An ASA, which is the FW, is doing static NAT from the public to the private IP address, and the private IP address is the address of the VPN conc (another ASA). I access these devices via the VPN client and I get an IP address from the VPN pool set on the VPN conc. The VPN conc. is in a DMZ VLAN, but it also has a connection to the local network segment. For mgmt purposes, I connect to this VPN conc through SSH via a switch in the local network segment. To use http access, I have to be on one of the servers that are in the local network segment. Since, when I set up the VPN connection, I am on the VPN conc., what can I do to access http directly from my PC?

    Configure this on the VPN conc:

    management-access inside

    After that you should be able to use ASDM over the VPN tunnel, by connecting to its inside ip address.

    hth
    Herbert
    (note, I assume the interface connected to the LAN is named "inside"; if not, adapt at will)

  • ASA VPN IPSec: MTU or CFG error Question?

    Hello

    I have a strange problem... If I create an IPSec tunnel to the ASA, it comes up but doesn't work if the packet is over +/- 150 bytes... when the packet size is exceeded, the ASA doesn't send to the IPSec client. The size is related to the type of tunnel configured:

    VPN client setup            ping -f -l xxx
    IPSec over TCP              152
    IPSec over UDP              123
    No transport tunnelling     115

    Debug icmp always reports the ping request and reply, but with packet sniffing on the outside vlan I don't see a reply packet when I try with values higher than those shown:

    ping 'small':
    22   3.748396   x.x.x.x   192.168.y.y   ESP   ESP  (SPI=0x7106d9e3) <- ping request
    23   3.748884   192.168.y.y   x.x.x.x  ESP   ESP (SPI=0x05d0db4a) <- ping reply

    ping 'big':
    27   2.981950   x.x.x.x   192.168.y.y   ESP   ESP(SPI=0x7106d9e3) <- ping request missing ping reply!

    The problem occurs with any protocol (TCP, UDP, ICMP), and checking the configuration against other ASAs found no differences.

    The ASA is a 5505 with fw 8.0(4) and IPSec microcode CNlite-MC-IPSECm-MAIN-2.05.

    Thank you

    Arturo.

    This looks a lot like the following bug:

    CSCsu26649    Big packets dropped with ip-comp enable configured

    Can you confirm that you have 'ip-comp enable' in your VPN config? If so, turn that off and you should be ok.

    Better yet, go to 8.0 (5).

    HTH

    Herbert

  • Configure the firewall to allow VPN connections to a remote site

    Hi all

    I do a lot of how to configure VPN servers, so please bear with me if I explain a bit wrong!

    Hopefully a quick question: I am trying to connect a VPN client that is located behind a firewall to a remote PIX server using RADIUS authentication. I am able to ping the remote IP of the VPN server, but cannot connect - errors are "peer remote unresponsive" for UDP and "has not established TCP connection" for TCP.

    Short topology...

    Local PC, fixed IP 192.x.x.1, using VPN Client 4.0.3

    Connects through a firewall of unknown type to the Internet

    This firewall has outgoing ping enabled, and temporarily all UDP and TCP ports open for the local PC's fixed IP above.

    VPN client configured with group access, and I tried to use UDP and TCP, with and without transparent tunnelling.

    Does anyone have any suggestions as to why the connection cannot be made even though the target IP can be pinged?

    Thanks in advance,

    Dave.

    Please see the latest posts by Dave and myself.

    Let me know if they help.
