From: Andrew Larkins (Andrew.Larkins@btgroup.co.za)
Date: Sun Feb 03 2008 - 06:29:09 ARST
Thanks,
But I am able to VPN successfully using UDP but not TCP so that already
proves the config for the pool. It is only when I enable IPSec over TCP
on default port 10000 that no data passes. I get an IP address and see
packets being encrypted but nothing comes back...
Andrew
-----Original Message-----
From: mdestienne@yahoo.com [mailto:mdestienne@yahoo.com]
Sent: 01 February 2008 14:59 PM
To: Andrew Larkins; ccielab@groupstudy.com; cisco@groupstudy.com;
security@groupstudy.com
Subject: Re: VPN - IPSec over TCP on PIX vs ASA - both ver 8.03 -
strange problem only working on PIX and not ASA - UDP works on both!
The first thing that comes to mind is the only difference between your
configs, the DHCP pool. Verify that your inside network has a path to
your ASA VPN pool.
-----Original Message-----
From: "Andrew Larkins" <Andrew.Larkins@btgroup.co.za>
Date: Fri, 1 Feb 2008 10:19:06
To:<ccielab@groupstudy.com>, <cisco@groupstudy.com>,
<security@groupstudy.com>
Subject: VPN - IPSec over TCP on PIX vs ASA - both ver 8.03 - strange
problem only working on PIX and not ASA - UDP works on both!
Good day all,
I have a full working remote access VPN on both firewalls (PIX515E and
ASA5540). ASA is replacing the PIX at a new location.
Both work perfectly with IPSec over UDP (NAT traversal, UDP 4500) and
only the PIX515E works with TCP 10000. I can however connect the VPN up
& authenticate successfully on the ASA using IPSec over TCP, but I am
absolutely unable to pass any data through the tunnel. Change the
profile back to IPSec over UDP and it works perfectly.
My understanding here is that short of the IPSec setup to establish the
tunnel, all configuration is the same. If the port was blocked somewhere
the VPN would never connect.
Any reasons you can think of why this does not work before I log the
case with TAC? Any pointers on where to look further? Again, the ASA and
PIX are identical in config (all aspects) and software, except for the
local IP pool being different so I can test in parallel, and for being
different hardware platforms.
Regards
Andrew
The information contained in this message and or attachments is intended
only for the person or entity to which it is addressed and may contain
confidential and/or privileged material. Any review, retransmission,
dissemination or other use of, or taking of any action in reliance upon,
this information by persons or entities other than the intended recipient
is prohibited. If you received this in error, please contact the sender and
delete the material from any system and destroy any copies.
This archive was generated by hypermail 2.1.4 : Sat Mar 01 2008 - 16:54:47 ARST