This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Packet Filtering Rule for outbound Cisco VPN

I am looking for some help in setting up a rule to allow the Cisco VPN client to connect to remote sites. We have a few customers that require us to connect to their network through the Cisco VPN client. I have added a rule to allow IPsec traffic from the internal network to the external interface, but we still cannot connect. Any ideas?

Internal (Network) > External (WAN) (Address)
IPSec

This thread was automatically locked due to age.

Parents

0 BAlfson over 16 years ago

Have you opened the port for NAT-T?

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 bmurphy_01 over 16 years ago in reply to BAlfson

I am using the built in IPSec group definition. It includes AH, ESP, IKE, and NAT-T.
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 16 years ago in reply to bmurphy_01

Check the PacketFilter log on Astaro.

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 bmurphy_01 over 16 years ago in reply to BarryG

It is dropping port 500.

15:20:02 Default DROP UDP 192.168.1.110 : 500 → 162.119.232.200 : 500
len=897 ttl=127 tos=0x00 srcmac=00:13:20:6b:23:51 dstmac=00:1a:8c:15:9f:70

15:20:09 Default DROP UDP 192.168.1.110 : 500 → 162.119.64.200 : 500
len=897 ttl=127 tos=0x00 srcmac=00:13:20:6b:23:51 dstmac=00:1a:8c:15:9f:70
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 16 years ago in reply to bmurphy_01

I assume that you'e tried putting the Cisco client outside the Astaro and confirmmed that it does connect without the Astaro in the equation.

Show a picture of the PF rule you set up for IPSec.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BAlfson over 16 years ago in reply to bmurphy_01

I assume that you'e tried putting the Cisco client outside the Astaro and confirmmed that it does connect without the Astaro in the equation.

Show a picture of the PF rule you set up for IPSec.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 bmurphy_01 over 16 years ago in reply to BAlfson

The client was working prior to installing the Astaro.

CiscoPF.jpg
- CiscoPF.jpg
- View
- Hide
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 16 years ago in reply to bmurphy_01

Destination should be ANY, not EXTERNAL.

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 bmurphy_01 over 16 years ago in reply to BarryG

Thanks so much Barry! That did the trick.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 16 years ago in reply to bmurphy_01

I'm just the straight man. I provide the setup and Barry delivers the punch line[;)]

Thanks, Barry, I hope you can give me some input or questions on my thread about configuring Ethernet/VMware/Astaro.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 MacroSystems over 16 years ago in reply to BAlfson

Having the same problem with my Cisco VPN client that worked from home before ASG.

22:27:18 Default DROP UDP 192.168.253.160 : 4991 → 207.225.150.15 : 62515

len=40 ttl=127 tos=0x00 srcmac=00:0c:29:37:15:95 dstmac=00:0c:29:37:15:81

Port 62515 instead of 500. Do I needs IPSEC and VPN protocols?
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 16 years ago in reply to MacroSystems

Yes. Create a new Service definition named, e.g., "Cisco VPN 62515" and add it to the "IPsec" Services group.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 MacroSystems over 16 years ago in reply to BAlfson

I added the new service and added it to the "IPSec" services group. No more dropped packets but the Remote Desktop connection to my work computer still doesn't work. Nothing showing up in the Live Log.

Where should I look next?
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 16 years ago in reply to MacroSystems

That sounds like a new question. Please start a new thread and give good information as you did in your first post; "it's broke" is pretty hard to analyze. [;)]

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel