CISCO ASA 5505, Creating a DMZ
I need to set up a DMZ on my ASA 5505.
I have found sketchy tutorials however would like to know from a command line step by step.
Does the DMZ issue an IP address to devices that cannot be issued a static IP?
Cheers
I have found sketchy tutorials however would like to know from a command line step by step.
Does the DMZ issue an IP address to devices that cannot be issued a static IP?
Cheers
ASKER
HI,
I have not upgarded but Is there any way to check on the firewall?
Will i have to go through a reseller or can i purchase and download?
I have not upgarded but Is there any way to check on the firewall?
Will i have to go through a reseller or can i purchase and download?
ASKER
All purchased, just waiting on the code to come through. Will post once installed. Cheers
Pleased show the config and what the topology that you want and I make it....
ASKER
Hi,
Security plus License installed. A couple of questions
I. Does the DMZ issue IP as a dhcp server?
II. Will the DMZ use a Public or private or both? (I have 7 spare Public IP’s)
The device I need to connect cannot be assigned a static ip.
Thanks
Security plus License installed. A couple of questions
I. Does the DMZ issue IP as a dhcp server?
II. Will the DMZ use a Public or private or both? (I have 7 spare Public IP’s)
The device I need to connect cannot be assigned a static ip.
Thanks
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi, Excellent thanks!
I had to adopt to my current setup as my Vlan1 = Inside, Vlan2 = Outside
Here is a sanitised version of running-config for your review. I assigned switch port 0/7 to the dmz
I am working remotely so not sure if it works yet.
: Saved
:
ASA Version 8.2(1)
!
hostname FORTRESS
enable password L3jXBIU9.f/KXdjK encrypted
passwd oShcltzbRXPPo.hu encrypted
names
name 192.168.51.50 VOIP_server
name 192.168.30.0 SITE-A
name 192.168.40.0 SITE-B
name 192.168.20.0 SITE-C
name 192.168.1.0 SITE-D description SANDI
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group WESTBURY
ip address pppoe setroute
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server ---.---.--.---
name-server ---.---.--.---
object-group service VODAFONE_Ports
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.51.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 SITE-A 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 SITE-B 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 SITE-C 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 SITE-D 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 SITE-A 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.10.0 255.255.255.0 SITE-B 255.255.255.0
access-list outside_4_cryptomap extended permit ip 192.168.10.0 255.255.255.0 SITE-C 255.255.255.0
access-list outside_5_cryptomap extended permit ip 192.168.10.0 255.255.255.0 SITE-D 255.255.255.0
access-list ICMPACL extended permit icmp any any
pager lines 24
logging enable
logging asdm-buffer-size 512
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) ---.--.-.--- 192.168.10.104 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 ---.---.--.- 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-reco
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
http ---.---.--.- 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 82.--.--.--
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 82.--.--.--
crypto map outside_map 2 set transform-set ESP-3DES-MD5 ESP-AES-128-SHA
crypto map outside_map 2 set security-association lifetime seconds 86400
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 82.--.--.--
crypto map outside_map 3 set transform-set ESP-3DES-MD5
crypto map outside_map 3 set security-association lifetime seconds 86400
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer 82.--.--.--
crypto map outside_map 4 set transform-set ESP-3DES-MD5
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set pfs
crypto map outside_map 5 set peer 82.--.--.--
crypto map outside_map 5 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.255 inside
ssh 192.168.51.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.255 outside
ssh ---.---.--.- 255.255.255.255 outside
ssh 192.168.51.0 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access outside
vpdn group WESTBURY request dialout pppoe
vpdn group WESTBURY localname ***
vpdn group WESTBURY ppp authentication chap
vpdn username *** password *********
dhcpd dns ---.--.-.--- ---.--.-.---
dhcpd auto_config outside
!
dhcpd address 192.168.10.100-192.168.10.
dhcpd dns ---.--.-.--- ---.--.-.--- interface inside
dhcpd ping_timeout 750 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
priority-queue inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password H1kZZCYIzbxYpUC2 encrypted privilege 15
tunnel-group 82.--.--.-- type ipsec-l2l
tunnel-group 82.--.--.-- ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group 82.--.--.-- type ipsec-l2l
tunnel-group 82.--.--.-- ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group 82.--.--.-- type ipsec-l2l
tunnel-group 82.--.--.-- ipsec-attributes
pre-shared-key *
tunnel-group 82.--.--.-- type ipsec-l2l
tunnel-group 82.--.--.-- ipsec-attributes
pre-shared-key *
tunnel-group 82.--.--.-- type ipsec-l2l
tunnel-group 82.--.--.-- ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:48021baf602
: end
asdm location VOIP_server 255.255.255.255 inside
asdm location SITE-A 255.255.255.0 inside
asdm location SITE-B 255.255.255.0 inside
asdm location SITE-C 255.255.255.0 inside
asdm location SITE-D 255.255.255.0 inside
no asdm history enable
I had to adopt to my current setup as my Vlan1 = Inside, Vlan2 = Outside
Here is a sanitised version of running-config for your review. I assigned switch port 0/7 to the dmz
I am working remotely so not sure if it works yet.
: Saved
:
ASA Version 8.2(1)
!
hostname FORTRESS
enable password L3jXBIU9.f/KXdjK encrypted
passwd oShcltzbRXPPo.hu encrypted
names
name 192.168.51.50 VOIP_server
name 192.168.30.0 SITE-A
name 192.168.40.0 SITE-B
name 192.168.20.0 SITE-C
name 192.168.1.0 SITE-D description SANDI
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group WESTBURY
ip address pppoe setroute
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server ---.---.--.---
name-server ---.---.--.---
object-group service VODAFONE_Ports
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.51.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 SITE-A 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 SITE-B 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 SITE-C 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 SITE-D 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 SITE-A 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.10.0 255.255.255.0 SITE-B 255.255.255.0
access-list outside_4_cryptomap extended permit ip 192.168.10.0 255.255.255.0 SITE-C 255.255.255.0
access-list outside_5_cryptomap extended permit ip 192.168.10.0 255.255.255.0 SITE-D 255.255.255.0
access-list ICMPACL extended permit icmp any any
pager lines 24
logging enable
logging asdm-buffer-size 512
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) ---.--.-.--- 192.168.10.104 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 ---.---.--.- 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-reco
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
http ---.---.--.- 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 82.--.--.--
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 82.--.--.--
crypto map outside_map 2 set transform-set ESP-3DES-MD5 ESP-AES-128-SHA
crypto map outside_map 2 set security-association lifetime seconds 86400
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 82.--.--.--
crypto map outside_map 3 set transform-set ESP-3DES-MD5
crypto map outside_map 3 set security-association lifetime seconds 86400
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer 82.--.--.--
crypto map outside_map 4 set transform-set ESP-3DES-MD5
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set pfs
crypto map outside_map 5 set peer 82.--.--.--
crypto map outside_map 5 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.255 inside
ssh 192.168.51.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.255 outside
ssh ---.---.--.- 255.255.255.255 outside
ssh 192.168.51.0 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access outside
vpdn group WESTBURY request dialout pppoe
vpdn group WESTBURY localname ***
vpdn group WESTBURY ppp authentication chap
vpdn username *** password *********
dhcpd dns ---.--.-.--- ---.--.-.---
dhcpd auto_config outside
!
dhcpd address 192.168.10.100-192.168.10.
dhcpd dns ---.--.-.--- ---.--.-.--- interface inside
dhcpd ping_timeout 750 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
priority-queue inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password H1kZZCYIzbxYpUC2 encrypted privilege 15
tunnel-group 82.--.--.-- type ipsec-l2l
tunnel-group 82.--.--.-- ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group 82.--.--.-- type ipsec-l2l
tunnel-group 82.--.--.-- ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group 82.--.--.-- type ipsec-l2l
tunnel-group 82.--.--.-- ipsec-attributes
pre-shared-key *
tunnel-group 82.--.--.-- type ipsec-l2l
tunnel-group 82.--.--.-- ipsec-attributes
pre-shared-key *
tunnel-group 82.--.--.-- type ipsec-l2l
tunnel-group 82.--.--.-- ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:48021baf602
: end
asdm location VOIP_server 255.255.255.255 inside
asdm location SITE-A 255.255.255.0 inside
asdm location SITE-B 255.255.255.0 inside
asdm location SITE-C 255.255.255.0 inside
asdm location SITE-D 255.255.255.0 inside
no asdm history enable
Looks good to me!
Good Luck
Good Luck
ASKER
Hi,
The device i have plugged in is a Vodafone Sure Signal. It connects to Vodafones servers through ports 500 and 4500.
Setting up the DMZ is a result of the connection not establishing after opening the ports and many posts & support here.
I was hoping that by sitting this on the DMZ I would be confident the connection is not being blocked. For some reason this is still not connecting..
I have looked in the arp table and there is no device or record of the DMZ subnet created or the MAC address of the device?
Is the DMZ issuing an IP as a dhcp server as I cannot assign a static IP to the Vodafone device??....
Any thoughts…..
The device i have plugged in is a Vodafone Sure Signal. It connects to Vodafones servers through ports 500 and 4500.
Setting up the DMZ is a result of the connection not establishing after opening the ports and many posts & support here.
I was hoping that by sitting this on the DMZ I would be confident the connection is not being blocked. For some reason this is still not connecting..
I have looked in the arp table and there is no device or record of the DMZ subnet created or the MAC address of the device?
Is the DMZ issuing an IP as a dhcp server as I cannot assign a static IP to the Vodafone device??....
Any thoughts…..
First at all, you should check your connectivity between the devices, (asa & Vodaphone),
from the CLI in the asa, or by ASDM, try to ping the vodaphone device, or vice versa,
The ports 500 and 4500 are TCP or UDP?
Try to connect a computer in the DMZ and try to access the internet, when you get it, it doesn't matter if it static or dynamic addressing you should use those settings in your vodaphone...
If you still can connect either in the computer, so is probably that you have made something wrong, or there's something missing..!
Good Luck.!!
from the CLI in the asa, or by ASDM, try to ping the vodaphone device, or vice versa,
The ports 500 and 4500 are TCP or UDP?
Try to connect a computer in the DMZ and try to access the internet, when you get it, it doesn't matter if it static or dynamic addressing you should use those settings in your vodaphone...
If you still can connect either in the computer, so is probably that you have made something wrong, or there's something missing..!
Good Luck.!!
ASKER
Hi
Both of the ports are UDP.
The dmz is not issuing an IP. I connected a laptop and it resolved the 169 address. I manually configured the card and with a 192.168.3.100 address and successfully connected out through the gateway.
So as far as I can see everything is mustard apart from the dmz as a dhcp server. Is it possible to set up a dhcp scope in the dmz so that the vodabox can dynamically be issued an IP?
Thanks again!
Both of the ports are UDP.
The dmz is not issuing an IP. I connected a laptop and it resolved the 169 address. I manually configured the card and with a 192.168.3.100 address and successfully connected out through the gateway.
So as far as I can see everything is mustard apart from the dmz as a dhcp server. Is it possible to set up a dhcp scope in the dmz so that the vodabox can dynamically be issued an IP?
Thanks again!
Hi there is a problem, please enable DMZ:
interface Vlan3
forward interface Vlan1
interface Vlan3
forward interface Vlan1
I you don't buy security plus license you not eble to use DMZ!!
ASKER
I do not understand your last post sorry.
The ASA has been upgraded and the DMZ active.....
I need the interface to issue IP by DHCP to an appliance that can only get an ip through DHCP... is this possible??
The ASA has been upgraded and the DMZ active.....
I need the interface to issue IP by DHCP to an appliance that can only get an ip through DHCP... is this possible??
here's the command:
dhcpd address 192.168.3.10-192.168.3.100
dhcpd enable dmz
dhcpd dns 200.42.213.11 196.3.81.5 --> Replace this for your own DNS servers.
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd domain yourdomain.local
Good luck!!
dhcpd address 192.168.3.10-192.168.3.100
dhcpd enable dmz
dhcpd dns 200.42.213.11 196.3.81.5 --> Replace this for your own DNS servers.
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd domain yourdomain.local
Good luck!!
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Hello,
Just for the record, you don't need security plus in order to create a dmz!
without security-plus the dmz interface CAN'T communicate with the inside, but it CAN communicate with the outside...
Just for the record, you don't need security plus in order to create a dmz!
without security-plus the dmz interface CAN'T communicate with the inside, but it CAN communicate with the outside...
ASKER
Great that is working fine and the vodbox is showing in the arp table now.
Still not connecting......do i have to define the udp ports 4500 and 500? That is the only thing i can think of, however i thought the DMZ would be letting everything through?... Getting there - learning new stuff in nothing else!
Still not connecting......do i have to define the udp ports 4500 and 500? That is the only thing i can think of, however i thought the DMZ would be letting everything through?... Getting there - learning new stuff in nothing else!
Hello there,
one thing you should know is that those ports belong to (isakmp UDP/500) (Nat-Traversal UDP/4500), maybe you vodbox is trying to build a ipsec tunnel, but i think it gonna be impossible, (as i can see), because you are already finishing ipsec tunnels in you firewall, tunnels that are using those ports...
If you what to make a TEST try this in a non working time (ensure that nobody is using the tunnels), and do the following:
no crypto map outside_map interface outside
no crypto isakmp enable inside
no crypto isakmp enable outside
Test if your vodbox is working, and when you're done:
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
Anything else, let us know.!
one thing you should know is that those ports belong to (isakmp UDP/500) (Nat-Traversal UDP/4500), maybe you vodbox is trying to build a ipsec tunnel, but i think it gonna be impossible, (as i can see), because you are already finishing ipsec tunnels in you firewall, tunnels that are using those ports...
If you what to make a TEST try this in a non working time (ensure that nobody is using the tunnels), and do the following:
no crypto map outside_map interface outside
no crypto isakmp enable inside
no crypto isakmp enable outside
Test if your vodbox is working, and when you're done:
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
Anything else, let us know.!
ASKER
That makes perfect sense because when I called Vodafone they said that the Vodbox would try and create a VPN however, I thought this would run parallel to the existing defined policies. (As I already had multiple VPN tunnels).
I have run the command and my ip phone went dead instantly but the Vodbox is still not connecting so maybe the ports?......
Anyway your support has been excellent detailed and you have answered the original post. So will close this one down and award the points. Many thanks again!
I have run the command and my ip phone went dead instantly but the Vodbox is still not connecting so maybe the ports?......
Anyway your support has been excellent detailed and you have answered the original post. So will close this one down and award the points. Many thanks again!
ASKER
Awesome.
First of all you need Security plus license, did you upgraded it?