Macs not connecting to VPN

Hi There,

Recently we switched over to a new internet/MPLS provider. Some of our users connect to servers off site via a Cisco VPN to upload data. Since the switchover, all of the users are able to connect to the VPN as before except our Mac users. They are configured using the native Cisco VPN client connection as they were before; nothing on them has changed.

I have tried installing several standalone clients, including Cisco's, but for one reason or another they are incompatible, so I am stuck with the built-in client, which should work fine. Before, they would get all WAN-bound access via the Checkpoint UTM-1 firewall, but now all WAN-bound traffic goes via the ISP's Cisco ASA. I have had the ISP network engineer reduce the ACL rule down to allowing all traffic from the subnet they are on outbound to the destination VPN address over all relevant ports: 500 and 4500 UDP, even 10000 TCP and 50 UDP.

The NAT rule in place is really simple, just dynamically allowing all out and overloading on the public IP. The traffic from the connection attempt does reach the destination VPN server but does not get past Phase 1. The connection appears to be terminated by the ISP side or possibly the Mac. One thing I did find strange is that the Mac uses a source port and dest port of 500 & 4500, but I believe that is the norm on Unix devices.

I have attached the log from the VPN device from the connection attempt. Is there something different I need to do for the Macs regarding the VPN or firewall?

View attachment VPN_LOG.txt
 
