Cisco VPN client not working behind ASA Firewall

Unanswered Question
Apr 11th, 2007

Greetings All,

I've got an issue which I'm not sure about: is it my configuration fault or is it something to do with Cisco's ASA Firewall? Network Diagram is attached for your reference.

I have got a couple of users behind Cisco ASA 5510 who use Cisco VPN Client (versions ranging from 3.6 to 4.8). They share a single IP address to Internet (I mean they are NATed). Now, they want to create a VPN connection to a PIX acting as VPN server. They are able to successfully create a VPN connection but they cannot ping the servers behind PIX 501. They also cannot access any services behind the PIX.

I tried the above scenario on Cisco routers and Linksys router. That works. But it's not working with Cisco ASA.

Facts about the scenario:

I have done the normal NAT configuration and it's working.

They can ping the PIX 501.

They can create a VPN connection.

They CANNOT ping or access servers behind PIX.

Now, the possible reasons that I think are as below:

Something is wrong at Cisco ASA configuration because if I try to connect the PIX 501 from Dial-up, it works fine. It just doesn't work behind the ASA.

There might be some issue with NAT-Traversal. But I don't know, should it be configured at ASA or on PIX?

Or simply, ASA doesn't support Cisco VPN clients on NAT.

I would appreciate someone's help in this matter. Thanks in advance.

haroon.shaikh Thu, 04/12/2007 - 13:26

Thanks for the suggestion,

Actually the problem lies in my customer's IP assignment. They have an IP range of 192.168.20.0/24 for LAN. They have servers within this range.

Now, they want to create a Disaster Recovery situation. If the main servers are down for some reason they want to make another Cisco VPN to the PIX and connect to secondary servers behind PIX. The problem here is that the secondary servers have the same IP address as primary servers. I understand that this is a very bad network design, but at this stage, I cannot do anything else.

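The reply above pins the failure on overlapping address space: the client's LAN and the servers behind the PIX both use 192.168.20.0/24, so the client host never sends that traffic into the tunnel. The following is an added example, not code from the thread or from Cisco, that checks a VPN client's local LAN against the networks it expects to reach through the tunnel and reports which destinations are ambiguous. The subnets and host addresses in it are constructed to mirror the situation described in the reply (the 10.50.0.0/16 remote network is an assumed extra subnet, added only to show a non-overlapping case).

```python
"""Detect address overlap between a VPN client's local LAN and the
networks it expects to reach through the tunnel.

Added example, not from the original thread. The subnets below are
constructed to mirror the reply: the client's LAN and the servers
behind the remote PIX both use 192.168.20.0/24.
"""
from ipaddress import ip_address, ip_network


def overlapping_pairs(local_nets, remote_nets):
    """Return (local, remote) pairs whose address ranges intersect.

    A remote host inside an overlapping range is unreachable through the
    tunnel: the client host has a directly connected route for that
    prefix, so it treats the destination as a LAN neighbour instead of
    handing the packet to the VPN adapter.
    """
    local = [ip_network(n, strict=False) for n in local_nets]
    remote = [ip_network(n, strict=False) for n in remote_nets]
    return [(str(l), str(r)) for l in local for r in remote if l.overlaps(r)]


def classify_destination(dest, local_nets, remote_nets):
    """Describe how the client will route one destination address.

    'ambiguous' : covered by both the LAN and a tunnel network (the
                  failure mode in this thread)
    'local'     : only on the LAN
    'tunnel'    : only reachable via the VPN
    'default'   : neither, so it follows the normal Internet path
    """
    addr = ip_address(dest)
    in_local = any(addr in ip_network(n, strict=False) for n in local_nets)
    in_remote = any(addr in ip_network(n, strict=False) for n in remote_nets)
    if in_local and in_remote:
        return "ambiguous"
    if in_local:
        return "local"
    if in_remote:
        return "tunnel"
    return "default"


# Constructed sample: the customer's LAN and the networks behind the PIX.
LOCAL_LAN = ["192.168.20.0/24"]
REMOTE_VIA_VPN = ["192.168.20.0/24", "10.50.0.0/16"]  # 10.50/16 is assumed

if __name__ == "__main__":
    for pair in overlapping_pairs(LOCAL_LAN, REMOTE_VIA_VPN):
        print("overlap:", *pair)
    for host in ("192.168.20.10", "10.50.1.5", "8.8.8.8"):
        print(host, "->", classify_destination(host, LOCAL_LAN, REMOTE_VIA_VPN))
```

Running the check before troubleshooting the firewall saves time: an 'ambiguous' result means no ASA or PIX setting will make those hosts reachable, and the fix has to be on the addressing side (renumbering one site, or presenting the DR servers to the client under a translated, non-overlapping range).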