Cisco VPN client not working behind ASA Firewall

haroon.shaikh
Level 1

Greetings All,

I've got an issue which I'm not sure about: whether it's my configuration's fault or something to do with Cisco's ASA Firewall. The network diagram is attached for your reference.

I have got a couple of users behind a Cisco ASA 5510 who use the Cisco VPN Client (versions ranging from 3.6 to 4.8). They share a single IP address to the Internet (I mean they are NATed). Now, they want to create a VPN connection to a PIX acting as VPN server. They are able to successfully create a VPN connection, but they cannot ping the servers behind the PIX 501. They also cannot access any services behind the PIX.

I tried the above scenario on Cisco routers and a Linksys router. That works, but it's not working with the Cisco ASA.

Facts about the scenario:

I have done the normal NAT configuration and it's working.

They can ping the PIX 501.

They can create a VPN connection.

They CANNOT ping or access servers behind PIX.

Now, the possible reasons I can think of are as below:

Something is wrong in the Cisco ASA configuration, because if I try to connect to the PIX 501 from dial-up, it works fine. It just doesn't work behind the ASA.

There might be some issue with NAT-Traversal, but I don't know whether it should be configured on the ASA or on the PIX.

Or simply, the ASA doesn't support Cisco VPN clients behind NAT.

I would appreciate someone's help in this matter. Thanks in advance.

2 Replies

jmia
Level 7

Hello Haroon,

Add NAT-T support on the 501: isakmp nat-traversal

Also, why not just setup a VPN Tunnel between the ASA and 501?

Hope it helps, and if it does please rate posts!!
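To make jmia's suggestion concrete, the fragments below are an added example and not configuration posted in this thread. They assume the headend is a PIX 501 on PIX OS 6.3 (the first release that has isakmp nat-traversal) and that the client-side firewall is an ASA 5510 on 7.x. The names RA-SET, DYN-MAP, RA-MAP, RA-POOL, RA-GROUP, SPLIT-ACL and NONAT, and the 10.20.30.0/24 client pool, are placeholders chosen for the example; 192.168.20.0/24 is the LAN range the thread mentions. The point of NAT-T is that once the PIX advertises it, the client detects the PAT device in the path and moves IKE and ESP into UDP 4500, which the ASA can translate like any other UDP flow; bare ESP (IP protocol 50) has no ports for PAT to key on, which is why the tunnel comes up but nothing passes through it.

```text
! ---- PIX 501 (VPN headend, PIX OS 6.3) ----
! Phase 1 policy for the Cisco VPN Client
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! NAT-T: advertise RFC 3947 support and send a NAT keepalive every 20 s
! so the ASA's PAT entry for UDP 4500 does not time out while idle
isakmp nat-traversal 20

! Phase 2: dynamic crypto map for clients with unknown source addresses
crypto ipsec transform-set RA-SET esp-3des esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set transform-set RA-SET
crypto map RA-MAP 10 ipsec-isakmp dynamic DYN-MAP
crypto map RA-MAP client configuration address respond
crypto map RA-MAP interface outside

! Pool and group for the remote-access clients (placeholder values)
ip local pool RA-POOL 10.20.30.1-10.20.30.50
vpngroup RA-GROUP address-pool RA-POOL
vpngroup RA-GROUP split-tunnel SPLIT-ACL
vpngroup RA-GROUP idle-time 1800
vpngroup RA-GROUP password ********
access-list SPLIT-ACL permit ip 192.168.20.0 255.255.255.0 10.20.30.0 255.255.255.0

! Do not translate traffic from the servers towards the client pool,
! and let decrypted IPsec traffic bypass the interface ACLs
access-list NONAT permit ip 192.168.20.0 255.255.255.0 10.20.30.0 255.255.255.0
nat (inside) 0 access-list NONAT
sysopt connection permit-ipsec

! ---- ASA 5510 (client side, ASA 7.x) ----
! Ordinary PAT of the LAN to the outside interface address; UDP 500 and
! UDP 4500 from inside to outside are allowed by the default security levels
nat (inside) 1 192.168.20.0 255.255.255.0
global (outside) 1 interface
! Optional: track ESP that belongs to an IKE exchange through PAT, for
! clients that do not end up negotiating NAT-T
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru
service-policy global_policy global
```

After a client connects, `show isakmp sa` and `show crypto ipsec sa` on the PIX should list the ASA's outside address as the peer, and the VPN Client's Statistics window should report transparent tunneling active on UDP port 4500. One caveat that matters for this thread: NAT-T only fixes how the encrypted packets cross the ASA. If the servers behind the PIX share an address range with the client's own LAN, the client's route for that range still points at the local interface rather than the tunnel, and the servers stay unreachable no matter what the firewalls do.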

haroon.shaikh

Thanks for the suggestion.

Actually, the problem lies in my customer's IP assignment. They have an IP range of 192.168.20.0/24 for the LAN. They have servers within this range.

Now, they want to create a disaster recovery setup. If the main servers are down for some reason, they want to make another Cisco VPN connection to the PIX and connect to secondary servers behind the PIX. The problem here is that the secondary servers have the same IP addresses as the primary servers. I understand that this is a very bad network design, but at this stage I cannot do anything else.
