Since installing ASA5505, some VPN clients cannot create tunnel

Unanswered Question
Jul 20th, 2007

Hi,

We installed an ASA5505 in a branch office. The ASA5505 is behind a DSL PPPoA Slipstream modem/router. This new branch office can create an IPsec tunnel with the central office to a PIX506e. The problem: some remote client VPNs using cable/DSL cannot create a tunnel to the 506e anymore since the ASA5505 was installed in the branch office. The client VPNs can now establish a tunnel using dial-up, but are not able to create a tunnel using their cable/DSL service. Any suggestions? I have been told that the ASA5505 works with PPPoE and not PPPoA, yet the IPsec tunnel is established using PPPoA.

saidfrh Fri, 07/20/2007 - 01:40

One DSL remote user used to be able to VPN to the 506e before. We activated packet debugging on the Cisco 2600 series perimeter router. Packet debugging does not capture the public IP of the above user when she attempts to VPN to the 506e. The problem started when installing an ASA5505 behind a PPPoA DSL router in a new branch office. Any suggestions would be appreciated.

acomiskey Fri, 07/20/2007 - 04:46

Depending upon version try...

isakmp nat-traversal

or

crypto isakmp nat-traversal

saidfrh Fri, 07/20/2007 - 05:16

What is the reason for the isakmp nat-traversal or crypto isakmp nat-traversal commands?

Is the above command to be added to the ASA5505, the 2600 perimeter router, or the PIX 506e?

Thanks.

acomiskey Fri, 07/20/2007 - 05:39

Sorry, should have explained further. That command would go in the 506e if you don't have it already. It allows vpn clients to connect using nat-/pat which allows them to connect behind nat/pat devices. The fact they can connect via dialup but not from cable/dsl is a good indication this may be the problem.
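The NAT detection step that NAT traversal relies on (RFC 3947), shown as an added example that is not part of the original thread: each IKE peer sends NAT-D hashes of the addresses it believes are in use, and the receiver compares them with what it sees on the wire. The function names, cookies and addresses (documentation ranges) are constructed for illustration.

```python
import hashlib
import ipaddress
import struct

def nat_d_hash(cky_i, cky_r, ip, port, algo="sha1"):
    """RFC 3947 NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port)."""
    packed_ip = ipaddress.ip_address(ip).packed        # 4 bytes for IPv4
    data = cky_i + cky_r + packed_ip + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()

def detect_nat(cky_i, cky_r, natd_dst, natd_src, seen_src, local_dst):
    """Headend-side check of the two NAT-D payloads sent by a client.

    natd_dst: hash the client computed over the address it sent to
    natd_src: hash the client computed over its own address
    seen_src / local_dst: (ip, port) as the headend observes them
    """
    peer_nat = natd_src != nat_d_hash(cky_i, cky_r, *seen_src)
    local_nat = natd_dst != nat_d_hash(cky_i, cky_r, *local_dst)
    return {"peer_behind_nat": peer_nat,
            "local_behind_nat": local_nat,
            # If either side is translated, IKE and ESP move to UDP 4500.
            "float_to_udp_4500": peer_nat or local_nat}

def simulate(client_addr, wire_src, headend_addr):
    """Client builds NAT-D payloads from its own view; headend checks them."""
    cky_i, cky_r = bytes(range(8)), bytes(range(8, 16))  # constructed cookies
    natd_dst = nat_d_hash(cky_i, cky_r, *headend_addr)
    natd_src = nat_d_hash(cky_i, cky_r, *client_addr)
    return detect_nat(cky_i, cky_r, natd_dst, natd_src, wire_src, headend_addr)

HEADEND = ("198.51.100.1", 500)                          # constructed headend

# Dial-up client: holds its public address itself, nothing is rewritten.
dialup = simulate(("203.0.113.77", 500), ("203.0.113.77", 500), HEADEND)

# Cable/DSL client: private address, home router PATs it to a public one.
dsl = simulate(("192.168.1.10", 500), ("203.0.113.25", 1024), HEADEND)

if __name__ == "__main__":
    print("dial-up  :", dialup)
    print("cable/DSL:", dsl)
```

Without the UDP 4500 encapsulation, ESP carries no port numbers for a PAT device to rewrite, which is why a client behind a home router can behave differently from the same client on dial-up.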

saidfrh Fri, 07/20/2007 - 06:07

VPN clients were able to connect to the 506e with their DSL/cable service prior to the ASA5505 setup in a new branch office. Some DSL/cable VPN clients are no longer able to connect to the 506e after ASA5505 is able to VPN to 506e. In one instance, packet debugging does not show that one VPN client DSL user's public IP is attempting to enter the perimeter router. All the problems started after initializing the ASA5505.

saidfrh Fri, 07/20/2007 - 07:15

Private addresses on remote user clients which are different from the private IP of Central Office are able to VPN to 506e. Public IPs and same private network IPs as Central Office are not allowed in. Do you know of a way to work around the above? Add access lists?

saidfrh Fri, 07/20/2007 - 13:25

After removing isakmp nat-traversal from the config of the 506e, remote Client users can now VPN to the network. Problem solved. I have been told otherwise, that the command is needed.
