EasyVPN server-client, server-side-initiated traffic won't work

Unanswered Question
Oct 21st, 2007

Hi


I've configured an ASA5510 as a central Easy VPN server. A home office user has an ASA5505 that is configured as a VPN client (the vpnclient commands). The tunnel works great, but there is an application that initiates TCP sessions from the hub LAN destined for the computer at home, behind the ASA5505 VPN client. This traffic won't work, and now I am uncertain: should this work or not?


Topology: Central net: 172.17.1.0/24 and a few other 172.17.x.y nets

Home net: 172.18.8.0/28 (central ASA config prepared for more future home networks in the 172.18.8.0/24 range)


Relevant server-side configuration:

access-list Inside_nat0_outbound extended permit ip object-group Internal-network 172.17.8.0 255.255.255.0
access-list VPN5005_split_tunnel extended permit ip object-group Internal-network 172.17.8.0 255.255.255.0

nat (inside) 0 access-list Inside_nat0_outbound

crypto ipsec transform-set tset_VPN5005 esp-aes esp-sha-hmac
crypto dynamic-map dmap_VPN5005 5 set transform-set tset_VPN5005
crypto map Outside_map 100 ipsec-isakmp dynamic dmap_VPN5005

crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400

group-policy gp_VPN5005 internal
group-policy gp_VPN5005 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN5005_split_tunnel
 nem enable

username VPN5005_user1 password password

tunnel-group tg_VPN5005 type ipsec-ra
tunnel-group tg_VPN5005 general-attributes
 default-group-policy gp_VPN5005
tunnel-group tg_VPN5005 ipsec-attributes
 pre-shared-key djhkj334kjhdkj3222



Home-side configuration:

interface Vlan1
 nameif inside
 security-level 100
 ip address 172.17.8.1 255.255.255.240

interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

vpnclient server x.x.x.x
vpnclient mode network-extension-mode
vpnclient vpngroup tg_VPN5005 password djhkj334kjhdkj3222
vpnclient username VPN5005_user1 password password
vpnclient enable




So, a user behind the 5505 has IP 172.17.8.10. The computer has full connectivity to all central servers on the 172.17.1.0 net. However, a server needs to initiate a TCP session to 172.17.8.10 and it won't work. Should it work? Or do we need a solution with a LAN-to-LAN tunnel with a static IP at home to get this thing working?


Thanks for all feedback!


/Jimmy
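Added example, not part of the post above: a small Python checker that parses the two server-side access-lists quoted in the question (the NAT-exemption list bound with `nat (inside) 0` and the split-tunnel list) and reports whether a hub-initiated flow to a given home host falls under both. The post does not show what the `Internal-network` object-group contains, so the group body in the sample config is an assumption, as is the hub server address 172.17.1.5. The post's prose describes the home net as 172.18.8.0/28 while the quoted ACLs reference 172.17.8.0/24, so the second call in the usage section illustrates how such an address mismatch would surface: the flow would be neither exempted from NAT nor included in the split-tunnel list, and hub-initiated traffic would be PATed rather than sent down the tunnel. The script only evaluates the server-side ACLs; it says nothing about tunnel state or the client-side NAT rules.

```python
import ipaddress
import re

# Constructed sample configuration. The two access-list lines are the ones quoted
# in the post; the object-group body is an ASSUMPTION, because the post does not
# show what "Internal-network" contains.
SAMPLE_CONFIG = """\
object-group network Internal-network
 network-object 172.17.1.0 255.255.255.0
 network-object 172.17.2.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip object-group Internal-network 172.17.8.0 255.255.255.0
access-list VPN5005_split_tunnel extended permit ip object-group Internal-network 172.17.8.0 255.255.255.0
"""


def parse_object_groups(config):
    """Return {group_name: [IPv4Network, ...]} for 'object-group network' blocks."""
    groups = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
            continue
        m = re.match(r"\s+network-object (\S+) (\S+)", line)
        if m and current is not None:
            if m.group(1) == "host":
                current.append(ipaddress.ip_network(m.group(2)))
            else:
                # "network-object A.B.C.D MASK" -> A.B.C.D/MASK
                current.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif not line.startswith(" "):
            current = None  # left the indented group body
    return groups


def _endpoint(tokens, i, groups):
    """Parse one ACE endpoint starting at tokens[i]; return (networks, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok == "host":
        return [ipaddress.ip_network(tokens[i + 1])], i + 2
    if tok == "object-group":
        return groups[tokens[i + 1]], i + 2
    # Plain "A.B.C.D MASK" pair
    return [ipaddress.ip_network(f"{tok}/{tokens[i + 1]}")], i + 2


def parse_acl(config, name, groups):
    """Return [(action, src_nets, dst_nets)] for the extended ACEs of access-list <name>."""
    aces = []
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 7 or tokens[0] != "access-list" or tokens[1] != name:
            continue
        if tokens[2] != "extended":
            continue
        action = tokens[3]  # permit / deny; tokens[4] is the protocol keyword
        src, i = _endpoint(tokens, 5, groups)
        dst, _ = _endpoint(tokens, i, groups)
        aces.append((action, src, dst))
    return aces


def acl_matches(aces, src_ip, dst_ip):
    """First-match semantics: True if the first ACE covering src->dst is a permit."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_nets, dst_nets in aces:
        if any(s in n for n in src_nets) and any(d in n for n in dst_nets):
            return action == "permit"
    return False


def check_hub_to_spoke(config, hub_host, spoke_host):
    """For a hub-initiated flow hub_host -> spoke_host, report whether the
    server-side NAT-exemption ACL and the split-tunnel ACL both cover it."""
    groups = parse_object_groups(config)
    nat0 = parse_acl(config, "Inside_nat0_outbound", groups)
    split = parse_acl(config, "VPN5005_split_tunnel", groups)
    return {
        "nat_exempt": acl_matches(nat0, hub_host, spoke_host),
        "split_tunnel": acl_matches(split, hub_host, spoke_host),
    }


if __name__ == "__main__":
    # Home host as given in the post (172.17.8.10) and the 172.18.8.x address
    # the prose mentions; hub server 172.17.1.5 is a constructed value.
    print(check_hub_to_spoke(SAMPLE_CONFIG, "172.17.1.5", "172.17.8.10"))
    print(check_hub_to_spoke(SAMPLE_CONFIG, "172.17.1.5", "172.18.8.10"))
```

Both lists are evaluated with the hub server as the source and the home host as the destination, which is the direction the `nat (inside) 0` exemption is consulted in for traffic leaving the hub's inside interface. A `False` in either column is the first thing to rule out before suspecting the tunnel itself or the client-side configuration.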

