Easy VPN server-client, server-side-initiated traffic won't work

Unanswered Question
Oct 21st, 2007

Hi

I've configured an ASA5510 as a central Easy VPN server. A home office user has an ASA5505 that is configured as a VPN client (the vpnclient commands). The tunnel works great, but there is an application that initiates TCP sessions from the hub LAN destined for the computer at home, behind the ASA5505 VPN client, and this traffic won't work. Now I am uncertain: should this work or not?

Topology: Central net: 172.17.1.0/24 and a few other 172.17.x.y nets

Home net: 172.18.8.0/28 (central ASA config prepared for more future home networks in the 172.18.8.0/24 range)

Relevant server-side configuration:

access-list Inside_nat0_outbound extended permit ip object-group Internal-network 172.17.8.0 255.255.255.0
access-list VPN5005_split_tunnel extended permit ip object-group Internal-network 172.17.8.0 255.255.255.0
nat (inside) 0 access-list Inside_nat0_outbound
crypto ipsec transform-set tset_VPN5005 esp-aes esp-sha-hmac
crypto dynamic-map dmap_VPN5005 5 set transform-set tset_VPN5005
crypto map Outside_map 100 ipsec-isakmp dynamic dmap_VPN5005
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
group-policy gp_VPN5005 internal
group-policy gp_VPN5005 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN5005_split_tunnel
 nem enable
username VPN5005_user1 password password
tunnel-group tg_VPN5005 type ipsec-ra
tunnel-group tg_VPN5005 general-attributes
 default-group-policy gp_VPN5005
tunnel-group tg_VPN5005 ipsec-attributes
 pre-shared-key djhkj334kjhdkj3222

Home-side configuration:

interface Vlan1
 nameif inside
 security-level 100
 ip address 172.17.8.1 255.255.255.240
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
vpnclient server x.x.x.x
vpnclient mode network-extension-mode
vpnclient vpngroup tg_VPN5005 password djhkj334kjhdkj3222
vpnclient username VPN5005_user1 password password
vpnclient enable

So, a user behind the 5505 has IP 172.17.8.10. The computer has full connectivity to all central servers on the 172.17.1.0 net. However, a server needs to initiate a TCP session to 172.17.8.10 and it won't work. Should it work? Or do we need a solution with a LAN-to-LAN tunnel with a static IP at home to get this thing working?

Thanks for all feedback!

/Jimmy
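A small checker, added here and not part of Jimmy's post, that parses the hub-side ACL lines quoted above and reports whether a hub-initiated flow to a given home address is NAT-exempt and inside the split-tunnel list (both must hold for the ASA to put the flow into the tunnel). It assumes the object-group Internal-network contains 172.17.1.0/24, since the group's definition is not on the page.

```python
import ipaddress
import re

# Hub-side ACLs copied from the post. object-group Internal-network is not shown on
# the page, so its membership (172.17.1.0/24) is an assumption from the topology text.
OBJECT_GROUPS = {"Internal-network": ["172.17.1.0/24"]}

HUB_ACLS = """
access-list Inside_nat0_outbound extended permit ip object-group Internal-network 172.17.8.0 255.255.255.0
access-list VPN5005_split_tunnel extended permit ip object-group Internal-network 172.17.8.0 255.255.255.0
"""

# Only the "permit ip <src> <dst>" ACE shape used on this page is parsed.
ACE_RE = re.compile(
    r"access-list (\S+) extended permit ip "
    r"(object-group \S+|\S+ \S+) (object-group \S+|\S+ \S+)$"
)

def _expand(token):
    """Turn an ACE address token into a list of ip_network objects."""
    if token.startswith("object-group "):
        return [ipaddress.ip_network(n) for n in OBJECT_GROUPS[token.split()[1]]]
    addr, mask = token.split()
    return [ipaddress.ip_network(f"{addr}/{mask}")]  # dotted mask is accepted

def parse_acls(text):
    """Map ACL name -> list of (source networks, destination networks)."""
    acls = {}
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, src, dst = m.groups()
            acls.setdefault(name, []).append((_expand(src), _expand(dst)))
    return acls

def flow_matches(acl, src_ip, dst_ip):
    """True if any ACE in the ACL covers the src -> dst pair."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(any(s in n for n in srcs) and any(d in n for n in dsts)
               for srcs, dsts in acl)

def check_hub_to_spoke(acls, server_ip, client_ip):
    """Is a hub-initiated flow exempt from NAT and listed for the tunnel?"""
    nat0 = flow_matches(acls["Inside_nat0_outbound"], server_ip, client_ip)
    split = flow_matches(acls["VPN5005_split_tunnel"], server_ip, client_ip)
    return {"nat_exempt": nat0, "split_tunnel": split, "tunneled": nat0 and split}

if __name__ == "__main__":
    acls = parse_acls(HUB_ACLS)
    print(check_hub_to_spoke(acls, "172.17.1.5", "172.17.8.10"))
```

The same check against an address in the 172.18.8.0/28 range named in the topology description returns False for both lists, so the documented home network and the configured ACL networks are worth reconciling against the running config before looking at the tunnel itself.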
