Hosts on corporate network unable to connect to VPN client

May 15th, 2008

I've got an ASA 5505 set up as an IPSec-VPN server. The VPN client is able to connect okay and can initiate TCP sessions with hosts on the corporate network. But those hosts cannot initiate TCP sessions with the client; the ASA rejects their packets instead of sending them through the encrypted tunnel.


This sounds like a firewall configuration problem. But the ASA is not set up to firewall VPN connections at all, as far as I can tell.


Can anyone explain what's wrong or where I should look?


Alan,


I would check to see if the VPN client has "Stateful Firewall (always on)" enabled, as this will not allow any "inbound connections" not initiated by the client.


I would also check your no-nat rules, and make sure you have your "internal IP subnets" exempt from NATting to the VPN subnet.


HTH.

AlanStern79 Mon, 05/19/2008 - 08:25

Thanks for the feedback.


The client is a Mac running OS X. Firewalling is turned off; there's no trouble connecting to the client when it is plugged directly into the corporate network.


The "no-nat" rules on the 5505 look like this:


access-list inside_nat0_outbound extended permit ip any 10.170.30.0 255.255.255.0


nat (inside) 0 access-list inside_nat0_outbound


Here 10.170.30.0/24 is the IP pool dedicated to the VPN. There are no other NAT-related lines in the 5505's configuration.
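The reply above asks whether the internal subnets are exempt from NAT toward the VPN pool, and the two lines quoted above are the poster's NAT-exemption config. The following is an added example, not code from the thread: a small checker that parses the ASA 8.0-era `nat (iface) 0 access-list` form (only `extended permit|deny ip` entries with `any`, `host A` or `NET MASK` address specs are modelled) and answers, for a given inside host and VPN client address, whether that pair is covered by a permit entry in the NAT-exemption ACL. It assumes, as the ASA documents for NAT exemption, that `nat 0 access-list` is bidirectional, so a hit means the inside host may initiate toward the client without being translated. `POSTED_CONFIG` reproduces the two lines from the post; `STALE_CONFIG` is a constructed variant in which the pool has been moved to 10.170.31.0/24 while the ACL still names the old subnet, the kind of mismatch the reply is suggesting to look for. The 192.168.1.0/24 inside subnet is a placeholder; the thread does not say what the corporate subnet is.

```python
import ipaddress
import re

# Constructed sample inputs. POSTED_CONFIG is the pair of lines quoted in the
# post; STALE_CONFIG is a hypothetical mismatch (pool moved, ACL not updated).
POSTED_CONFIG = """
access-list inside_nat0_outbound extended permit ip any 10.170.30.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

STALE_CONFIG = """
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.170.30.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) ip (.+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


def _parse_addr(tokens):
    """Consume one ASA address spec (any | host A | NET MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # NET MASK form; ip_network accepts a dotted netmask after the slash
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Return ({acl_name: [(action, src_net, dst_net), ...]}, {iface: acl_name})."""
    acls, nat0 = {}, {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            name, action, rest = m.groups()
            src, rest_tokens = _parse_addr(rest.split())
            dst, _ = _parse_addr(rest_tokens)
            acls.setdefault(name, []).append((action, src, dst))
            continue
        m = NAT0_RE.match(line)
        if m:
            iface, name = m.groups()
            nat0[iface] = name
    return acls, nat0


def _nat0_acl(config_text, iface):
    acls, nat0 = parse_config(config_text)
    return acls.get(nat0.get(iface, ""), [])


def is_nat_exempt(config_text, inside_host, vpn_client, iface="inside"):
    """True if inside_host <-> vpn_client hits a permit ACE in the nat 0 ACL.

    ASA ACLs are first-match, so the first ACE covering the pair decides.
    NAT exemption is bidirectional, so one hit covers connections initiated
    from either side (assumption stated in the lead-in).
    """
    h = ipaddress.ip_address(inside_host)
    c = ipaddress.ip_address(vpn_client)
    for action, src, dst in _nat0_acl(config_text, iface):
        if h in src and c in dst:
            return action == "permit"
    return False


def pool_fully_exempt(config_text, inside_net, pool, iface="inside"):
    """True if a single permit ACE covers all of inside_net -> pool.

    Partial overlaps across several ACEs are not modelled; a pool that is only
    partly covered is reported as not exempt, which is the safe answer.
    """
    inside_net = ipaddress.ip_network(inside_net)
    pool = ipaddress.ip_network(pool)
    for action, src, dst in _nat0_acl(config_text, iface):
        if inside_net.subnet_of(src) and pool.subnet_of(dst):
            return action == "permit"
    return False


if __name__ == "__main__":
    for label, cfg, pool in (("posted", POSTED_CONFIG, "10.170.30.0/24"),
                             ("stale", STALE_CONFIG, "10.170.31.0/24")):
        print(f"{label}: inside 192.168.1.0/24 -> pool {pool} fully exempt:",
              pool_fully_exempt(cfg, "192.168.1.0/24", pool))
```

With the posted lines, `pool_fully_exempt(POSTED_CONFIG, "192.168.1.0/24", "10.170.30.0/24")` is true for any inside subnet, since the source is `any`; the stale variant reports false for a client drawn from the moved pool, which is the symptom the reply's second suggestion is meant to catch. The checker says nothing about interface ACLs or a VPN filter, which are separate from NAT and not shown in the thread.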
