Hosts on corporate network unable to connect to VPN client

AlanStern79
Level 1

I've got an ASA 5505 set up as an IPSec-VPN server. The VPN client is able to connect okay and can initiate TCP sessions with hosts on the corporate network. But those hosts cannot initiate TCP sessions with the client; the ASA rejects their packets instead of sending them through the encrypted tunnel.

This sounds like a firewall configuration problem. But the ASA is not set up to firewall VPN connections at all, as far as I can tell.

Can anyone explain what's wrong or where I should look?

2 Replies

andrew.prince
Level 10

Alan,

I would check to see if the VPN client has "Stateful Firewall (Always On)" enabled, as this will not allow any "inbound connections" not initiated by the client.

I would also check your no-NAT rules, and make sure you have your "internal IP subnets" exempt from NATting to the VPN subnet.

HTH.

Thanks for the feedback.

The client is a Mac running OS X. Firewalling is turned off; there's no trouble connecting to the client when it is plugged directly into the corporate network.

The "no-nat" rules on the 5505 look like this:

access-list inside_nat0_outbound extended permit ip any 10.170.30.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

Here 10.170.30.0/24 is the IP pool dedicated to the VPN. There are no other NAT-related lines in the 5505's configuration.
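As an added example (not code from this thread, from Cisco, or from either poster), the following Python script parses the two NAT-exemption lines quoted above and answers the question andrew.prince raised: for a given inside host and VPN client address, does the `nat (inside) 0 access-list` rule exempt the pair from translation? On ASA 8.2-style configs this NAT exemption is bidirectional, so the script checks the ACE in both directions. Alongside the posted lines it includes a constructed "narrow" variant, where the exemption names only one inside subnet, to show how a host on a second subnet would fall outside it. The config strings, the host addresses and the helper names are all assumptions for illustration.

```python
"""Check ASA 8.2-style NAT exemption (nat (ifc) 0 access-list NAME) for a
host pair.  Added example; config text and addresses are constructed."""
import ipaddress
import re

# Lines as posted in the thread (VPN pool 10.170.30.0/24, exemption for 'any').
POSTED_CONFIG = """
access-list inside_nat0_outbound extended permit ip any 10.170.30.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

# Constructed counter-example: the exemption covers only 192.168.1.0/24, so an
# inside host on another subnet would still be translated toward the VPN pool
# instead of reaching the client with its real address.
NARROW_CONFIG = """
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.170.30.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$")
NAT0_RE = re.compile(r"^nat\s+\(([^)]+)\)\s+0\s+access-list\s+(\S+)\s*$")


def _parse_addr(tokens):
    """Consume one ASA address spec ('any', 'host A.B.C.D', or 'A.B.C.D MASK')
    from the token list; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ip_network accepts dotted netmask form; strict=False tolerates host bits.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Return (acls, nat0): acls maps ACL name -> ordered list of
    (action, protocol, src_net, dst_net); nat0 maps interface -> ACL name.
    Port qualifiers after the destination are ignored (fine for 'ip' ACEs)."""
    acls, nat0 = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            name, action, proto, rest = m.groups()
            src, rest_tokens = _parse_addr(rest.split())
            dst, _ = _parse_addr(rest_tokens)
            acls.setdefault(name, []).append((action, proto, src, dst))
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0[m.group(1)] = m.group(2)
    return acls, nat0


def nat_exempt(acls, nat0, interface, inside_host, vpn_client):
    """True if the first ACE matching the pair (in either direction) in the
    nat 0 ACL bound to `interface` is a permit.  The reverse match is what
    lets a connection the inside host initiates toward the client stay
    untranslated; ACL evaluation is first-match, top down."""
    name = nat0.get(interface)
    if name is None or name not in acls:
        return False
    h = ipaddress.ip_address(inside_host)
    c = ipaddress.ip_address(vpn_client)
    for action, _proto, src, dst in acls[name]:
        forward = h in src and c in dst
        reverse = c in src and h in dst
        if forward or reverse:
            return action == "permit"
    return False


def check_pair(config_text, interface, inside_host, vpn_client):
    """Convenience wrapper: parse the config and evaluate one host pair."""
    acls, nat0 = parse_config(config_text)
    return nat_exempt(acls, nat0, interface, inside_host, vpn_client)


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("narrow", NARROW_CONFIG)):
        for host in ("192.168.1.10", "192.168.2.10"):
            ok = check_pair(cfg, "inside", host, "10.170.30.5")
            print(f"{label:6} inside host {host} <-> VPN client 10.170.30.5: "
                  f"{'exempt' if ok else 'NOT exempt'}")
```

With the lines as posted, every inside host is exempt, which matches the thread: the no-NAT rule is not what is blocking inside-to-client connections. The narrow variant shows the failure mode the second suggestion was aimed at. On the ASA itself, the authoritative version of this check is `packet-tracer input inside tcp <inside-host> <port> <vpn-client> <port>`, which walks the packet through the NAT and VPN phases and reports where it is dropped.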
