Cisco VPN Client One Way Traffic

Unanswered Question
Jul 17th, 2008

Greetings, I'm having problems with Remote Access Connections to a Cisco ASA 5510 v8.0.3(19). I have set up the required connection profile, transform set, crypto map and split tunnel ACL, specified traffic to be exempt from NAT and enabled NAT-T.

I can successfully establish a VPN connection and can ping the inside address of the firewall but nothing within the internal subnet beyond the firewall.

I've read several technotes on Cisco that suggest NAT-T issues and not specifying protected traffic, but I can't seem to pinpoint an issue. I have also tried several versions of the Cisco VPN Client.

Any suggestions would be much appreciated.

Regards

JORGE RODRIGUEZ Thu, 07/17/2008 - 16:07

The problem could be ACLs; double check your NAT exempt access list. Could you provide a sanitized ASA config?

Rgds

Jorge

exonetinf1nity Fri, 07/18/2008 - 15:57

Please find the config below. I've also had a look at the logs, which don't show any hits against the split tunnel ACL.

: Saved
:
ASA Version 8.0(3)19
!
hostname it-fw-5510
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address ***.***.***.*** 255.255.255.240
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.997
 vlan 997
 nameif demo
 security-level 100
 ip address 172.27.255.1 255.255.255.0
!
interface Ethernet0/1.998
 vlan 998
 nameif guest
 security-level 25
 ip address 172.30.255.1 255.255.255.0
!
interface Ethernet0/2
 speed 100
 duplex full
 nameif access
 security-level 100
 ip address 172.29.255.1 255.255.255.0
!
interface Ethernet0/3
 speed 100
 duplex full
 nameif voice
 security-level 100
 ip address 172.28.255.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.255.1 255.255.255.0
 management-only
!
same-security-traffic permit inter-interface
access-list ITTelco_Rmt_splitTunnelAcl standard permit 172.29.255.0 255.255.255.0
access-list exempt_nat0_outbound extended permit ip 172.24.0.0 255.248.0.0 172.24.0.0 255.248.0.0
nat-control
global (outside) 1 interface
global (outside) 2 guestoutbound
nat (demo) 0 access-list exempt_nat0_outbound
nat (guest) 2 172.30.255.0 255.255.255.0
nat (access) 0 access-list exempt_nat0_outbound
nat (access) 1 172.29.255.0 255.255.255.0
nat (voice) 0 access-list exempt_nat0_outbound
nat (voice) 1 172.28.255.0 255.255.255.0
access-group outside_access_in in interface outside
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign local
group-policy ITTelco_Rmt internal
group-policy ITTelco_Rmt attributes
 wins-server value 172.29.255.25
 dns-server value 172.29.255.25
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ITTelco_Rmt_splitTunnelAcl
 default-domain value
tunnel-group ITTelco_Rmt type remote-access
tunnel-group ITTelco_Rmt general-attributes
 authentication-server-group LDAP
 default-group-policy ITTelco_Rmt
 dhcp-server it-bir-fap-int
tunnel-group ITTelco_Rmt ipsec-attributes
 pre-shared-key *
!

exonetinf1nity Sun, 07/20/2008 - 14:45

The issue has been resolved by enabling proxy ARP on the inside interface. Very puzzled by this one, but all working again :)
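The thread ends with proxy ARP on the inside interface as the fix, which points at the return path from the inside host back to the VPN client rather than at the tunnel itself. The script below is an added example, not code from the thread or from Cisco: it parses the relevant lines of the posted config (embedded here as a constructed excerpt) and checks the three things that decide whether an inside host can answer a VPN client: the split-tunnel ACL covers the target, the nat 0 exemption on the inside interface matches the inside-host-to-client flow, and whether the client address lies inside the connected subnet, in which case the inside host ARPs for it and the ASA must proxy-ARP. The client addresses 172.29.255.200 and 10.10.10.5 are constructed; the thread never states which range the DHCP server hands to clients, so treating the pool as part of the 172.29.255.0/24 access subnet is an assumption made to show why proxy ARP would matter.

```python
import ipaddress
import re

# Constructed excerpt of the ASA config posted in the thread; only the lines
# that decide whether inside hosts can reach a remote-access VPN client.
ASA_CONFIG = """\
interface Ethernet0/2
 nameif access
 security-level 100
 ip address 172.29.255.1 255.255.255.0
interface Ethernet0/3
 nameif voice
 security-level 100
 ip address 172.28.255.1 255.255.255.0
access-list ITTelco_Rmt_splitTunnelAcl standard permit 172.29.255.0 255.255.255.0
access-list exempt_nat0_outbound extended permit ip 172.24.0.0 255.248.0.0 172.24.0.0 255.248.0.0
nat (access) 0 access-list exempt_nat0_outbound
nat (access) 1 172.29.255.0 255.255.255.0
nat (voice) 0 access-list exempt_nat0_outbound
"""

STD_ACL = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)$", re.M)
EXT_ACL = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
NAT0 = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$", re.M)


def net(addr, mask):
    """Build a network object from ASA's 'address netmask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(config):
    """Collect standard ACLs, extended ip ACLs, interface subnets and nat 0 bindings."""
    std = {}
    for name, addr, mask in STD_ACL.findall(config):
        std.setdefault(name, []).append(net(addr, mask))
    ext = {}
    for name, sa, sm, da, dm in EXT_ACL.findall(config):
        ext.setdefault(name, []).append((net(sa, sm), net(da, dm)))
    # Walk interface blocks: nameif and ip address are indented sub-commands.
    ifaces, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = {}
        elif cur is not None and line.startswith(" nameif "):
            cur["name"] = line.split()[1]
        elif cur is not None and line.startswith(" ip address "):
            _, _, addr, mask = line.split()
            ifaces[cur.get("name", "?")] = net(addr, mask)
    nat0 = dict(NAT0.findall(config))   # interface -> nat 0 ACL name
    return {"std": std, "ext": ext, "ifaces": ifaces, "nat0": nat0}


def check_return_path(config, client_ip, target_ip, split_acl):
    """Explain why inside host target_ip may not answer VPN client client_ip."""
    cfg = parse_config(config)
    client, target = ipaddress.ip_address(client_ip), ipaddress.ip_address(target_ip)
    inside = next((n for n, network in cfg["ifaces"].items() if target in network), None)
    result = {"inside_interface": inside}
    # 1. Split tunnelling: the client only sends traffic for listed networks
    #    through the tunnel, so the target must be in the split-tunnel ACL.
    result["split_tunnel_covers_target"] = any(target in n for n in cfg["std"].get(split_acl, []))
    # 2. NAT exemption on the inside interface: the inside-host -> client flow
    #    must match a nat 0 ACL entry, otherwise the reply is NATed and never
    #    matches the IPsec SA for the client.
    exempt = cfg["ext"].get(cfg["nat0"].get(inside, ""), [])
    result["nat_exempt_covers_flow"] = any(target in src and client in dst for src, dst in exempt)
    # 3. Client address inside the connected subnet (assumption about the DHCP
    #    pool): the inside host ARPs for the client instead of routing to the
    #    ASA, so the ASA must proxy-ARP on that interface, the fix in the thread.
    result["proxy_arp_needed"] = inside is not None and client in cfg["ifaces"][inside]
    return result


if __name__ == "__main__":
    # Constructed client address assumed to come from the access subnet.
    print(check_return_path(ASA_CONFIG, "172.29.255.200", "172.29.255.25",
                            "ITTelco_Rmt_splitTunnelAcl"))
```

With the constructed pool address, all three checks come back true: the ACLs already cover the flow, and the only missing piece is the ARP answer on the access interface, which matches the resolution posted above. A client address outside the 172.24.0.0/13 range would instead fail the nat 0 check, which is the case Jorge's reply asked about.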
