Definitely in need of some expert help on this one...
Attempting to set up VPN client access on an ASA 5520 that has been used only as a
firewall until now. The ASA was recently updated to Version 7.2(4).
Problem: Once connected, the VPN client cannot access anything. VPN client cannot
ping any address on internal networks, or even the inside interface of the ASA.
(hopefully) Relevant Details:
1) The tunnel appears to be up. The clients are locally authenticated by the ASA and
are able to connect.
2) Per many other related posts, I ran a "sh crypto ipsec sa" to see the output: it
appears that packets are being decapsulated and decrypted, but NOT encapsulated or
encrypted (see output of "sh crypto ipsec sa" attached).
3) Per other related posts, we have added commands related to NAT reversal
(crypto isakmp nat-traversal 20 and crypto isakmp ipsec-over-tcp port 10000).
These were in fact missing from our
4) We have tried both TCP encapsulation and UDP encapsulation with experimental client
profiles: same result in both cases.
5) If I (attempt to) ping an internal IP address from the connected client, the
realtime ASA log entries show the setup and teardown of the ICMP requests from the
client to the internal target.
6) Packet capture on the internal address (the one we are attempting to ping from the
VPN client) shows that the ICMP request was received and answered. (See attached
7) Our objective is to create about 10 different VPN client profiles, each with
different combinations of access to Internal VLANs or DMZ VLANs. We have no
preferences for encryption type or method so long as it is secure and it works. That
said, feel free to recommend a different approach entirely.
We've tried everything we can think of, so any help and/or advice would be greatly
Sanitized configuration of ASA is also attached.
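An added example, not part of the original post or its attachments: a small Python parser for the per-SA counters in ASA "show crypto ipsec sa" output that flags the pattern described in item 2 (decaps/decrypt climbing while encaps/encrypt stay at zero). That pattern means the ASA is receiving and decrypting the client's packets but never encrypting anything back into the tunnel, so the tunnel itself is fine and the return path inside the firewall (the route back to the VPN pool, NAT exemption for inside-to-pool traffic) is where to look. The sample output, the peer and pool addresses, the usernames and the crypto map name are constructed for the example and are not taken from the poster's attachment.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of ASA "show crypto ipsec sa" output (not the poster's
# attachment). Addresses, usernames and the crypto map name are assumed. The
# first SA mirrors the symptom in the post (decaps rising, encaps at zero);
# the second SA is healthy for contrast.
SAMPLE_SA_OUTPUT = """\
interface: outside
    Crypto map tag: outside_dyn_map, seq num: 10, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.100.5/255.255.255.255/0/0)
      current_peer: 198.51.100.7, username: vpnuser1
      dynamic allocated peer ip: 172.16.100.5

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 42, #pkts decrypt: 42, #pkts verify: 42
      #send errors: 0, #recv errors: 0

    Crypto map tag: outside_dyn_map, seq num: 10, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.100.6/255.255.255.255/0/0)
      current_peer: 198.51.100.9, username: vpnuser2
      dynamic allocated peer ip: 172.16.100.6

      #pkts encaps: 17, #pkts encrypt: 17, #pkts digest: 17
      #pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19
      #send errors: 0, #recv errors: 0
"""

# One regex per field of interest; the ASA prints counters on lines such as
# "#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0".
_FIELD_PATTERNS = {
    "peer": r"current_peer:\s*([^,\s]+)",
    "assigned_ip": r"dynamic allocated peer ip:\s*(\S+)",
    "encaps": r"#pkts encaps:\s*(\d+)",
    "decaps": r"#pkts decaps:\s*(\d+)",
    "send_errors": r"#send errors:\s*(\d+)",
    "recv_errors": r"#recv errors:\s*(\d+)",
}


@dataclass
class SaCounters:
    peer: str
    assigned_ip: Optional[str]
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int

    def verdict(self) -> str:
        """Classify the SA by the direction traffic is actually flowing."""
        if self.send_errors or self.recv_errors:
            return "errors"
        if self.encaps == 0 and self.decaps == 0:
            return "idle"
        if self.encaps == 0 and self.decaps > 0:
            # Client packets arrive and are decrypted, but nothing is ever
            # encrypted back towards the client: check the return path
            # (route to the pool, NAT exemption), not the IKE/IPsec setup.
            return "one-way"
        if self.decaps == 0 and self.encaps > 0:
            return "one-way-reverse"
        return "ok"


def parse_ipsec_sa(text: str) -> List[SaCounters]:
    """Split the command output into per-SA blocks and pull the counters."""
    sas = []
    # Each SA starts at its "Crypto map tag:" line; the lookahead keeps it.
    for block in re.split(r"(?=Crypto map tag:)", text):
        if "#pkts encaps" not in block:
            continue  # header text before the first SA
        fields = {}
        for name, pattern in _FIELD_PATTERNS.items():
            m = re.search(pattern, block)
            fields[name] = m.group(1) if m else None
        if fields["peer"] is None:
            continue
        sas.append(SaCounters(
            peer=fields["peer"],
            assigned_ip=fields["assigned_ip"],
            encaps=int(fields["encaps"] or 0),
            decaps=int(fields["decaps"] or 0),
            send_errors=int(fields["send_errors"] or 0),
            recv_errors=int(fields["recv_errors"] or 0),
        ))
    return sas


def one_way_sas(text: str) -> List[SaCounters]:
    """Return only the SAs showing the decaps-but-no-encaps pattern."""
    return [sa for sa in parse_ipsec_sa(text) if sa.verdict() == "one-way"]


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE_SA_OUTPUT):
        print(f"peer {sa.peer} (pool ip {sa.assigned_ip}): "
              f"encaps={sa.encaps} decaps={sa.decaps} -> {sa.verdict()}")
```

Paste the real command output in place of the constructed sample; an SA reported as "one-way" together with item 6 (the internal host answered the ping) narrows the fault to how the reply gets from the inside network back to the ASA and through NAT to the client pool.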
It should be the last step :)
ip route 172.16.100.0 255.255.255.0 172.16.20.2
and on ASA
no route inside 172.16.40.0 255.255.255.0 172.16.20.2