
VPN pass thru on Cisco ASA5510 could not work

donnie
Level 1

Hi all. I have 2 Cisco ASA5510s, 1 each for my 2 offices (A & B). I configured my office A ASA5510 with VPN pass thru as below.

policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru

My VPN client from office A could VPN into office B but could not access any resources. I set my VPN client in office A to be translated into a static public IP, which solves my problem. Another way to solve the problem is to implement NAT-T at office B. But I would like to know why my VPN pass thru config did not work. Please advise, thanks in advance.

2 Replies

singhsaju
Level 4

Hi,

Check that you are not using AH in the transform set for remote access, because inspect ipsec-pass-thru only allows ESP and not AH.

From the link below:

"All ESP data flows are permitted when a forward flow exists, and there is no limit on the maximum number of connections that can be allowed. AH is not permitted."

http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/i2_711.html#wp1631795

HTH

Saju

Please rate helpful posts

Hi Saju. Thank you for the info. But how do I check if AH is implemented in my transform set?

Below are my transform set statements. Thanks in advance.

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 200 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 220 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 240 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 260 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 280 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 300 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 320 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 340 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 360 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 380 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 400 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 420 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 440 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 460 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 480 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 500 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 520 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 540 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 560 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 580 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 600 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 620 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 640 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 660 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 680 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 700 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp reload-wait
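
An added example, not part of the original posts and not Cisco code: one way to answer the "is AH in my transform set?" question from a saved running-config is to list each transform set's keywords, flag any that start with `ah-`, and show which crypto map entries reference it. The sample config is constructed in the style of the statements above; the `AH-EXAMPLE` set and the NAT-T command pattern are assumptions made for illustration.

```python
import re

# Constructed sample in the style of the configuration posted above. AH-EXAMPLE is a
# hypothetical set using the IOS-style keyword ah-sha-hmac, added only for contrast.
SAMPLE = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AH-EXAMPLE ah-sha-hmac esp-3des
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set AH-EXAMPLE
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto isakmp enable outside
"""

TS_RE = re.compile(r"^crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)$")
REF_RE = re.compile(r"^crypto (?:dynamic-map|map) (\S+) (\d+) set (?:ikev1 )?transform-set (.+)$")
# Assumption: NAT-T appears as "crypto isakmp nat-traversal [keepalive]" (or the older
# "isakmp nat-traversal"); a leading "no" does not match because the pattern is anchored.
NATT_RE = re.compile(r"^(?:crypto )?isakmp nat-traversal\b")

def audit(config):
    """Parse transform sets, flag those containing AH, and map where each is used."""
    sets, refs, nat_t = {}, {}, False
    for raw in config.splitlines():
        line = raw.strip()
        if m := TS_RE.match(line):
            transforms = m.group(2).split()
            if transforms[0] != "mode":          # skip "... mode transport" lines
                sets[m.group(1)] = transforms
        elif m := REF_RE.match(line):
            for name in m.group(3).split():
                refs.setdefault(name, []).append(f"{m.group(1)} {m.group(2)}")
        elif NATT_RE.match(line):
            nat_t = True
    ah_sets = sorted(n for n, t in sets.items() if any(x.startswith("ah-") for x in t))
    return {"sets": sets, "ah_sets": ah_sets, "refs": refs,
            "undefined": sorted(set(refs) - set(sets)), "nat_traversal": nat_t}

def report(config):
    """Render the audit as one line per transform set plus the NAT-T state."""
    r = audit(config)
    out = []
    for name, transforms in r["sets"].items():
        verdict = "uses AH" if name in r["ah_sets"] else "ESP only"
        used = ", ".join(r["refs"].get(name, [])) or "not referenced"
        out.append(f"{name}: {' '.join(transforms)} -> {verdict}; used by {used}")
    out.append(f"NAT-T configured: {'yes' if r['nat_traversal'] else 'no'}")
    return "\n".join(out)

if __name__ == "__main__":
    print(report(SAMPLE))
```

Run against the statements posted above, the only transform set, `ESP-3DES-SHA`, contains just `esp-3des` and `esp-sha-hmac`, so it is reported as ESP only.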
