vpnclient and "public" private ip address

Unanswered Question
Oct 19th, 2009


I have a weird issue. Earlier today I created a tunnel to a vendor that uses "public" addresses (138.x.x.x) as a private address for me to tunnel to. All of this works except for a remote site that has a 5505 configured as a vpnclient. The tunnel-group that they connect to has a group-policy that forces all traffic over the tunnel. The vpnacl that's applied shows that it's allowing everything over the tunnel. NAT is disabled only by not having the global line in the config.

The problem is that the user tries to go to this address, but it doesn't seem to go over the tunnel. I created a capture file on my side (headend) and I don't see anything. Then I created a capture file on their side and I see it try to connect, but no success. Any ideas on how I can force this address through the tunnel so it can go out of my device like it should? I have hundreds of users that work fine, but it's the satellite offices that have these ASAs that don't. I've got same-security-traffic permit intra-interface configured on my headend 5520.



RicheeJJJ_2 Mon, 10/19/2009 - 12:58

When you say it doesn't seem to go over the tunnel, what are you seeing? Does the tunnel establish? Are there encaps? Decaps? Is ISAKMP phase 1 complete?

