Allow IPSec Traffic

Unanswered Question
Oct 28th, 2009

We are trying to establish a VPN connection using the Cisco VPN client on a laptop to a VPN concentrator in a remote office. All network devices are in the same private network. There is a Cisco ASA 5505 firewall sitting between the VPN client and the VPN concentrator. IPSec over TCP and IPSec over UDP work fine, but plain IPSec will not work: we are able to establish a connection with plain IPSec but can't access resources behind the VPN concentrator. I am attaching the config of the Cisco ASA firewall for your reference. Please let me know what I am missing.

Ivan Martinon (Cisco Employee) Wed, 10/28/2009 - 14:22

Try getting rid of the global defined in your config and disable nat-control. Also, just remember that IPsec pass-through is only applicable for one-to-one translations; since your static is in place, this should work OK. Try that and let us know.

dharmendra2shah Wed, 10/28/2009 - 14:36

I got rid of those 2 commands using:

no global (outside) 1 interface
no nat-control

But still the same problem.

Ivan Martinon (Cisco Employee) Wed, 10/28/2009 - 14:40

Please get the show service-policy output and the logs from when the client is trying to pass traffic.

dharmendra2shah Wed, 10/28/2009 - 14:45

Result of the command: "show service-policy"

Interface outside:
  Service-policy: test-udp-policy
    Class-map: test-udp-class
      Inspect: ipsec-pass-thru pol-type1, packet 42, drop 0, reset-drop 0

Result of the command: "show conn"

9 in use, 12 most used
AH outside inside, idle 0:11:52, bytes 0
ESP outside inside, idle 0:11:52, bytes 0
ESP outside inside, idle 0:01:01, bytes 12592
AH outside inside, idle 0:11:52, bytes 0
ESP outside inside, idle 0:11:52, bytes 0
UDP outside inside, idle 0:01:01, bytes 3431, flags -

dharmendra2shah Wed, 10/28/2009 - 14:49

No, I don't see any drops in the log. This problem is killing me. I thought it would be simple.

Ivan Martinon (Cisco Employee) Wed, 10/28/2009 - 14:50

Can you change the access-list to include IP rather than UDP?

Amadou TOURE Wed, 10/28/2009 - 19:30

Could you connect your laptop to the outside network and ensure that it works without passing through the ASA?

1. With no nat-control you don't need the static statement, so can you remove it as well? Second, if you keep the static identity, use NAT exemption instead (I have already experienced a problem related to that).
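The pieces the thread keeps circling back to (IPsec pass-through inspection, a one-to-one translation for the client, and an access-list that admits more than UDP) fit together as in the following configuration. This is an added example, not the original poster's attached config or any reply in the thread; it uses the pre-8.3 ASA syntax implied by "global (outside) 1 interface", reuses the class-map and policy-map names visible in the show service-policy output, and assumes a VPN client at 192.168.10.25 on the inside, a concentrator at 10.50.0.2 on the outside, and an inbound ACL named outside_access_in.

```cisco
! Assumed addresses: VPN client 192.168.10.25 (inside), concentrator 10.50.0.2 (outside).
! Pre-8.3 NAT syntax, matching the thread.

! Option A: keep the client one-to-one with an identity static, which is what
! ipsec-pass-thru inspection requires (no PAT for this host).
static (inside,outside) 192.168.10.25 192.168.10.25 netmask 255.255.255.255

! Option B (the last reply's suggestion): drop the static and use NAT exemption
! for the same host instead. Configure A or B, not both.
access-list nonat extended permit ip host 192.168.10.25 host 10.50.0.2
nat (inside) 0 access-list nonat

! Inbound ACL on outside. The thread suggests widening "udp" to "ip"; permitting
! esp and ah explicitly is the narrower equivalent for plain IPsec.
access-list outside_access_in extended permit udp host 10.50.0.2 host 192.168.10.25 eq 500
access-list outside_access_in extended permit esp host 10.50.0.2 host 192.168.10.25
access-list outside_access_in extended permit ah host 10.50.0.2 host 192.168.10.25
access-group outside_access_in in interface outside

! IPsec pass-through inspection: match IKE on UDP/500, then let the inspection
! open ESP/AH pinholes for the negotiated SAs. Names are those from the thread's
! show service-policy output.
class-map test-udp-class
 match port udp eq 500
policy-map type inspect ipsec-pass-thru pol-type1
 parameters
  esp per-client-max 10 timeout 0:10:00
  ah per-client-max 10 timeout 0:10:00
policy-map test-udp-policy
 class test-udp-class
  inspect ipsec-pass-thru pol-type1
service-policy test-udp-policy interface outside
```

After applying it, "show service-policy interface outside" should show the inspect counters incrementing while the client negotiates, and "show conn | include ESP" should list ESP entries with a non-zero byte count in the data-carrying direction, as in the show conn output posted above.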
