Allow IPSec Traffic

Unanswered Question
Oct 28th, 2009

We are trying to establish a VPN connection using the Cisco VPN Client on a laptop to a VPN concentrator in a remote office. All network devices are in the same private network. There is a Cisco ASA 5505 firewall sitting between the VPN client and the VPN concentrator. IPsec over TCP and IPsec over UDP work fine, but plain IPsec will not work. We are able to establish the connection with plain IPsec but can't access resources behind the VPN concentrator. I am attaching the config of the Cisco ASA firewall for your reference. Please let me know what I am missing.

Ivan Martinon Wed, 10/28/2009 - 14:22

Try getting rid of the global defined in your config and disable nat-control. Also, just remember that IPsec pass-through is only applicable to one-to-one translations; since your static is in place, this should work OK. Try that and let us know.

dharmendra2shah Wed, 10/28/2009 - 14:36

Imartino,

I got rid of those 2 commands using:

no global (outside) 1 interface

no nat-control

But still the same problem.

Ivan Martinon Wed, 10/28/2009 - 14:40

Please get the show service-policy output and the logs from when the client is trying to pass traffic.

dharmendra2shah Wed, 10/28/2009 - 14:45

Result of the command: "show service-policy"

Interface outside:
  Service-policy: test-udp-policy
    Class-map: test-udp-class
      Inspect: ipsec-pass-thru pol-type1, packet 42, drop 0, reset-drop 0

Result of the command: "show conn"

9 in use, 12 most used
AH outside 0.0.0.0 inside 0.0.0.0, idle 0:11:52, bytes 0
ESP outside 0.0.0.0 inside 0.0.0.0, idle 0:11:52, bytes 0
ESP outside 192.168.34.7 inside 10.47.200.5, idle 0:01:01, bytes 12592
AH outside 192.168.34.7 inside 10.47.200.5, idle 0:11:52, bytes 0
ESP outside 192.168.34.7 inside 10.47.200.5, idle 0:11:52, bytes 0
UDP outside 192.168.34.7:500 inside 10.47.200.5:500, idle 0:01:01, bytes 3431, flags -

dharmendra2shah Wed, 10/28/2009 - 14:49

No, I don't see any drops in the log. This problem is killing me. I thought it would be simple.

Amadou TOURE Wed, 10/28/2009 - 19:30

Hi,

Could you connect your laptop to the outside network and ensure that it works without passing through the ASA?

1. With no nat-control you don't need the static statement, so can you remove it as well.

2. In the second test, if you keep the static identity, use NAT exemption instead (I have already experienced a problem related to that).

Regards
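The NAT and inspection changes suggested in the replies (no nat-control and no interface global, NAT exemption for the concentrator instead of an identity static, and ipsec-pass-thru inspection on the outside interface), written out as an added example configuration in pre-8.3 ASA syntax. This is not the poster's attached config and not Cisco's: the object names NO_NAT and OUTSIDE_IN, the 10.47.200.0/24 and 192.168.34.0/24 subnets, the inspection timers, and the outside-in ACL are assumptions based only on the addresses and policy names visible in the show conn and show service-policy output above.

```cisco
! Added example (not the poster's configuration). Pre-8.3 ASA NAT syntax,
! matching the commands used in the thread. Names and subnets are assumed.
!
! What the thread started with (interface PAT with nat-control and an
! identity static for the concentrator), shown commented out:
! nat-control
! global (outside) 1 interface
! nat (inside) 1 0.0.0.0 0.0.0.0
! static (inside,outside) 10.47.200.5 10.47.200.5 netmask 255.255.255.255
!
! Suggested form: nat-control off, no interface global, and NAT exemption
! (nat 0 with an ACL) so the concentrator keeps its real address for the
! client subnet instead of relying on the identity static.
no nat-control
no global (outside) 1 interface
access-list NO_NAT extended permit ip host 10.47.200.5 192.168.34.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
!
! IPsec pass-through inspection on the outside interface. ISAKMP on UDP/500
! is classified, and the inspection opens ESP/AH pinholes for the peers
! that negotiate through it; per-client limits and idle timeouts are assumed.
policy-map type inspect ipsec-pass-thru pol-type1
 parameters
  esp per-client-max 10 timeout 0:10:00
  ah per-client-max 10 timeout 0:10:00
class-map test-udp-class
 match port udp eq 500
policy-map test-udp-policy
 class test-udp-class
  inspect ipsec-pass-thru pol-type1
service-policy test-udp-policy interface outside
!
! Explicitly permit ISAKMP, ESP and AH from the client subnet to the
! concentrator on the outside interface (assumed ACL; the poster's attached
! config is not shown in the thread, so this may already exist there).
access-list OUTSIDE_IN extended permit udp 192.168.34.0 255.255.255.0 host 10.47.200.5 eq isakmp
access-list OUTSIDE_IN extended permit esp 192.168.34.0 255.255.255.0 host 10.47.200.5
access-list OUTSIDE_IN extended permit ah 192.168.34.0 255.255.255.0 host 10.47.200.5
access-group OUTSIDE_IN in interface outside
!
! Checks after applying: confirm the inspect counters move and that the
! ESP conn for the client/concentrator pair shows a non-zero byte count
! while the client is passing traffic.
! show service-policy inspect ipsec-pass-thru
! show conn
```

The exemption ACL is deliberately narrow (concentrator host to the client subnet only) so that other inside hosts still pass through whatever NAT policy remains; widen it only if more inside addresses need to reach the client network untranslated.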
