Remote Access VPN to ASA 5510 not passing traffic

ryan.bachman
Level 1

I am sure I am overlooking something very simple, so I am hoping for a second set of eyes that will clue me in on where I am going wrong.

Basically I have a Cisco client remote accessing into a 5510. Authentication works fine, secured routes info shows correctly in my client, the client reports that traffic is being encrypted, but I can't access any of the resources over the tunnel. Attached is a file of the configuration and an output of a `sh crypto ipsec sa peer x.x.x.x` command that shows traffic is not being passed. Thanks for the help in advance.

BTW, the L2L configuration works fine.


hdashnau
Cisco Employee

I see (from your split-tunnel ACL) that you are trying to pass some traffic to some internal networks that are not in your NAT exemption ACLs (no-nat-inside, no-nat-dmz). Make sure in those no-nat ACLs you permit from the "inside" to the VPN client pool.

Other common causes:

- your internal routers may not have a route towards the ASA for the VPN client pool

- access-lists applied to the interfaces (`show run access-group`) may not permit the traffic from the "inside" network to the VPN clients

- configure split-dns under the group-policy for your internal domain names

-heather

Heather

Thanks for your input.

The 2 users that were testing (myself and another coworker) were both behind NAT devices. I thought Cisco by default allowed NAT-T over UDP, but I guess not.

Adding `ipsec-udp enable` under my group policy fixed my issue.

Traditional NAT traversal (on UDP 4500) IS enabled by default on the ASA. You did not have NAT-T disabled on the headend; if you had it turned off manually you would've seen "no crypto isakmp nat-traversal" in your show run output.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c5.html#wp2191067

Since you were not able to pass traffic with traditional NAT-T, this leads me to believe something may have been blocking or dropping UDP 4500 along the path.

There are two other options for NAT traversal, one of which you discovered...

The "ipsec-udp" is another form of NAT traversal which operates on UDP 500. The port number cannot be changed.

There is a third option for NAT traversal, enabled with "crypto isakmp ipsec-over-tcp". This allows NAT traversal on TCP 10000. You can change the port with "crypto isakmp ipsec-over-tcp port <#>".

-heather
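The two points Heather raises in this thread (the NAT exemption ACLs must cover every network in the split-tunnel list, and the three NAT-traversal options) pulled together as one ASA 8.0-era configuration fragment. This is an added illustration, not the original poster's attached config: the addresses (10.1.0.0/16 inside, 172.16.10.0/24 on an interface named dmz, 192.168.100.0/24 client pool), the policy name RA-POLICY and the domain corp.example are constructed; only the ACL names no-nat-inside and no-nat-dmz come from the thread.

```cisco
! Constructed addresses (assumptions): inside 10.1.0.0/16, dmz 172.16.10.0/24,
! VPN client pool 192.168.100.0/24. ACL names no-nat-inside/no-nat-dmz are from the thread.

! 1. NAT exemption (pre-8.3 "nat 0" syntax). Each network that the clients are
!    told to reach must be exempted from NAT toward the client pool, otherwise
!    the return traffic is translated and never enters the tunnel.
access-list no-nat-inside extended permit ip 10.1.0.0 255.255.0.0 192.168.100.0 255.255.255.0
access-list no-nat-dmz extended permit ip 172.16.10.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list no-nat-inside
nat (dmz) 0 access-list no-nat-dmz

! 2. Split-tunnel list. A network that is here but missing from a no-nat ACL
!    shows up as a "secured route" on the client yet passes no traffic.
access-list split-tunnel standard permit 10.1.0.0 255.255.0.0
access-list split-tunnel standard permit 172.16.10.0 255.255.255.0

! 3. NAT traversal. UDP 4500 NAT-T is on by default (the argument is the
!    keepalive interval); ipsec-over-tcp is the fallback when UDP 4500 is dropped.
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000

! 4. Group policy: split tunnelling, split DNS, and the UDP 500 "ipsec-udp"
!    encapsulation that resolved the original poster's issue.
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 split-dns value corp.example
 ipsec-udp enable
exit

! 5. Checks named in the thread:
! show run access-group              -> interface ACLs that could block inside -> pool
! show crypto ipsec sa peer x.x.x.x  -> per-SA encaps/decaps counters (one-way = NAT/route problem)
! show run crypto isakmp             -> confirm "no crypto isakmp nat-traversal" is absent
```

The same checks apply with post-8.3 object NAT; only the `nat 0` lines change form, and the pool must still be exempted toward each internal network.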
