Remote Access VPN - Unable to access Internal resources

mwandu
Level 1

Hi Experts,

I have a situation with a client site where they would like to implement remote access VPN. The issue is that I am able to authenticate but cannot get access to internal resources. I am using VPN client 5.0.

See attached ASA configuration.

Thanks in advance,

5 Replies

JORGE RODRIGUEZ
Level 10

Looking at your RA config briefly, it looks fine; you may need to enable NAT transparency.

Add this to your config:

(config)#crypto isakmp nat-traversal


Reference this link for the future:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution01

Regards

Jorge Rodriguez

Hi,

I agree with Jorge,

the config seems to be fine.

Just enable (config)#crypto isakmp nat-t

and check connectivity.

Also check whether (config)#sysopt connection permit-vpn is there in the config.

Regards,

Pradhuman

Hi,

Thanks for your prompt response. I have included both commands advised in all replies but no success. I noted that when I check the 'ipsec sa' statistics on the ASA, the packets are getting decrypted BUT not encrypted. I am wondering if this is a good clue?

Many thanks again.

Could you post the output of what you have seen on the ipsec sa?

While the VPN client is connected, post the output of

show crypto ipsec sa

Also provide the output of show vpn-sessiondb remote

Please also load your ASA ASDM real-time log and observe the log while the RA client pings hosts on the inside.

Make sure that the system the RA client is trying to access on the inside network 192.168.1.0 does not have a firewall turned on, such as Windows firewalls etc.

Rgds

Jorge Rodriguez

Hi,

It seems that the packets are not getting encrypted from the ASA itself, as you are only seeing decrypt counts but no encrypt count!

The issue is likely to be with routing or NAT-ing on the ASA.

Just do a packet tracer from any internal IP to the VPN pool IP and check where the packet is getting dropped.

packet-tracer input inside icmp 192.168.1.x 8 0 192.168.2.x det

Paste the output of this command, or you can also do it from the GUI.

Thanks,

Pradhuman
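
The symptom discussed in this thread (decrypt counters rising while encrypt counters stay at zero), as an added example that is not part of any post: a Python script that parses `show crypto ipsec sa` text and flags SAs with inbound traffic but no return traffic. The sample output, addresses and usernames are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of ASA "show crypto ipsec sa" output;
# addresses, usernames and counters are made up for illustration.
SAMPLE = """\
interface: outside
    Crypto map tag: dyn-map, seq num: 10, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.10/255.255.255.255/0/0)
      current_peer: 198.51.100.7, username: ra-user1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 57, #pkts decrypt: 57, #pkts verify: 57

    Crypto map tag: dyn-map, seq num: 10, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.11/255.255.255.255/0/0)
      current_peer: 198.51.100.9, username: ra-user2

      #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
      #pkts decaps: 42, #pkts decrypt: 42, #pkts verify: 42
"""

def parse_sas(text):
    """Return one dict per SA block: remote ident, peer and packet counters."""
    sas = []
    # Each SA block starts with a "Crypto map tag:" line.
    for block in re.split(r"(?m)^[ \t]*Crypto map tag:", text)[1:]:
        remote = re.search(r"remote ident .*?: \(([\d.]+)/", block)
        peer = re.search(r"current_peer: ([\d.]+)", block)
        sa = {k: int(v) for k, v in re.findall(r"#pkts (\w+): (\d+)", block)}
        sa["remote"] = remote.group(1) if remote else None
        sa["peer"] = peer.group(1) if peer else None
        sas.append(sa)
    return sas

def one_way_sas(sas):
    """SAs that decapsulate client traffic but never encapsulate a reply.

    Replies from the inside are not entering the tunnel, which points at
    routing or NAT on the return path rather than at tunnel negotiation.
    """
    return [s for s in sas if s.get("decaps", 0) > 0 and s.get("encaps", 0) == 0]

if __name__ == "__main__":
    for s in one_way_sas(parse_sas(SAMPLE)):
        print(f"{s['remote']} via {s['peer']}: decaps={s['decaps']} encaps=0")
```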
