01-27-2010 11:21 PM - edited 02-21-2020 04:28 PM
Hi Experts,
I have a situation with a client site where they would like to implement remote access VPN. The issue is that I am able to authenticate but cannot get access to internal resources. I am using VPN client 5.0.
See attached ASA configuration.
Thanks in advance,
01-28-2010 09:40 AM
Looking at your RA config briefly, it looks fine; you may need to enable NAT transparency.
Add this to your config:
(config)#crypto isakmp nat-traversal
Reference this link for the future:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution01
Regards
01-28-2010 05:24 PM
Hi,
I agree with Jorge,
the config seems to be fine.
Just enable (config)#crypto isakmp nat-t
and check connectivity.
Also check whether (config)#sysopt connection permit-vpn is there in the config.
Regards,
Pradhuman
01-30-2010 08:15 AM
Hi,
Thanks for your prompt response. I have included both commands advised in all replies but no success. I noted that when I check the 'ipsec sa' statistics on the ASA, the packets are getting decrypted BUT not encrypted. I am wondering if this is a good clue?
Many thanks again.
01-30-2010 10:56 PM
Could you post the output of what you have seen on the ipsec sa?
While the VPN client is connected, post the output of
show crypto ipsec sa
Also provide the output of show vpn-sessiondb remote
Please also load your ASA ASDM real-time log and observe the log while the RA client pings hosts on the inside.
Make sure that the system the RA client is trying to access on the inside network 192.168.1.0 does not have a firewall turned on, such as Windows Firewall etc.
Rgds
01-31-2010 08:39 AM
Hi,
It seems that the packets are not getting encrypted from the ASA itself, as you are only seeing decrypt counts but no encrypt count!
The issue is likely to be with routing or NAT-ing on the ASA.
Just do a packet tracer from any internal IP to the VPN pool IP and check where the packet is getting dropped.
packet-tracer input inside icmp 192.168.1.x 8 0 192.168.2.x det
Paste the output of this command, or you can also do it from the GUI.
Thanks,
Pradhuman
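The symptom discussed in this thread (decrypt counters rising while the encrypt counter stays at zero) can be checked across many sessions with a small script. This is an added example, not part of any post in the thread; the sample text is constructed and only models the peer and counter lines of `show crypto ipsec sa`, and the function names are hypothetical.

```python
import re

# Constructed sample modeled on the peer/counter lines of "show crypto ipsec sa".
# Peer addresses are documentation ranges; 192.168.2.x is the thread's VPN pool.
SAMPLE = """\
      remote ident (addr/mask/prot/port): (192.168.2.10/255.255.255.255/0/0)
      current_peer: 198.51.100.7, username: user1
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 42, #pkts decrypt: 42, #pkts verify: 42
      remote ident (addr/mask/prot/port): (192.168.2.11/255.255.255.255/0/0)
      current_peer: 198.51.100.9, username: user2
      #pkts encaps: 17, #pkts encrypt: 17, #pkts digest: 17
      #pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
"""

PEER = re.compile(r"current_peer:\s*([0-9a-fA-F.:]+)")
# Matches only the encrypt/decrypt counters, not encaps/decaps/digest/verify.
COUNTER = re.compile(r"#pkts (encrypt|decrypt):\s*(\d+)")


def parse_sas(text):
    """Return one dict per 'current_peer' block with its encrypt/decrypt counts."""
    sas, cur = [], None
    for line in text.splitlines():
        m = PEER.search(line)
        if m:
            cur = {"peer": m.group(1), "encrypt": 0, "decrypt": 0}
            sas.append(cur)
            continue
        if cur is not None:
            for name, value in COUNTER.findall(line):
                cur[name] = int(value)
    return sas


def one_way(sas):
    """Peers whose SA decrypts inbound traffic but has encrypted nothing back.

    That pattern means client packets reach the ASA while replies never enter
    the tunnel, so the return path (routing, NAT exemption, host firewall on
    the inside target) is what to examine next.
    """
    return [sa["peer"] for sa in sas if sa["decrypt"] > 0 and sa["encrypt"] == 0]


if __name__ == "__main__":
    for peer in one_way(parse_sas(SAMPLE)):
        print(f"{peer}: decrypts without encrypts, check return path")
```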