[solved] ESP packets don't return to remote access client behind an ASA firewall.

Aug 10th, 2010

We're having some troubles with VPN users behind an ASA5520 fw.

Topology is something like this:

Usr --- |ASA5520| ------> |cloud| ------|ASA5550-VPN|----|resources|

- The user connects to the net and starts browsing and using services.
- The user starts an IPsec tunnel with the Cisco VPN client.
- He loses connectivity to anywhere. The user is virtually disconnected.

We made a test with this topology:

Usr ---------> |cloud| ------|ASA5550|----|resources|

And VPN goes fine. Everything works.

So, to find out what the problem could be, we captured packets on both ASAs.
Packets from the user come through the 5520 and go to the 5550.
Next, packets return from the ASA5550 to the ASA5520, but they don't go to the client.

If I take a look at the logs, they show that the ASA5520 is dropping ESP packets that came from the ASA5550 by the default deny rule (the last one):

%ASA-6-106100:  access-list access-outside-in denied 50 outside/ -> inside/ hit-cnt 1

So, we put a rule on the outside interface of the 5520 that lets packets pass, and now they go to the user and everything works fine.

The problem is that we can't start writing access rules that permit ESP traffic for any IPsec tunnel server that is outside the 5520.

Todd Pula Tue, 08/10/2010 - 14:41

If you do a "sh run all sysopt", do you see the "sysopt connection permit-vpn" command enabled?  This command will prevent you from having to explicitly permit the VPN related protocols through an inbound ACL on the outside of your ASA5520.

aaltamirano Wed, 08/11/2010 - 15:37

Finally, I found a possible solution.

I enabled ipsec-pass-through inspection on a service policy and now VPN tunnels work OK.
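As an added example (not posted by either participant), this is the ASA configuration that implements the pass-through inspection aaltamirano describes, attached to the default global policy of the 5520 that the tunnels only traverse; the map name ipsec-pass-thru-map and the per-client limits are assumed values, not taken from the thread.

```cisco
! Added example: ASA 5520 in the path, no tunnels terminate here.
! Goal: let ESP return to inside clients without a blanket
! "permit esp any" on the outside interface.
! Map name and limits are assumed values, not from the thread.
policy-map type inspect ipsec-pass-thru ipsec-pass-thru-map
 parameters
  ! ESP flows are opened only for an inside client that has an active
  ! IKE (UDP/500) session through the ASA; idle flows age out in 10 min.
  esp per-client-max 10 timeout 0:10:00
  ! AH is left disabled; enable "ah per-client-max ..." only if a peer needs it.
!
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru ipsec-pass-thru-map
!
service-policy global_policy global
!
! Verification: the inspection should be listed under the global policy,
! and the %ASA-6-106100 denies for protocol 50 should stop once a
! client's IKE session is up.
! show service-policy
! show run policy-map
```

The inspection keys the permitted ESP flows on each client's own IKE negotiation, so only the tunnel servers an inside host actually talks to get return traffic, which is narrower than an ACL permitting ESP from any source. Note that "sysopt connection permit-vpn" only exempts tunnels that terminate on the ASA itself, so it does not cover a firewall the tunnel merely passes through.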

