[solved] ESP packets don't return to remote access client behind an ASA firewall.

aaltamirano
Level 1

Hi,

We're having some trouble with VPN users behind an ASA5520 firewall.

Topology is something like this:

Usr --- |ASA5520| ------> |cloud| ------|ASA5550-VPN|----|resources|


- The user connects to the net and starts browsing and using services.
- The user starts an IPsec tunnel with the Cisco VPN client.
- He loses connectivity to everywhere. The user is virtually disconnected.

We made a test with this topology:


Usr ---------> |cloud| ------|ASA5550|----|resources|


And VPN goes fine. Everything works.


So, to find out what the problem could be, we captured packets on both ASAs.
Packets from the user come through the 5520 and go to the 5550.
Next, packets return from the ASA5550 to the ASA5520, but they don't go to the client.


If I take a look at the logs, they show that the ASA5520 is dropping ESP packets that came from the ASA5550 by the default deny rule (the last one):


%ASA-6-106100:  access-list access-outside-in denied 50 outside/1.2.3.4(0) -> inside/1.2.5.23(0) hit-cnt 1


So, we put a rule on the outside interface of the 5520 that lets the packets pass, and now they go to the user and everything works fine.


The problem is that we can't start writing access rules that permit ESP traffic for every IPsec tunnel server that is outside the 5520.

---

Regards,

Andres.

3 Replies

Todd Pula
Level 7

If you do a "sh run all sysopt", do you see the "sysopt connection permit-vpn" command enabled? This command will prevent you from having to explicitly permit the VPN-related protocols through an inbound ACL on the outside of your ASA5520.

Thanks, it's enabled.

aaltamirano
Level 1

Finally, I found a possible solution.

I enabled ipsec-pass-through inspection on a service policy and now the VPN tunnels work OK.
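For readers who want to see what the fix in the last reply looks like on an ASA, the following configuration fragment is an added example and is not the poster's own configuration. It shows why it solves the problem described above: ESP (IP protocol 50) has no ports, so a stateless outside-in ACL can only permit it with a broad, permanent rule; ipsec-pass-thru inspection instead watches the inside client's outbound IKE exchange (UDP/500) and opens a temporary pinhole for the matching ESP/AH reply from that one VPN headend. The inspect map name is assumed; global_policy and inspection_default are the ASA defaults and may be named differently on a customised unit.

```cisco
! Added example, not the original poster's configuration.
! IPSEC-PT-MAP is an assumed name; global_policy / inspection_default are the
! ASA defaults and may differ on a customised unit.
!
! Inspection parameters: how many ESP and AH flows one inside client may have
! open through the firewall, and how long an idle pinhole stays open.
policy-map type inspect ipsec-pass-thru IPSEC-PT-MAP
 parameters
  esp per-client-max 10 timeout 0:10:00
  ah per-client-max 10 timeout 0:10:00
!
! Attach the inspection to the global policy. When an inside client starts
! IKE (UDP/500) to a VPN headend, the ASA opens a pinhole for the ESP/AH
! traffic returning from that headend only, so the "deny ip any any" at the
! end of access-outside-in no longer has to be loosened with a permanent
! "permit esp any any" entry.
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru IPSEC-PT-MAP
!
service-policy global_policy global
!
! Check that the inspection is active and counting pinholes:
! show service-policy inspect ipsec-pass-thru
```

Note that this only matters when the client and headend negotiate plain ESP; if NAT traversal is detected, IKE moves to UDP/4500 and ESP is carried inside UDP, which the ASA already tracks as an ordinary UDP connection.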
