08-10-2010 12:18 PM - edited 02-21-2020 04:47 PM
Hi,
We're having some troubles with VPN users behind an ASA5520 fw.
Topology is something like this:
Usr --- |ASA5520| ------> |cloud| ------|ASA5550-VPN|----|resources|
- The user connects to the net and starts browsing and using services.
- The user starts an IPsec tunnel with the Cisco VPN client.
- He loses connectivity to anywhere. The user is virtually disconnected.
We made a test with this topology:
Usr ---------> |cloud| ------|ASA5550|----|resources|
And VPN goes fine. Everything works.
So, to find out what the problem can be, we captured packets on both ASAs.
Packets from the user come through the 5520 and go to the 5550.
Next, packets return from the ASA5550 to the ASA5520, but they don't go to the client.
If I take a look at the logs, it shows that the ASA5520 is dropping ESP packets that came from the ASA5550 by the default deny rule (the last one):
%ASA-6-106100: access-list access-outside-in denied 50 outside/1.2.3.4(0) -> inside/1.2.5.23(0) hit-cnt 1
So, we put a rule on the outside iface of the 5520 that lets the packets pass, and now they go to the user and everything works fine.
The problem is that we can't start writing access rules that permit ESP traffic for any IPsec tunnel server that is outside the 5520.
---
Regards,
Andres.
08-10-2010 02:41 PM
If you do a "sh run all sysopt", do you see the "sysopt connection permit-vpn" command enabled? This command will prevent you from having to explicitly permit the VPN related protocols through an inbound ACL on the outside of your ASA5520.
08-10-2010 02:55 PM
Thanks, it's enabled.
08-11-2010 03:37 PM
Finally, I found a possible solution.
I enabled ipsec-pass-through inspection on a service policy and now the VPN tunnels work OK.
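For reference, the two approaches discussed in this thread side by side, as an added ASA configuration example that is not taken from the original posts. The first block is the static per-peer ACL entry that was found not to scale; the second is the IPsec pass-through inspection that solved it. The inspection works because the ASA sees the client's outbound IKE flow (UDP/500) and then dynamically permits the matching ESP (IP protocol 50) and AH (IP protocol 51) return traffic from that same peer, so no inbound ACL entry is needed per VPN server. Note that `sysopt connection permit-vpn` only bypasses interface ACLs for tunnels that terminate on the ASA itself, which is why it did not help here: the 5520 is only transit for this tunnel. The peer and client addresses are the ones from the syslog line above; the policy-map name `ipsec-pt-params` and the ESP/AH limits are assumptions for illustration, and `global_policy` / `inspection_default` are the ASA default names, which may differ on a customized box.

```cisco
! --- Approach 1 (static, one line per remote VPN server; does not scale) ---
! Permit ESP from the remote VPN headend back to the inside client.
! Addresses are the ones from the syslog line in the thread.
access-list access-outside-in extended permit esp host 1.2.3.4 host 1.2.5.23
access-group access-outside-in in interface outside

! --- Approach 2 (dynamic: IPsec pass-through inspection) ---
! Parameter map: cap how many ESP/AH tunnels one inside client may open
! and how long an idle tunnel entry lives before it is torn down.
! (The limits below are illustrative assumptions, not thread values.)
policy-map type inspect ipsec-pass-thru ipsec-pt-params
 parameters
  esp per-client-max 10 timeout 0:10:00
  ah per-client-max 10 timeout 0:10:00

! Attach it to the default inspection class. The class matches
! default-inspection-traffic, which already includes UDP/500 for IKE.
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru ipsec-pt-params

! Apply globally (this line usually already exists on an ASA).
service-policy global_policy global
```

To verify after the change, `show run all sysopt` confirms the existing `sysopt connection permit-vpn` (relevant only for tunnels terminating on this ASA), and `show service-policy inspect ipsec-pass-thru` shows whether the inspection is active and counting packets. A successful test is a client bringing up a tunnel through the 5520 without any new `%ASA-6-106100 ... denied 50 ...` entries appearing in the log.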