New Member

Allow IPSec Traffic

We are trying to establish a VPN connection using the Cisco VPN Client on a laptop to a VPN concentrator in a remote office. All network devices are in the same private network. There is a Cisco ASA 5505 firewall sitting between the VPN client and the VPN concentrator. IPsec over TCP and IPsec over UDP work fine, but plain IPsec will not. We are able to establish a connection with plain IPsec but can't access resources behind the VPN concentrator. I am attaching the config of the Cisco ASA firewall for your reference. Please let me know what I am missing.

9 REPLIES

Re: Allow IPSec Traffic

Try getting rid of the global defined in your config and disable nat-control. Also, just remember that IPsec pass-through is only applicable to one-to-one translations; since your static is in place, this should work OK. Try that and let us know.

New Member

Re: Allow IPSec Traffic

Imartino,

I got rid of those 2 commands using:

no global (outside) 1 interface

no nat-control

But still the same problem.

Re: Allow IPSec Traffic

Please get the show service-policy and the logs when the client is trying to pass traffic.

New Member

Re: Allow IPSec Traffic

Result of the command: "show service-policy"

Interface outside:

Service-policy: test-udp-policy

Class-map: test-udp-class

Inspect: ipsec-pass-thru pol-type1, packet 42, drop 0, reset-drop 0

Result of the command: "show conn"

9 in use, 12 most used

AH outside 0.0.0.0 inside 0.0.0.0, idle 0:11:52, bytes 0

ESP outside 0.0.0.0 inside 0.0.0.0, idle 0:11:52, bytes 0

ESP outside 192.168.34.7 inside 10.47.200.5, idle 0:01:01, bytes 12592

AH outside 192.168.34.7 inside 10.47.200.5, idle 0:11:52, bytes 0

ESP outside 192.168.34.7 inside 10.47.200.5, idle 0:11:52, bytes 0

UDP outside 192.168.34.7:500 inside 10.47.200.5:500, idle 0:01:01, bytes 3431, flags -
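As an added example (not part of this thread and not Cisco code), the following Python reads "show conn" output in the format pasted above and summarises the IPsec-related entries per outside/inside peer pair: bytes on the ISAKMP (UDP/500) connection, bytes on ESP and AH, and how many ESP/AH entries carry zero bytes. The line layout it expects is the one shown in this post; the 0.0.0.0 entries are assumed to be wildcard placeholders and are skipped. The sample text embedded in the block is the poster's output copied as constructed test input.

```python
"""Summarise IPsec flows (ISAKMP on UDP/500, ESP, AH) from Cisco ASA 'show conn' text.

Added example; the line format is assumed from the output pasted in the thread.
"""
import re
from collections import defaultdict

# Constructed sample input: the 'show conn' lines from the thread, verbatim.
SAMPLE_SHOW_CONN = """\
9 in use, 12 most used
AH outside 0.0.0.0 inside 0.0.0.0, idle 0:11:52, bytes 0
ESP outside 0.0.0.0 inside 0.0.0.0, idle 0:11:52, bytes 0
ESP outside 192.168.34.7 inside 10.47.200.5, idle 0:01:01, bytes 12592
AH outside 192.168.34.7 inside 10.47.200.5, idle 0:11:52, bytes 0
ESP outside 192.168.34.7 inside 10.47.200.5, idle 0:11:52, bytes 0
UDP outside 192.168.34.7:500 inside 10.47.200.5:500, idle 0:01:01, bytes 3431, flags -
"""

# One connection line: PROTO if1 addr1 if2 addr2, idle H:MM:SS, bytes N[, flags F]
CONN_RE = re.compile(
    r"^(?P<proto>[A-Z]+)\s+(?P<out_if>\S+)\s+(?P<out_addr>\S+)"
    r"\s+(?P<in_if>\S+)\s+(?P<in_addr>\S+),\s+idle\s+(?P<idle>\d+:\d\d:\d\d),"
    r"\s+bytes\s+(?P<bytes>\d+)(?:,\s+flags\s+(?P<flags>\S+))?\s*$"
)


def split_host_port(addr):
    """'10.0.0.1:500' -> ('10.0.0.1', 500); bare '10.0.0.1' -> ('10.0.0.1', None)."""
    host, sep, port = addr.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return addr, None


def idle_seconds(hms):
    """Convert the 'idle H:MM:SS' field to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_show_conn(text):
    """Return one dict per connection line; the header and unknown lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        out_host, out_port = split_host_port(m["out_addr"])
        in_host, in_port = split_host_port(m["in_addr"])
        conns.append({
            "proto": m["proto"],
            "outside": out_host, "outside_port": out_port,
            "inside": in_host, "inside_port": in_port,
            "idle": idle_seconds(m["idle"]),
            "bytes": int(m["bytes"]),
            "flags": m["flags"],
        })
    return conns


def is_wildcard(conn):
    # Assumption: 0.0.0.0/0.0.0.0 entries are placeholder pinholes, not a real peer pair.
    return conn["outside"] == "0.0.0.0" and conn["inside"] == "0.0.0.0"


def ipsec_summary(conns):
    """Per (outside, inside) peer pair: ISAKMP/ESP/AH byte counts and zero-byte SA entries."""
    summary = defaultdict(lambda: {"isakmp_bytes": 0, "esp_bytes": 0,
                                   "ah_bytes": 0, "zero_byte_sa": 0})
    for c in conns:
        if is_wildcard(c):
            continue
        key = (c["outside"], c["inside"])
        if c["proto"] == "UDP" and 500 in (c["outside_port"], c["inside_port"]):
            summary[key]["isakmp_bytes"] += c["bytes"]
        elif c["proto"] in ("ESP", "AH"):
            summary[key][c["proto"].lower() + "_bytes"] += c["bytes"]
            if c["bytes"] == 0:
                summary[key]["zero_byte_sa"] += 1
    return dict(summary)


def diagnose(entry):
    """Plain-language reading of one peer pair's counters."""
    if entry["isakmp_bytes"] == 0:
        return "no ISAKMP (UDP/500) bytes seen for this peer pair"
    if entry["esp_bytes"] == 0 and entry["ah_bytes"] == 0:
        return "IKE traffic seen but no ESP/AH bytes have crossed the ASA"
    if entry["zero_byte_sa"]:
        return ("ESP/AH carrying bytes on some entries but %d entries show zero bytes; "
                "confirm with the ASA logs whether the other direction is dropped or never sent"
                % entry["zero_byte_sa"])
    return "IKE and ESP/AH both carrying bytes"


if __name__ == "__main__":
    for peers, entry in ipsec_summary(parse_show_conn(SAMPLE_SHOW_CONN)).items():
        print(peers, entry, "->", diagnose(entry))
```

Run against the pasted output, the single peer pair 192.168.34.7 / 10.47.200.5 shows 3431 ISAKMP bytes, 12592 ESP bytes, and two zero-byte ESP/AH entries, which is the picture the responder was probing for when asking for drop logs.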

Re: Allow IPSec Traffic

Do you get any drops on the logs?

New Member

Re: Allow IPSec Traffic

No, I don't see any drops in the log. This problem is killing me. I thought it would be simple.

Re: Allow IPSec Traffic

Can you change the access-list to include IP rather than UDP?

New Member

Re: Allow IPSec Traffic

I allowed IP traffic instead of UDP. Still no success.

New Member

Re: Allow IPSec Traffic

Hi,

Could you connect your laptop to the outside network and ensure that it works without passing through the ASA?

1. With no nat-control you don't need the static statement, so can you remove it as well?

2. In a second test, if you keep the static identity, use NAT exemption instead (I have already experienced a problem related to that).

Regards
