Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA 5505 Remote VPN Problem

I am having trouble getting to host(s) on my inside network via remote vpn. I can successfully connect to the ASA using cisco client, but I cannot ping or connect to any devices on my inside network. When I ssh to the ASA I can ping the hosts on the inside network and the hosts on the outside (VPN) network. I've setup remote vpn via ASDM wizard before, but have not encountered this problem. Any help would be appreciated. I have attached my config.

Thanks

  • Firewalling
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: ASA 5505 Remote VPN Problem

Kevin,

This confirms that there is nothing wrong with the configuration on the ASA. Are you using IPSEC Over UDP, can you make sure that nat-t is enabled.

crypto isakmp nat-traversal

Also, can you provide some information on how the Client is getting connected to the internet. Is there a firewall that is blocking any traffic.

Regards,

Arul

** Please rate all helpful posts **

9 REPLIES
Cisco Employee

Re: ASA 5505 Remote VPN Problem

You need to apply NAT 0 to by pass NAT for VPN Client pool of IP Addresses. I see an ACL Configured but not applied. What you need is,

nat (inside) 0 inside_nat0_outbound

Please configure this and let me know how it goes.

Regards,

Arul

** Please rate all helpful posts **

New Member

Re: ASA 5505 Remote VPN Problem

Thank you for your reply. That did not fix it. I'm not even seeing any hitcounts on my ACL's.

I did the following command

MehASA(config)# nat (inside) 0 access-list inside_nat0_outbound

MehASA(config)# sho access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

alert-interval 300

access-list Test_VPN_splitTunnelAcl; 1 elements

access-list Test_VPN_splitTunnelAcl line 1 standard permit 192.168.1.0 255.255.255.0 (hitcnt=0) 0x85f9e2ff

access-list inside_nat0_outbound; 1 elements

access-list inside_nat0_outbound line 1 extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0 (hitcnt=0) 0x94bd01e3

Cisco Employee

Re: ASA 5505 Remote VPN Problem

So, you are getting connected but not able to access the LAN. What is the IP Address that you are trying to ping from the VPN Client.

Also, can you post the output of "Show cry is sa" and "Show cry ipsec sa" when you are VPNed in and trying to access to the LAN.

Also, did you get a chance to do a "clear xlate" after you configured the NAT 0 statement.

Regards,

Arul

New Member

Re: ASA 5505 Remote VPN Problem

I did a clear xlate and it didnt' change anything. I'm trying to connect to 192.168.1.111 Here is the output from the commands:

MehASA(config)# sho cry is sa

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 170.163.152.43

Type : user Role : responder

Rekey : no State : AM_ACTIVE

MehASA(config)# sho cry ipsec sa

interface: outside

Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 67.87.102.24

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prot/port): (192.168.100.1/255.255.255.255/0/0)

current_peer: 170.163.152.43, username: test_user

dynamic allocated peer ip: 192.168.100.1

#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5

#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 67.87.102.24, remote crypto endpt.: 170.163.152.43

path mtu 1500, ipsec overhead 74, media mtu 1500

current outbound spi: 9F034A2E

inbound esp sas:

spi: 0xF2FE6308 (4076757768)

transform: esp-aes esp-sha-hmac none

in use settings ={RA, Tunnel, }

slot: 0, conn_id: 28672, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

sa timing: remaining key lifetime (sec): 28758

IV size: 16 bytes

replay detection support: Y

outbound esp sas:

spi: 0x9F034A2E (2667792942)

transform: esp-aes esp-sha-hmac none

in use settings ={RA, Tunnel, }

slot: 0, conn_id: 28672, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

sa timing: remaining key lifetime (sec): 28758

IV size: 16 bytes

replay detection support: Y

thanks again for your help

Cisco Employee

Re: ASA 5505 Remote VPN Problem

Thanks for the outputs! Based on the show commands, the ASA is encrypting and decrypting traffic. So, chances are that the ASA is sending the traffic back to the VPN Client and is getting dropped somewhere in between.

On the VPN Client, under statistics, do you see packets encrypted and decrypted or only encrypted. How is the VPN Client connected to the internet. Can you use a dial up and test this just to make sure that we rule out the configuration on the ASA.

Regards,

Arul

** Please rate all helpful posts **

New Member

Re: ASA 5505 Remote VPN Problem

I did a ping -t to a host on my LAN that I know is up (pinged from ASA) for 30 seconds and this is what my stats look like

Encrypted 13

Decrypted 0

Discarded 3

Bypassed 820

Cisco Employee

Re: ASA 5505 Remote VPN Problem

Kevin,

This confirms that there is nothing wrong with the configuration on the ASA. Are you using IPSEC Over UDP, can you make sure that nat-t is enabled.

crypto isakmp nat-traversal

Also, can you provide some information on how the Client is getting connected to the internet. Is there a firewall that is blocking any traffic.

Regards,

Arul

** Please rate all helpful posts **

New Member

Re: ASA 5505 Remote VPN Problem

That did it!!

Thank you.

Any idea why that was disabled??

Cisco Employee

Re: ASA 5505 Remote VPN Problem

Great! Thanks for the rating :-) Appreciate that.

"isakmp nat-traversal" is disabled by default and that is the reason we did not see it in the configuration. Please refer the below documentation for details:

http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/gl.html#wp1645570

Regards,

Arul

** Please rate all helpful posts **

155
Views
5
Helpful
9
Replies