10-04-2010 06:30 AM - edited 03-11-2019 11:49 AM
Hello everyone!
I have a Cisco ASA running IOS version 8.0(4). Everyone in my company connects fine through the VPN Client, but they don't have routing.
I'm wondering why they connect to the VPN and then don't have any traffic inside.
Need some tips.
10-04-2010 09:22 AM
Try the following:
icmp permit any inside
I see you have logging buffered debugging; that's good.
clear logging buffered
management-access inside
From the client:
ping the inside interface IP
show logg | in
10-04-2010 09:23 AM
Also, once you are connected through the VPN,
give the show route command and verify that you see a static route to the VPN client IP pointing to the outside interface.
10-04-2010 09:32 AM
Nothing happens with this...
Fw(config)# icmp permit any inside
Fw(config)# sh logg | in 10.XX.XX.0
But there is no output.
10-04-2010 09:35 AM
Fw(config)# sh logg | in 10.XX.XX.0
This would be incorrect.
Fw(config)# sh logg | in 10.XX.XX.13 (something like this, or just leave it at XX; do not enter the last octet)
10-04-2010 09:23 AM
10-04-2010 09:41 AM
Hi,
Thanks a ton for the outputs. It clearly shows from the statistics on the VPN Client and the outputs on the ASA that the ASA is receiving the packets across the tunnel and decrypting them, but the replies are not being encrypted. Please paste the output of the following command:
packet-tracer input inside icmp
Thanks,
Namit
10-04-2010 10:20 AM
10-04-2010 04:56 PM
As the packet tracer says, it is being dropped by the NAT rules.
Please paste your NAT rules:
show run nat
show run global
sh run static
sh access-list
10-04-2010 10:04 PM
Hi,
Do your remote pool subnet and the subnet for the internal network of the ASA overlap? I mean, is it something like the remote pool being 192.168.1.1-192.168.1.25 while the internal subnet on the ASA is 192.168.1.0/24?
Thanks,
Namit
10-05-2010 08:08 AM
After a while of troubleshooting with my networking team, we found that the packet is dropped at the end.
Now we need to find out why it is doing that.
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected
10-05-2010 08:14 AM
Did you make any changes to the rules in the firewall? Because I see the packet-tracer outputs look different.
Also, have you verified that the VPN pool IP and the internal network IP do not overlap?
10-05-2010 09:28 AM
No, I didn't change anything. I will delete the connection profile and do it again.
10-05-2010 01:23 PM
How come?!!! This is black magic!!!
I made a full backup of JUN2010 and the problem persists! What?!
10-13-2010 01:30 PM
FOR THE RECORD, HERE IS THE ANSWER!
I made a new IP pool with a different network, avoiding the same IP addressing as my inside network, and applied it to the group policy. This is the only change that I made to the firewall.
On the core switch I made a static route for the new network with the inside firewall interface as the gateway of last resort.
And done, it works!
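The root cause in this thread (and the question Namit asked earlier) is a VPN address pool carved out of the inside subnet. The following script is an added example, not code from the thread or from Cisco: it parses the `ip local pool` and interface `ip address` lines of a constructed ASA running-config and reports any pool that overlaps an interface subnet. Both sample configs, the pool name VPNPOOL and the addresses in them are made up for the example.

```python
"""Check an ASA running-config for a VPN address pool that overlaps an
interface subnet.  Example code added to this thread; the configs below
are constructed, not taken from the poster's firewall."""
import ipaddress
import re

# Constructed sample: the situation the thread diagnoses.  The remote-access
# pool is carved out of the inside subnet 192.168.1.0/24.
OVERLAPPING_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
ip local pool VPNPOOL 192.168.1.200-192.168.1.225 mask 255.255.255.0
"""

# Constructed sample: the fix the poster describes, a pool on its own network
# that the core switch then routes back to the ASA's inside interface.
FIXED_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
ip local pool VPNPOOL 192.168.50.1-192.168.50.25 mask 255.255.255.0
"""

POOL_RE = re.compile(
    r"^ip local pool (\S+) (\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)")
NAMEIF_RE = re.compile(r"^\s+nameif (\S+)")
ADDR_RE = re.compile(
    r"^\s+ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")


def parse_pools(config):
    """Return {pool_name: [IPv4Network, ...]} covering each pool's range."""
    pools = {}
    for line in config.splitlines():
        m = POOL_RE.match(line)
        if m:
            first = ipaddress.IPv4Address(m.group(2))
            last = ipaddress.IPv4Address(m.group(3))
            # A first-last range rarely aligns to a single prefix, so
            # summarize it into the list of CIDR blocks it covers.
            pools[m.group(1)] = list(
                ipaddress.summarize_address_range(first, last))
    return pools


def parse_interfaces(config):
    """Return {nameif: IPv4Network} for every interface that has an address."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = None          # new interface stanza; forget the old nameif
        m = NAMEIF_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if m and current:
            interfaces[current] = ipaddress.IPv4Network(
                (m.group(1), m.group(2)), strict=False)
    return interfaces


def find_overlaps(config):
    """List (pool, nameif) pairs where any part of the pool lies inside an
    interface subnet.  Inside hosts then see the VPN client's address as
    on-link and ARP for it on the LAN instead of sending the reply to the
    ASA, so it never reaches the tunnel."""
    pools = parse_pools(config)
    interfaces = parse_interfaces(config)
    hits = []
    for pool_name, pool_nets in pools.items():
        for nameif, net in interfaces.items():
            if any(block.overlaps(net) for block in pool_nets):
                hits.append((pool_name, nameif))
    return hits


if __name__ == "__main__":
    for label, cfg in (("overlapping", OVERLAPPING_CONFIG),
                       ("fixed", FIXED_CONFIG)):
        print(label, find_overlaps(cfg) or "no overlap")
```

Run it against the output of `show running-config` saved to a file (read the file into a string and pass it to `find_overlaps`); an empty result means every pool sits on a network of its own, which is the condition the final post restored. The check only covers IPv4 pools written as a first-last range, which is the form the ASA uses.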