I have cisco vpn client loaded onto my laptop which allows me to connect to my office LAN from any location. This works fine and enalbes me to access Exchange server and other LAN resources. However, if I try to connect from home to my office LAN using the vpn client I have problems. The vpn client connects ok and authenticates but I cannot access Exchange server or any other resources. Ping does not work either. At home I have a PIX501 connected to a cable modem. Internet access from home LAN works fine. Any help greatly received.
2.) Try : fixup protocol esp-ike on the home PIX 501.
2.) Could be a NAT Traversal issue.
Note that NAT Traversal is configured on the VPN Server not at home.
isakmp nat-traversal 20
Network Address Translation (NAT), including Port Address Translation (PAT), is used in many networks where IPSec is also used, but there are a number of incompatibilities that prevent IPSec packets from successfully traversing NAT devices. NAT traversal enables ESP packets to pass through one or more NAT devices.
The firewall supports NAT traversal as described by Version 2 and Version 3 of the IETF "UDP Encapsulation of IPsec Packets" draft, available at http://www.ietf.org/html.charters/ipsec-charter.html, and NAT traversal is supported for both dynamic and static crypto maps. NAT traversal is disabled by default on the firewall.
To enable NAT traversal, check that ISAKMP is enabled (you can enable it with the isakmp enable if_name command) and then use the isakmp nat-traversal [natkeepalive] command. (This command appears in the configuration if both ISAKMP is enabled and NAT traversal is enabled.) If you have enabled NAT traversal, you can disable it with the no isakmp nat-traversal command. Valid values for natkeepalive are from 10 to 3600 seconds. The default is 20 seconds.
I have exactly the same problem with my pix501. fixup esp-ike is on. nat traversal is on my pix, I will check to see if it is on the company's ASA. But, the interesting thing is - I also have Motorola router/firewall at home where I can just put a check mark in IPSEC VPN passthrough and same PC with Cisco VPN client works fine: terminates the VPN tunnel and I can ping and access everything on company LAN. PIX501 is on 6.3(5).
Can you post the contents of the log window from the VPN client?
If the client connects fully and transmits traffic across the tunnel but no traffic flows back from the far end of the tunnel then it would be a config problem at the remote end.
Check the status, statistics window, that will show if traffic is flowing in both directions.
There is no traffic flowing back. The statistics show lots of traffic sent by none received. I know you say that the problem could at the remote end (ie: Office LAN)but the strange thing is that the VPN client works from pretty much anywhere else I go except home.
In that case it could be the PIX blocking the return traffic. Do you have any inspection groups set on the PIX?
If you do not already have the following commands can you add them please and then try again.
same-security-traffic permit inter-interface
sysopt connection permit-ipsec
They will allow inter-interface traffic and mark all ipsec traffic as trusted. This allows it to bypass any access-lists and be dealt with by the crypto engine. If it doesn't match it is dropped.
Tried adding the above commands. The "same-security-traffic permit inter-interface" command wasn't accepted.
The sysopt command was accepted but still get no traffic received