
Remote network unreachable when using VPN client through ASA

Hi,

Today I ran into a problem which I think is an ASA problem or bug.

We have a customer who has an ASA 5505 from us. He has only a few clients on the inside network, using address range 192.168.168.0.

He also needs to manage some production analyzing tools in another company, where he builds up a tunnel via the Shrewsoft VPN client and then connects to the remote host (192.168.0.10/24). A new interface is created by the VPN client (192.168.46.1) and the routing on the client is set properly.

With the old Zyxel FW this was working without problems. Without firewall (tethering over mobile phone) it's also working perfectly.

But when the client is connected to ASA, there is a problem:

The remote client that needs to be managed (192.168.0.10) isn't reachable. There is nothing logged on the ASA, because it's passing through the tunnel.

I have no access to the remote FW, but as it is working from every other network except the one behind the ASA, I assume that the configuration should be OK there.

Things I've tried until now:

- permit ESP

- enable inspection for pptp and ipsec-pass-thru

- access-list in- & outbound: permit gre any any, permit tcp pptp any any -> even permit ip any any in & out didn't help

- client: deactivate Windows firewall

- client: Wireshark-capture on tunnel-interface -> when pinging the remote client IP, I only get the ARP request and reply, no ICMP is started

- client ARP table has the entry for 192.168.0.10 with MAC bb:bb:bb:bb:bb:00

- ASA has a default route outside and only 192.168.168.0/24 inside. 192.168.0.0/24 is not routed on the ASA.

Later, I also tried the same VPN profile from our headquarters with a detailed logging server -> same issue, tunnel connection OK, but 192.168.0.10 not reachable. Logging doesn't show any permit/deny. Connecting over a mobile connection (not going over the ASA) -> tunnel OK, ping & RDP OK.

I would be thankful for any kind of solution!

Thanks in advance,

Amir

1 ACCEPTED SOLUTION

Hi,

Can you pull any kind of statistics from the VPN client software when the VPN connection is active to see if any traffic is encapsulated/encrypted?

Can you list the connections from the client PC on the ASA when the VPN connection is active?

show conn | inc 192.168.168.x

Have you enabled Transparent Tunneling (UDP/4500) on the client software so that the VPN connection works through the Dynamic PAT translation that the local ASA is probably using for the internal hosts' connections to the Internet?

- Jouni
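
As an added example (not part of the thread), a small Python helper that applies Jouni's show conn check: it parses constructed sample conn lines for one inside client and reports whether the IPsec session is crossing the ASA's PAT as UDP/4500 (NAT-T), as raw ESP, or as IKE on UDP/500 only with no data-plane flow, which is the symptom described in the question. The client address 192.168.168.20 and the conn lines are constructed; the regular expression follows the usual ASA conn line layout (protocol, interface, address:port, interface, address:port).

```python
import re

# Constructed sample lines in the layout of ASA "show conn | inc <client>" output
# (not output captured from the thread). Tunnel built without NAT-T on the client:
CONNS_NO_NATT = """\
UDP outside 203.0.113.5:500 inside 192.168.168.20:500, idle 0:00:12, bytes 2312, flags -
TCP outside 198.51.100.7:443 inside 192.168.168.20:51022, idle 0:01:03, bytes 8120, flags UIO
"""
# Same client after "enable NAT-Traversal" was ticked in the client software:
CONNS_NATT = """\
UDP outside 203.0.113.5:500 inside 192.168.168.20:500, idle 0:00:12, bytes 2312, flags -
UDP outside 203.0.113.5:4500 inside 192.168.168.20:4500, idle 0:00:01, bytes 40960, flags -
"""

# proto  iface  addr[:port]  iface  addr[:port], idle ..., bytes ..., flags ...
CONN_RE = re.compile(
    r"^(?P<proto>[A-Z]+)\s+\S+\s+(?P<a>[\d.]+)(?::(?P<ap>\d+))?"
    r"\s+\S+\s+(?P<b>[\d.]+)(?::(?P<bp>\d+))?"
)

def client_flows(conn_output, client_ip):
    """Return the set of (proto, client_port) pairs the client has open on the ASA."""
    flows = set()
    for line in conn_output.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        for ip, port in ((m["a"], m["ap"]), (m["b"], m["bp"])):
            if ip == client_ip:
                flows.add((m["proto"], int(port) if port else None))
    return flows

def vpn_posture(conn_output, client_ip):
    """Classify how the client's IPsec traffic is crossing the ASA's dynamic PAT."""
    flows = client_flows(conn_output, client_ip)
    if ("UDP", 4500) in flows:
        return "nat-t"      # IKE and ESP both UDP-encapsulated: PAT can track them
    if any(proto == "ESP" for proto, _ in flows):
        return "raw-esp"    # ESP not UDP-encapsulated; relies on ipsec-pass-thru inspect
    if ("UDP", 500) in flows:
        return "ike-only"   # tunnel negotiated, but no data-plane flow exists on the ASA
    return "no-vpn"

if __name__ == "__main__":
    for label, text in (("before", CONNS_NO_NATT), ("after", CONNS_NATT)):
        print(label, vpn_posture(text, "192.168.168.20"))
```

Paste the real show conn output into a file and read it in place of the constructed strings; an "ike-only" result matches the thread's symptom and points at the client-side NAT-T setting.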

4 REPLIES

Hi Jouni,

A big thanks to you!

It was the NAT-Traversal setting in the Shrewsoft client. As we always use Cisco and have a default profile where it is always enabled, I didn't even think of that.

BR
Amir

Dear Amir,

Can you please provide the final settings that need to be in place, and why?

Regards

Sena

Hi,

It was just the checkbox "enable NAT-Traversal" in the Shrewsoft client software. No changes on the FW were necessary. Cisco VPN Client/AnyConnect has this setting enabled by default; in Shrewsoft it isn't.

BR,

Amir
