Cisco Support Community
EasyVPN server-client, server-side-initiated traffic won't work

Hi

I've configured an ASA5510 as a central Easy VPN server. A home office user has an ASA5505 that is configured as a VPN client (the vpnclient commands). The tunnel works great, but there is an application that initiates TCP sessions from the hub LAN destined to the computer at home, behind the ASA5505 VPN client, and this traffic won't work. Now I am uncertain: should this work or not?

Topology: central net: 172.17.1.0/24 and a few other 172.17.x.y nets

Home net: 172.18.8.0/28 (central ASA config prepared for more future home networks in the 172.18.8.0/24 range)

Relevant server-side configuration:

! NAT exemption and split-tunnel list for traffic between the internal network and the home LAN
access-list Inside_nat0_outbound extended permit ip object-group Internal-network 172.17.8.0 255.255.255.0
access-list VPN5005_split_tunnel extended permit ip object-group Internal-network 172.17.8.0 255.255.255.0
nat (inside) 0 access-list Inside_nat0_outbound
! IPsec transform set and dynamic crypto map for the Easy VPN clients
crypto ipsec transform-set tset_VPN5005 esp-aes esp-sha-hmac
crypto dynamic-map dmap_VPN5005 5 set transform-set tset_VPN5005
crypto map Outside_map 100 ipsec-isakmp dynamic dmap_VPN5005
! ISAKMP (phase 1) policy
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
! Group policy: split tunneling and network extension mode allowed
group-policy gp_VPN5005 internal
group-policy gp_VPN5005 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN5005_split_tunnel
 nem enable
username VPN5005_user1 password password
! Tunnel group for the remote-access (Easy VPN) clients
tunnel-group tg_VPN5005 type ipsec-ra
tunnel-group tg_VPN5005 general-attributes
 default-group-policy gp_VPN5005
tunnel-group tg_VPN5005 ipsec-attributes
 pre-shared-key djhkj334kjhdkj3222

Home-side configuration:

! Inside (home LAN) interface
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.17.8.1 255.255.255.240
! Outside interface, addressed by DHCP from the ISP
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
! PAT for ordinary Internet traffic
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
! Easy VPN hardware client in network extension mode
vpnclient server x.x.x.x
vpnclient mode network-extension-mode
vpnclient vpngroup tg_VPN5005 password djhkj334kjhdkj3222
vpnclient username VPN5005_user1 password password
vpnclient enable

So, a user behind the 5505 has IP 172.17.8.10. The computer has full connectivity to all central servers on the 172.17.1.0 net. However, a server needs to initiate a TCP session to 172.17.8.10 and it won't work. Should it work? Or do we need a solution with a LAN-to-LAN tunnel with a static IP at home to get this working?

Thanks for all feedback!

/Jimmy

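For hub-initiated sessions to reach a host behind a network-extension-mode hardware client, the hub must at least exempt the remote LAN from NAT and include it in the split-tunnel list, and both sides must agree on NEM. The post's topology paragraph gives the home net as 172.18.8.0/28 while both configs use 172.17.8.x, which is exactly the kind of mismatch worth checking mechanically before looking elsewhere. The script below is an added example, not part of the original post or any Cisco tool: it parses the quoted config excerpts (embedded as constructed strings; the `Internal-network` object-group members are not in the post, so object-group references are skipped), extracts the client's inside subnet, and reports whether each referenced ACL on the hub covers it.

```python
import ipaddress
import re

# Constructed excerpts of the two configurations quoted in the post (built for
# this example; object-group membership is not part of the excerpt).
HUB_CONFIG = """\
access-list Inside_nat0_outbound extended permit ip object-group Internal-network 172.17.8.0 255.255.255.0
access-list VPN5005_split_tunnel extended permit ip object-group Internal-network 172.17.8.0 255.255.255.0
nat (inside) 0 access-list Inside_nat0_outbound
group-policy gp_VPN5005 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN5005_split_tunnel
 nem enable
"""

CLIENT_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.17.8.1 255.255.255.240
vpnclient mode network-extension-mode
"""


def _take_address(tokens):
    """Consume one ASA address spec (object-group X | host A | any | A MASK).

    Returns (network, remaining_tokens). Object-group references yield None as the
    network because their members are not in the excerpt being checked.
    """
    if not tokens:
        return None, tokens
    if tokens[0] == "object-group":
        return None, tokens[2:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl_destinations(config):
    """Map each ACL name to the destination networks of its 'extended permit ip' entries."""
    acls = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2:5] != ["extended", "permit", "ip"]:
            continue
        _, rest = _take_address(tokens[5:])   # source address spec
        dest, _ = _take_address(rest)         # destination address spec
        acls.setdefault(tokens[1], [])
        if dest is not None:
            acls[tokens[1]].append(dest)
    return acls


def client_inside_network(config):
    """Return the network configured on the interface whose nameif is 'inside'."""
    in_inside = False
    for line in config.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "interface":
            in_inside = False
        elif tokens[:2] == ["nameif", "inside"]:
            in_inside = True
        elif in_inside and tokens[:2] == ["ip", "address"] and len(tokens) >= 4:
            return ipaddress.ip_network(f"{tokens[2]}/{tokens[3]}", strict=False)
    return None


def check_nem_reachability(hub_config, client_config):
    """Return addressing findings that would block hub-initiated traffic to the remote LAN.

    An empty list means the excerpt is consistent; it says nothing about whether the
    tunnel is actually established, which hub-initiated sessions also require.
    """
    findings = []
    remote = client_inside_network(client_config)
    if remote is None:
        return ["client config has no 'inside' interface with an ip address"]
    if "vpnclient mode network-extension-mode" not in client_config:
        findings.append("client is not in network-extension mode; hub cannot address its LAN")
    if not re.search(r"^\s*nem enable\s*$", hub_config, re.M):
        findings.append("hub group-policy does not allow NEM ('nem enable' missing)")
    acls = parse_acl_destinations(hub_config)
    references = {
        "NAT exemption": re.search(r"^nat \(inside\) 0 access-list (\S+)", hub_config, re.M),
        "split tunnel": re.search(r"^\s*split-tunnel-network-list value (\S+)", hub_config, re.M),
    }
    for label, match in references.items():
        if match is None:
            findings.append(f"hub has no {label} ACL configured")
            continue
        nets = acls.get(match.group(1), [])
        if not any(remote.subnet_of(net) for net in nets):
            findings.append(f"{label} ACL {match.group(1)} does not cover remote LAN {remote}")
    return findings


if __name__ == "__main__":
    for finding in check_nem_reachability(HUB_CONFIG, CLIENT_CONFIG) or ["no addressing findings"]:
        print(finding)
```

Run against the quoted excerpts it reports nothing, because the hub ACLs cover 172.17.8.0/24 and the client's inside network is 172.17.8.0/28; substitute the 172.18.8.1 address from the topology paragraph and both the NAT-exemption and split-tunnel checks fail. The check is deliberately limited to what the excerpt contains: it does not evaluate object-group members, interface ACLs, or `sysopt connection permit-vpn`, and a clean result only rules out this class of addressing error.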