Community Member

Hosts on corporate network unable to connect to VPN client

I've got an ASA 5505 set up as an IPSec-VPN server. The VPN client is able to connect okay and can initiate TCP sessions with hosts on the corporate network. But those hosts cannot initiate TCP sessions with the client; the ASA rejects their packets instead of sending them through the encrypted tunnel.

This sounds like a firewall configuration problem. But the ASA is not set up to firewall VPN connections at all, as far as I can tell.

Can anyone explain what's wrong or where I should look?

2 REPLIES

Re: Hosts on corporate network unable to connect to VPN client

Alan,

I would check to see if the VPN client has "Stateful Firewall (always on)" enabled, as this will not allow any "inbound connections" not initiated by the client.

I would also check your no-nat rules, and make sure you have your "internal IP subnets" exempt from NATting to the VPN subnet.

HTH.

Community Member

Re: Hosts on corporate network unable to connect to VPN client

Thanks for the feedback.

The client is a Mac running OS X. Firewalling is turned off; there's no trouble connecting to the client when it is plugged directly into the corporate network.

The "no-nat" rules on the 5505 look like this:

access-list inside_nat0_outbound extended permit ip any 10.170.30.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

Here 10.170.30.0/24 is the IP pool dedicated to the VPN. There are no other NAT-related lines in the 5505's configuration.
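An added check, not part of either poster's reply: on the ASA itself, packet-tracer walks a simulated corporate-to-client packet through the ACL, NAT-exemption and VPN phases and names the phase that drops it, which pins down whether the nat 0 rule above is actually matched. The host address 10.1.1.10 and the client pool address 10.170.30.5 are assumptions.

```cisco
! Added example (not from the thread). Assumed addresses:
!   10.1.1.10   = a host on the corporate (inside) network
!   10.170.30.5 = the address the VPN client received from the 10.170.30.0/24 pool
!
! Simulate the corporate host opening TCP/22 to the client from the inside interface.
! A working path shows the inside_nat0_outbound exemption being hit and an
! encrypt/VPN phase with "Action: allow"; a broken path ends in "Action: drop"
! with the responsible phase (ACL, NAT, VPN) named in the trace.
packet-tracer input inside tcp 10.1.1.10 50000 10.170.30.5 22 detailed

! Confirm the NAT-exemption ACL is matching (hit count should rise after the trace).
show access-list inside_nat0_outbound

! Confirm an IPsec SA exists for the client and that encaps counters increase
! when a corporate host sends to it; a decaps-only SA means traffic is never
! being routed into the tunnel from the inside.
show crypto ipsec sa
```

Run the packet-tracer while the client is connected, since the trace can only be encrypted into an SA that is already up.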
