I configured an ASA for VPN clients. The ASA is behind a router that permits ESP, UDP 500 and UDP 4500 from any source.
The issue is: if I connect with the VPN client from my site (company) to the ASA, I receive one of the addresses configured (the VPN pool) and I can ping and telnet any host on the ASA's inside LAN.
If I connect via a modem (3G) or from a virtual machine on my computer, I cannot ping or telnet to anything, even though I receive the same IP from the pool. So the VPN client gets connected, but I cannot do anything in the ASA's inside network. Moreover, if I look in the Statistics window of the VPN client, it shows that it sends and encrypts packets but receives and decrypts none. If I look on the ASA with sho cry ipsec sa for that peer, it shows no packets received or sent.
Did you see this problem anywhere else? What could be wrong? In both situations the VPN client reaches the ASA from a public IP.
Enable "TCP NAT traversal"; some providers do not like encrypted traffic traversing their networks. Once you enable it (normally TCP port 10000, but this can be defined), remember to allow that specific TCP port through the router.
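The ASA and router side of that change, written out as an added example (not the answerer's own configuration). The ACL name, router interface, the ASA public address 203.0.113.10 and the peer placeholder are assumptions; the client's connection entry must also be switched to IPsec over TCP on the same port.

```cisco
! --- ASA (IKEv1 remote-access VPN client) ---
! Keep UDP-based NAT-T enabled (UDP 4500, already permitted on the router);
! 20 is the NAT keepalive interval in seconds.
crypto isakmp nat-traversal 20
! Also accept IPsec over TCP on port 10000 for clients whose provider
! drops ESP / UDP 4500. The port must match the client's transport setting.
crypto isakmp ipsec-over-tcp port 10000

! --- Upstream router (IOS) inbound ACL toward the ASA public address ---
! 203.0.113.10 is a placeholder for the ASA's real public IP.
ip access-list extended OUTSIDE-IN
 permit esp any host 203.0.113.10
 permit udp any host 203.0.113.10 eq isakmp
 permit udp any host 203.0.113.10 eq non500-isakmp
 permit tcp any host 203.0.113.10 eq 10000
interface GigabitEthernet0/0
 ip access-group OUTSIDE-IN in

! --- Verification on the ASA after reconnecting from the 3G/VM client ---
! <client-public-ip> is a placeholder for the peer seen in the ISAKMP SA.
show crypto isakmp sa
show crypto ipsec sa peer <client-public-ip>
```

With the tunnel carried over TCP 10000, both the `#pkts encaps` and `#pkts decaps` counters in `show crypto ipsec sa` should increase; if only the client-side encrypt counter moves, the return path is still being dropped upstream of the ASA.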