I have set up a remote access VPN between a Cisco ASA 5510 and a remote access client. The VPN successfully connects, but no network traffic is able to be passed. I have attached my configuration. Any help would be greatly appreciated.
Your access-list for Inside_nat0_outbound should be
access-list Inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 10.0.0.0 255.255.255.0
Let me know if it helps.
What is the IP address that you are trying to access after establishing the tunnel?
Also, did you do a clear xlate after changing the nat 0 access-list? If you are still having issues, could you post the output of "show crypto ipsec sa" once the tunnel is established and you try to access the internal hosts?
I have tried to access 172.16.1.2 via ping, and 172.16.1.51\cdrive, a shared resource. I have also tried to access the same resources using the 10.0.0.0 IP scheme. No luck. I did do a clear xlate after changing the access-list. I have attached the output of "show crypto ipsec sa" after attempting to access the hosts. (I have x'ed out the public IPs.)
Looking at the IPSEC SA, the IPSEC packets are not even making it to the ASA.
What is the internet gateway at the location from where you are doing this testing, and is your PC's IP address getting a static public IP address when traffic is destined for the internet, or is it Port Address Translated?
Also, what option are you using to connect to the VPN server? Is it IPSEC, IPSEC over UDP or IPSEC over TCP?
If you are using IPSEC, then UDP port 500 and protocol 50 (ESP) are used to build the tunnel and encrypt the packets. So, if your office is set up for PATing your IP, then this setup will not work, since Port Address Translation does not understand the protocol and your IPSEC packets will get dropped at the PATing device.
Also, look at the statistics under VPN Client and see if the packets are getting encrypted. If you see the encrypted packet counters increasing, then you know that the encrypted packets are leaving the PC but getting dropped somewhere in between the VPN Client and the ASA.
I hope it helps.
Thanks for the info. You are correct. The issue was that I was PATing my IP and therefore needed to add one more command to my configuration as follows:
isakmp nat-traversal 20
This is now allowing the traffic to pass over the PAT.
Thanks for all the help.
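Putting the two fixes from this thread side by side, here is a constructed ASA configuration excerpt (not the original poster's attached config, and not Cisco's own documentation) showing the NAT exemption ACL from the accepted answer together with the NAT traversal command that resolved the PAT problem. It uses the ASA 7.x / 8.0-8.2 syntax the thread itself uses (nat 0 access-list, isakmp nat-traversal). The inside LAN 172.16.1.0/24 and the client pool 10.0.0.0/24 come from the thread; the pool name vpnpool and the interface names inside/outside are assumptions, and the rest of the remote-access setup (crypto map, tunnel-group, group-policy) is assumed to be already in place.

```cisco
! Constructed example, not the poster's configuration.
! Address pool handed to remote-access clients (pool name "vpnpool" is assumed).
ip local pool vpnpool 10.0.0.1-10.0.0.254 mask 255.255.255.0

! NAT exemption (nat 0): traffic from the inside LAN to the VPN client pool
! must bypass translation. If it is translated, the return packets no longer
! match the crypto ACL and the client sees the tunnel up but passes no traffic.
access-list Inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list Inside_nat0_outbound

! ISAKMP on the interface facing the clients (interface name "outside" is assumed).
isakmp enable outside

! NAT traversal: when a PAT device sits between the client and the ASA, raw
! ESP (IP protocol 50) cannot be port-translated and is dropped. With NAT-T the
! peers detect the PAT device during IKE and carry ESP inside UDP/4500 instead.
! The argument (20) is the NAT keepalive interval in seconds.
isakmp nat-traversal 20
```

After changing the nat 0 ACL, run clear xlate (an exec command, not part of the config) so existing translations do not keep bypassing the new exemption. The check the thread already uses still applies: with NAT-T enabled, the encaps/decaps counters in "show crypto ipsec sa" should increase when the client pings an inside host; if they stay at zero, confirm that the PAT device in front of the client allows UDP/500 and UDP/4500 outbound.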
I've been looking at ASA dial-up VPNs for over a week now; I used Netscreens before - much nicer.
What messages are you getting in the ASDM log?
These are usually a good place to start.