Only single IP can connect to resources behind VPN
Clients from a small remote office are connecting to a VPN provided by a PIX 515 using Cisco VPN Clients.
The users are locked down to accessing a single machine behind the VPN. This has been working for years. On Monday, users at the remote office reported that only one user could access the server. After troubleshooting it was determined that only one IP from the remote office can connect. Not only 1 IP at a time, but a single IP. If another user at the office puts that IP on his computer he can now access the server behind the VPN.
All clients connect ok, but for some reason only this IP can traverse the VPN.
During debugging, show ipsec shows that the users that are not working are having problems decrypting packets.
Re: Only single IP can connect to resources behind VPN
Can you provide the show ipsec statistics of both the client and the PIX?
If the client shows encrypt and no decrypt, and if the PIX does not show both encrypt and decrypt, and the connection is native IPsec (not using NAT transparency), then it is likely that ESP (protocol 50) is being filtered for the specific problem IP addresses.
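The check described in the reply above, as an added example that is not part of the thread: it parses per-peer counters from text in the style of PIX `show crypto ipsec sa` output and flags clients whose counters fit the "ESP filtered in the path" pattern. The sample output, the client counters, the addresses, the function names, and the reading of "does not show both" as "both counters are zero" are assumptions made for illustration.

```python
import re

# Constructed sample in the style of PIX "show crypto ipsec sa" output.
PIX_SA = """\
   current_peer: 198.51.100.10:500
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest 120
    #pkts decaps: 118, #pkts decrypt: 118, #pkts verify 118
   current_peer: 198.51.100.11:500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
   current_peer: 198.51.100.12:4500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
"""

# Constructed client-side statistics: peer address -> (encrypted, decrypted).
CLIENT_STATS = {
    "198.51.100.10": (118, 120),
    "198.51.100.11": (57, 0),
    "198.51.100.12": (40, 0),
}

PEER = re.compile(r"current_peer:\s*(\d+\.\d+\.\d+\.\d+)(?::(\d+))?")
COUNTER = re.compile(r"#pkts (encrypt|decrypt):\s*(\d+)")

def parse_pix_sa(text):
    """Return {peer_ip: {"port": int, "encrypt": int, "decrypt": int}}."""
    peers, cur = {}, None
    for line in text.splitlines():
        m = PEER.search(line)
        if m:
            cur = peers.setdefault(
                m.group(1),
                {"port": int(m.group(2) or 500), "encrypt": 0, "decrypt": 0})
            continue
        if cur is not None:
            for name, value in COUNTER.findall(line):
                cur[name] += int(value)  # sum when a peer has several SAs
    return peers

def esp_filter_suspects(pix, clients):
    """Clients that encrypt but never decrypt while the PIX counts nothing."""
    suspects = []
    for ip, (c_enc, c_dec) in sorted(clients.items()):
        sa = pix.get(ip)
        # Assumption: peer port 500 means native IPsec (no NAT transparency).
        if sa and sa["port"] == 500 and c_enc > 0 and c_dec == 0 \
                and sa["encrypt"] == 0 and sa["decrypt"] == 0:
            suspects.append(ip)
    return suspects
```

A flagged address is a candidate for checking path filtering of IP protocol 50, for example with a packet capture on the PIX outside interface.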