I have an ASA 5505 configured as a VPN server. When connecting, the connection is successful; however, the remote users are unable to access the hosts on the LAN behind the ASA. Please find my config below; any help would be greatly appreciated.
Let's assume you have IPsec SAs established successfully.
Most common reasons: NAT-T not enabled, ESP blocked, routing issues for the VPN packets, or ACLs somewhere on the end-to-end path blocking packets.
You have at least three networks on the "inside":
196.0.x0.0/24, 10.129.0.0/24 and 10.140.0.0/24
There is also another Layer 3 device involved, which routes the 10.x.x.x networks.
Do you have a matching route for the VPN clients on that device so that VPN return traffic arrives on the ASA?
Verify routing on the client (secured routes should be either 0.0.0.0/0.0.0.0 or the internal network(s), depending on your split-tunnel settings) and verify routing on the ASA side (hosts on the ASA side, the Layer 3 device, hosts on the 10.x.x.x networks):
Verify packets encrypted/decrypted (in this example packets are sent to the tunnel but nothing returns):
Compare these numbers with the IPsec SA on the ASA (show crypto ipsec sa):
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
In this example the ASA decrypts packets but returns nothing.
The two examples combined could point to a routing issue or something NAT- or ACL-related on the ASA side: packets from the client are sent to the tunnel, encrypted, received by the ASA, decrypted, and then we don't know for sure.
Here's where troubleshooting starts:
Do you see an established connection on the ASA for the VPN?
Do you see a translation for that connection?
Do you see packets on the internal host?
Do you see packets returned from the internal host?
Do you see packets dropped by an ACL?
Troubleshooting strategies for other scenarios:
Client packets encrypted 0, decrypted 0
ASA packets encrypted 0, decrypted 0
Personal firewall? Client routing issue (DOS command netstat -r)?
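The answer above reduces the problem to four counters: what the client encrypts and decrypts, and what the ASA encapsulates and decapsulates. The following is an added example, not part of the original answer and not Cisco code: a small Python helper that pulls the encaps/decaps counters out of a "show crypto ipsec sa" dump and maps the four numbers onto the failure domains the answer lists. The ASA text is a constructed sample whose counters match the ones quoted in the answer (decaps 9, encaps 0); the peer addresses, interface and crypto map names in it are made up. The client-side counters are passed in as plain integers read off the VPN client's statistics window, because the exact field names there vary by client and are not given on the page. The mapping in diagnose() is a heuristic reading of the answer, not an exhaustive decision tree.

```python
import re

# Constructed sample of the relevant part of an ASA "show crypto ipsec sa" dump.
# Addresses, interface and crypto-map names are invented; the #pkts counters
# match the ones quoted in the answer (ASA decrypts 9 packets, encrypts none).
ASA_IPSEC_SA_SAMPLE = """\
interface: outside
    Crypto map tag: outside_dyn_map, seq num: 10, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.0.2.50/255.255.255.255/0/0)
      current_peer: 198.51.100.7, username: alice
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
      #pkts compressed: 0, #pkts decompressed: 0
"""

# Only the counters we reason about; "digest", "verify", "compressed" are ignored.
COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt): (\d+)")


def parse_asa_counters(text):
    """Return {'encaps': n, 'decaps': n, 'encrypt': n, 'decrypt': n} from a dump.

    If the dump contains several SAs (several remote idents), the counters are
    summed; pass only one SA's section if you need per-peer numbers.
    """
    totals = {"encaps": 0, "decaps": 0, "encrypt": 0, "decrypt": 0}
    for name, value in COUNTER_RE.findall(text):
        totals[name] += int(value)
    return totals


def diagnose(client_encrypted, client_decrypted, asa_encaps, asa_decaps):
    """Map the four counters onto the failure domains from the answer.

    Heuristic: follow the packet along the path and see which hop is the first
    one that does not forward it. Returns (domain, what to check next).
    """
    if client_encrypted == 0:
        return ("client",
                "nothing enters the tunnel on the client: check a personal "
                "firewall and client routing (netstat -r, secured routes)")
    if asa_decaps == 0:
        return ("transit-to-asa",
                "client encrypts but the ASA decapsulates nothing: ESP or "
                "UDP/4500 blocked on the path, or NAT-T not enabled")
    if asa_encaps == 0:
        return ("asa-inside",
                "ASA decrypts but sends nothing back: check the route for the "
                "VPN pool on the inside L3 device, the NAT translation for the "
                "connection, and ACL drops on the ASA")
    if client_decrypted == 0:
        return ("transit-to-client",
                "ASA encapsulates return traffic but the client decrypts "
                "nothing: return ESP blocked or NAT-T issue towards the client")
    return ("ok",
            "both directions carry packets; look above the tunnel (host "
            "firewall on the internal host, application, name resolution)")


def diagnose_from_asa_output(client_encrypted, client_decrypted, asa_text):
    """Convenience wrapper: client numbers plus the raw ASA dump."""
    c = parse_asa_counters(asa_text)
    return diagnose(client_encrypted, client_decrypted, c["encaps"], c["decaps"])


if __name__ == "__main__":
    # The scenario from the answer: client sent 9 packets into the tunnel,
    # got nothing back; ASA shows decaps 9 / encaps 0.
    domain, hint = diagnose_from_asa_output(9, 0, ASA_IPSEC_SA_SAMPLE)
    print(domain, "-", hint)
```

The order of the checks matters: a zero ASA encaps counter is only meaningful once you know the ASA actually decapsulated something, otherwise the problem is earlier on the path. Run it against the real dump from "show crypto ipsec sa" after clearing the counters and sending a known number of pings from the client, so the numbers are unambiguous.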
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit TCP from the inside interface to any6.
In Syslog I also se...