https://community.cisco.com/t5/network-security/remote-access-vpn-issue/m-p/1804423#M530951 <HTML><HEAD></HEAD><BODY><P> I did think of this and got it checked. Thansk</P></BODY></HTML> Thu, 10 Nov 2011 22:29:06 GMT David.Pellat 2011-11-10T22:29:06Z https://community.cisco.com/t5/network-security/remote-access-vpn-issue/m-p/1804420#M530937 <P>Hi, We have an issue where by we connect to various customers and the Cisco IPSEC remote access works fine from our LAN through an ASA5505 to a customer site.</P><P></P><P>We have 1 customer that we have some issues with. We can connect&nbsp; from the LAN through to the customers VPN, authenticate and establish a tunnel but in we cannot pass traffic. When we try from outside of the office on a public internet connection the VPN works fine. ANy ideas what could cause this issue?</P><P></P><P>&nbsp; Below is a copy of the config:</P><P></P><P></P><P><BR />interface Vlan1<BR />nameif inside<BR />security-level 100<BR />ip address 192.168.3.201 255.255.255.0 <BR />!<BR />interface Vlan2<BR />nameif outside<BR />security-level 0<BR />ip address x.x.x.x 255.255.255.0 <BR />!</P><P>object-group network Offsite-Authorised-VPNPoints<BR />network-object x.x.x.x 255.255.255.255<BR />network-object x.x.x.x&nbsp; 255.255.255.255<BR />network-object x.x.x.x 255.255.255.255<BR />network-object x.x.x.x 255.255.255.255<BR />network-object x.x.x.x 255.255.255.255<BR />network-object x.x.x.x 255.255.255.255</P><P>object-group network Onsite-Authorised-VPNPoints<BR />network-object 192.168.3.0 255.255.255.0<BR />object-group service VPNports<BR />service-object udp eq isakmp <BR />service-object tcp eq 10000 <BR />service-object udp eq 4500 <BR />service-object gre <BR />service-object esp <BR />service-object tcp eq pptp </P><P>access-list INSIDE extended permit tcp 192.168.3.0 255.255.255.0 host 4.35.174.43 eq 445 <BR />access-list INSIDE extended deny object-group Blocked-MS-ports any any <BR />access-list INSIDE extended permit object-group VPNports object-group Onsite-Authorised-VPNPoints object-group Offsite-Authorised-VPNPoints <BR />access-list INSIDE extended permit tcp object-group Outbound-SMTP-Servers any eq smtp <BR />access-list INSIDE extended deny tcp 192.168.3.0 255.255.255.0 any eq smtp <BR />access-list INSIDE extended permit ip 192.168.3.0 255.255.255.0 any <BR />access-list INSIDE extended deny ip any any </P><P>global (outside) 1 interface<BR />nat (inside) 1 192.168.3.0 255.255.255.0<BR />static (outside,inside) tcp 192.168.3.177 www 0.0.0.0 8800 netmask 255.255.255.255 <BR />static (inside,outside) 203.x.x.x 192.168.3.204 netmask 255.255.255.255 dns <BR />static (inside,outside) 203.x.x.x 192.168.3.207 netmask 255.255.255.255 dns <BR />static (inside,outside) 203.x.x.x 192.168.3.118 netmask 255.255.255.255 dns <BR />static (inside,outside) 203.x.x.x 192.168.3.52 netmask 255.255.255.255 dns <BR />access-group INSIDE in interface inside<BR />access-group OUTSIDE in interface outside<BR />route outside 0.0.0.0 0.0.0.0 203.x.x.x 1</P><P>crypto isakmp nat-traversal 30</P><P>!<BR />class-map inspection_default<BR />match default-inspection-traffic<BR />!<BR />!<BR />policy-map type inspect dns preset_dns_map<BR />parameters<BR />&nbsp; message-length maximum 1024<BR />policy-map global_policy<BR />class inspection_default<BR />&nbsp; inspect dns preset_dns_map <BR />&nbsp; inspect pptp <BR />&nbsp; inspect ftp <BR />&nbsp; inspect h323 h225 <BR />&nbsp; inspect h323 ras <BR />&nbsp; inspect http <BR />&nbsp; inspect ils <BR />&nbsp; inspect rsh <BR />&nbsp; inspect rtsp <BR />&nbsp; inspect sip&nbsp; <BR />&nbsp; inspect skinny&nbsp; <BR />&nbsp; inspect sqlnet <BR />&nbsp; inspect tftp <BR />&nbsp; inspect ipsec-pass-thru <BR />!</P> Mon, 11 Mar 2019 21:24:13 GMT https://community.cisco.com/t5/network-security/remote-access-vpn-issue/m-p/1804420#M530937 David.Pellat 2019-03-11T21:24:13Z https://community.cisco.com/t5/network-security/remote-access-vpn-issue/m-p/1804421#M530945 <HTML><HEAD></HEAD><BODY><P>Most likely the VPN server has not had NAT-T enabled, hence it is using ESP packet for Phase 2.</P><P>When you are connecting from the outside, it doesn't go through a PAT device, hence it works just fine.</P><P></P><P>Find out if NAT-T is enabled on the VPN server and enable it.</P></BODY></HTML> Wed, 14 Sep 2011 08:44:43 GMT https://community.cisco.com/t5/network-security/remote-access-vpn-issue/m-p/1804421#M530945 Jennifer Halim 2011-09-14T08:44:43Z https://community.cisco.com/t5/network-security/remote-access-vpn-issue/m-p/1804422#M530947 <HTML><HEAD></HEAD><BODY><P>Another possibility is that, since you say that this remote access connection works fine for other customers, it is possible that your local LAN subnet is the same as the remote end LAN Subnet, for example if your LAN is 10.1.1.0/24, and the remote LAN is the same, when you connect via VPN Client, when you attempt to access resources on the remote LAN, your local machine thinks you are trying to access resources on your local subnet, so it never makes it over the RA VPN tunnel.&nbsp; This would explain it working from a public Internet connection, but not within your office.</P></BODY></HTML> Wed, 14 Sep 2011 13:23:28 GMT https://community.cisco.com/t5/network-security/remote-access-vpn-issue/m-p/1804422#M530947 Scott Conklin 2011-09-14T13:23:28Z https://community.cisco.com/t5/network-security/remote-access-vpn-issue/m-p/1804423#M530951 <HTML><HEAD></HEAD><BODY><P> I did think of this and got it checked. Thansk</P></BODY></HTML> Thu, 10 Nov 2011 22:29:06 GMT https://community.cisco.com/t5/network-security/remote-access-vpn-issue/m-p/1804423#M530951 David.Pellat 2011-11-10T22:29:06Z