https://community.cisco.com/t5/network-security/allow-ipsec-traffic/m-p/1324959#M764272 <HTML><HEAD></HEAD><BODY><P>Please get the show service-policy and the logs when the client is trying to pass traffic.</P></BODY></HTML> Wed, 28 Oct 2009 21:40:45 GMT Ivan Martinon 2009-10-28T21:40:45Z https://community.cisco.com/t5/network-security/allow-ipsec-traffic/m-p/1324956#M764269 <P>We are trying to establish vpn connection using cisco vpn client on laptop to a vpn concentrator in a remote office. All network devices are in the same private network. There is a Cisco ASA 5505 firewall sitting between VPN client and VPN Concentrator. IPSec over TCP &amp; IPSec over UDP works fine. But plain IPsec will not work. We will be able to establish connection with plain IPSec but can't access resources behind the VPN concentrator. I am attaching the config Cisco ASA firewall for your reference. Please let me know what I am missing.</P><P></P><P> </P><P></P> Mon, 11 Mar 2019 16:33:14 GMT https://community.cisco.com/t5/network-security/allow-ipsec-traffic/m-p/1324956#M764269 dharmendra2shah 2019-03-11T16:33:14Z https://community.cisco.com/t5/network-security/allow-ipsec-traffic/m-p/1324957#M764270 <HTML><HEAD></HEAD><BODY><P>Try getting rid of the global defined on your config and disable nat-control, also just remember that ipsec pass through is only applicable for one to one translations, since your static is in place this should work ok. Try that and let us know.</P><P></P></BODY></HTML> Wed, 28 Oct 2009 21:22:42 GMT https://community.cisco.com/t5/network-security/allow-ipsec-traffic/m-p/1324957#M764270 Ivan Martinon 2009-10-28T21:22:42Z https://community.cisco.com/t5/network-security/allow-ipsec-traffic/m-p/1324958#M764271 <HTML><HEAD></HEAD><BODY><P>Imartino,</P><P></P><P>I got rid of those 2 commands using:</P><P></P><P>no global (outside) 1 interface</P><P>no nat-control</P><P></P><P>But still the same problem.</P></BODY></HTML> Wed, 28 Oct 2009 21:36:58 GMT https://community.cisco.com/t5/network-security/allow-ipsec-traffic/m-p/1324958#M764271 dharmendra2shah 2009-10-28T21:36:58Z https://community.cisco.com/t5/network-security/allow-ipsec-traffic/m-p/1324959#M764272 <HTML><HEAD></HEAD><BODY><P>Please get the show service-policy and the logs when the client is trying to pass traffic.</P></BODY></HTML> Wed, 28 Oct 2009 21:40:45 GMT https://community.cisco.com/t5/network-security/allow-ipsec-traffic/m-p/1324959#M764272 Ivan Martinon 2009-10-28T21:40:45Z https://community.cisco.com/t5/network-security/allow-ipsec-traffic/m-p/1324960#M764273 <HTML><HEAD></HEAD><BODY><P>Result of the command: "show service-policy"</P><P></P><P>Interface outside:</P><P> Service-policy: test-udp-policy</P><P> Class-map: test-udp-class</P><P> Inspect: ipsec-pass-thru pol-type1, packet 42, drop 0, reset-drop 0</P><P></P><P></P><P>Result of the command: "show conn"</P><P></P><P>9 in use, 12 most used</P><P>AH outside 0.0.0.0 inside 0.0.0.0, idle 0:11:52, bytes 0</P><P>ESP outside 0.0.0.0 inside 0.0.0.0, idle 0:11:52, bytes 0</P><P>ESP outside 192.168.34.7 inside 10.47.200.5, idle 0:01:01, bytes 12592</P><P>AH outside 192.168.34.7 inside 10.47.200.5, idle 0:11:52, bytes 0</P><P>ESP outside 192.168.34.7 inside 10.47.200.5, idle 0:11:52, bytes 0</P><P>UDP outside 192.168.34.7:500 inside 10.47.200.5:500, idle 0:01:01, bytes 3431, flags -</P></BODY></HTML> Wed, 28 Oct 2009 21:45:11 GMT https://community.cisco.com/t5/network-security/allow-ipsec-traffic/m-p/1324960#M764273 dharmendra2shah 2009-10-28T21:45:11Z https://community.cisco.com/t5/network-security/allow-ipsec-traffic/m-p/1324961#M764274 <HTML><HEAD></HEAD><BODY><P>Do you get any drops on the logs?</P></BODY></HTML> Wed, 28 Oct 2009 21:46:35 GMT https://community.cisco.com/t5/network-security/allow-ipsec-traffic/m-p/1324961#M764274 Ivan Martinon 2009-10-28T21:46:35Z https://community.cisco.com/t5/network-security/allow-ipsec-traffic/m-p/1324962#M764275 <HTML><HEAD></HEAD><BODY><P>No I don't see any drops on the log. This problem is killing me. I thought it would be simple.</P></BODY></HTML> Wed, 28 Oct 2009 21:49:00 GMT https://community.cisco.com/t5/network-security/allow-ipsec-traffic/m-p/1324962#M764275 dharmendra2shah 2009-10-28T21:49:00Z https://community.cisco.com/t5/network-security/allow-ipsec-traffic/m-p/1324963#M764276 <HTML><HEAD></HEAD><BODY><P>Can you change the acess-list to include IP rather than udp.</P></BODY></HTML> Wed, 28 Oct 2009 21:50:31 GMT https://community.cisco.com/t5/network-security/allow-ipsec-traffic/m-p/1324963#M764276 Ivan Martinon 2009-10-28T21:50:31Z https://community.cisco.com/t5/network-security/allow-ipsec-traffic/m-p/1324964#M764278 <HTML><HEAD></HEAD><BODY><P>I allowed ip traffic instead of udp. Still no success.</P></BODY></HTML> Wed, 28 Oct 2009 23:55:35 GMT https://community.cisco.com/t5/network-security/allow-ipsec-traffic/m-p/1324964#M764278 dharmendra2shah 2009-10-28T23:55:35Z https://community.cisco.com/t5/network-security/allow-ipsec-traffic/m-p/1324965#M764279 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Could you connect your laptop to the outside network and ensure that it's working without passing through ASA ?</P><P></P><P>1. with the no nat-control you don't need the static statement, so can you remove it also.</P><P></P><P>2.in second test if you keep the static Identity, use nat exemption instead (I already experienced problem related to that).</P><P> </P><P></P><P>Regards</P></BODY></HTML> Thu, 29 Oct 2009 02:30:02 GMT https://community.cisco.com/t5/network-security/allow-ipsec-traffic/m-p/1324965#M764279 Amadou TOURE 2009-10-29T02:30:02Z