cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
485
Views
4
Helpful
3
Replies

Remote access VPN Issue

David.Pellat
Beginner
Beginner

Hi, We have an issue where by we connect to various customers and the Cisco IPSEC remote access works fine from our LAN through an ASA5505 to a customer site.

We have 1 customer that we have some issues with. We can connect  from the LAN through to the customers VPN, authenticate and establish a tunnel but in we cannot pass traffic. When we try from outside of the office on a public internet connection the VPN works fine. ANy ideas what could cause this issue?

  Below is a copy of the config:


interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.201 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.0
!

object-group network Offsite-Authorised-VPNPoints
network-object x.x.x.x 255.255.255.255
network-object x.x.x.x  255.255.255.255
network-object x.x.x.x 255.255.255.255
network-object x.x.x.x 255.255.255.255
network-object x.x.x.x 255.255.255.255
network-object x.x.x.x 255.255.255.255

object-group network Onsite-Authorised-VPNPoints
network-object 192.168.3.0 255.255.255.0
object-group service VPNports
service-object udp eq isakmp
service-object tcp eq 10000
service-object udp eq 4500
service-object gre
service-object esp
service-object tcp eq pptp

access-list INSIDE extended permit tcp 192.168.3.0 255.255.255.0 host 4.35.174.43 eq 445
access-list INSIDE extended deny object-group Blocked-MS-ports any any
access-list INSIDE extended permit object-group VPNports object-group Onsite-Authorised-VPNPoints object-group Offsite-Authorised-VPNPoints
access-list INSIDE extended permit tcp object-group Outbound-SMTP-Servers any eq smtp
access-list INSIDE extended deny tcp 192.168.3.0 255.255.255.0 any eq smtp
access-list INSIDE extended permit ip 192.168.3.0 255.255.255.0 any
access-list INSIDE extended deny ip any any

global (outside) 1 interface
nat (inside) 1 192.168.3.0 255.255.255.0
static (outside,inside) tcp 192.168.3.177 www 0.0.0.0 8800 netmask 255.255.255.255
static (inside,outside) 203.x.x.x 192.168.3.204 netmask 255.255.255.255 dns
static (inside,outside) 203.x.x.x 192.168.3.207 netmask 255.255.255.255 dns
static (inside,outside) 203.x.x.x 192.168.3.118 netmask 255.255.255.255 dns
static (inside,outside) 203.x.x.x 192.168.3.52 netmask 255.255.255.255 dns
access-group INSIDE in interface inside
access-group OUTSIDE in interface outside
route outside 0.0.0.0 0.0.0.0 203.x.x.x 1

crypto isakmp nat-traversal 30

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 1024
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect pptp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect rsh
  inspect rtsp
  inspect sip 
  inspect skinny 
  inspect sqlnet
  inspect tftp
  inspect ipsec-pass-thru
!

3 REPLIES 3

Jennifer Halim
Cisco Employee
Cisco Employee

Most likely the VPN server has not had NAT-T enabled, hence it is using ESP packet for Phase 2.

When you are connecting from the outside, it doesn't go through a PAT device, hence it works just fine.

Find out if NAT-T is enabled on the VPN server and enable it.

Scott Conklin
Beginner
Beginner

Another possibility is that, since you say that this remote access connection works fine for other customers, it is possible that your local LAN subnet is the same as the remote end LAN Subnet, for example if your LAN is 10.1.1.0/24, and the remote LAN is the same, when you connect via VPN Client, when you attempt to access resources on the remote LAN, your local machine thinks you are trying to access resources on your local subnet, so it never makes it over the RA VPN tunnel.  This would explain it working from a public Internet connection, but not within your office.

I did think of this and got it checked. Thansk

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: