Remote access VPN Issue

David.Pellat
Level 1

Hi, we have an issue whereby we connect to various customers and the Cisco IPsec remote access works fine from our LAN through an ASA5505 to a customer site.

We have 1 customer that we have some issues with. We can connect from the LAN through to the customer's VPN, authenticate and establish a tunnel, but we cannot pass traffic. When we try from outside of the office on a public internet connection the VPN works fine. Any ideas what could cause this issue?

Below is a copy of the config:

interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.201 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.0
!

object-group network Offsite-Authorised-VPNPoints
network-object x.x.x.x 255.255.255.255
network-object x.x.x.x 255.255.255.255
network-object x.x.x.x 255.255.255.255
network-object x.x.x.x 255.255.255.255
network-object x.x.x.x 255.255.255.255
network-object x.x.x.x 255.255.255.255

object-group network Onsite-Authorised-VPNPoints
network-object 192.168.3.0 255.255.255.0
object-group service VPNports
service-object udp eq isakmp
service-object tcp eq 10000
service-object udp eq 4500
service-object gre
service-object esp
service-object tcp eq pptp

access-list INSIDE extended permit tcp 192.168.3.0 255.255.255.0 host 4.35.174.43 eq 445
access-list INSIDE extended deny object-group Blocked-MS-ports any any
access-list INSIDE extended permit object-group VPNports object-group Onsite-Authorised-VPNPoints object-group Offsite-Authorised-VPNPoints
access-list INSIDE extended permit tcp object-group Outbound-SMTP-Servers any eq smtp
access-list INSIDE extended deny tcp 192.168.3.0 255.255.255.0 any eq smtp
access-list INSIDE extended permit ip 192.168.3.0 255.255.255.0 any
access-list INSIDE extended deny ip any any

global (outside) 1 interface
nat (inside) 1 192.168.3.0 255.255.255.0
static (outside,inside) tcp 192.168.3.177 www 0.0.0.0 8800 netmask 255.255.255.255
static (inside,outside) 203.x.x.x 192.168.3.204 netmask 255.255.255.255 dns
static (inside,outside) 203.x.x.x 192.168.3.207 netmask 255.255.255.255 dns
static (inside,outside) 203.x.x.x 192.168.3.118 netmask 255.255.255.255 dns
static (inside,outside) 203.x.x.x 192.168.3.52 netmask 255.255.255.255 dns
access-group INSIDE in interface inside
access-group OUTSIDE in interface outside
route outside 0.0.0.0 0.0.0.0 203.x.x.x 1

crypto isakmp nat-traversal 30

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 1024
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect pptp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect tftp
  inspect ipsec-pass-thru
!

3 Replies

Jennifer Halim
Cisco Employee

Most likely the VPN server has not had NAT-T enabled, hence it is using ESP packets for Phase 2.

When you are connecting from the outside, it doesn't go through a PAT device, hence it works just fine.

Find out if NAT-T is enabled on the VPN server and enable it.
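Before handing the question to the VPN server's administrator, it helps to confirm what the local ASA does and does not allow for a client sitting behind its PAT. The script below is an added example, not part of this thread and not Cisco code: it parses the relevant lines of the config posted above (embedded as an excerpt, with the masked x.x.x.x addresses left as posted), checks whether the inside subnet is PAT'd, whether the VPNports group permits ISAKMP and UDP/4500 (the NAT-T encapsulation), whether plain ESP is permitted, and whether the ASA is running IPsec pass-through inspection. The group name VPNports and the verdict strings are assumptions chosen for the example; ESP having no port numbers for a PAT device to track is the fact behind the "permit-udp-4500" verdict.

```python
import re
from typing import Dict, Set

# Excerpt of the ASA config posted in the question (only the lines the check
# needs; addresses are masked as x.x.x.x exactly as in the post).
ASA_CONFIG = """\
object-group service VPNports
service-object udp eq isakmp
service-object tcp eq 10000
service-object udp eq 4500
service-object gre
service-object esp
service-object tcp eq pptp
access-list INSIDE extended permit object-group VPNports object-group Onsite-Authorised-VPNPoints object-group Offsite-Authorised-VPNPoints
global (outside) 1 interface
nat (inside) 1 192.168.3.0 255.255.255.0
class inspection_default
  inspect ipsec-pass-thru
"""


def parse_service_groups(config: str) -> Dict[str, Set[str]]:
    """Map each 'object-group service' name to the services it lists,
    normalised as 'proto' or 'proto/port'."""
    groups: Dict[str, Set[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"object-group service (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = set()
        elif current is not None and line.startswith("service-object "):
            parts = line.split()
            proto = parts[1]
            port = parts[3] if len(parts) >= 4 and parts[2] == "eq" else None
            groups[current].add(f"{proto}/{port}" if port else proto)
        else:
            current = None  # any other line ends the object-group body
    return groups


def nat_t_checks(config: str, vpn_group: str = "VPNports") -> Dict[str, bool]:
    """Local-side facts that decide whether an IPsec client behind this ASA
    can use NAT-T (ESP wrapped in UDP/4500) once its address is PAT'd."""
    svc = parse_service_groups(config).get(vpn_group, set())
    return {
        "isakmp_permitted": "udp/isakmp" in svc or "udp/500" in svc,
        "nat_t_permitted": "udp/4500" in svc,
        "esp_permitted": "esp" in svc,
        # dynamic PAT of the inside subnet to the outside interface address
        "pat_in_use": bool(
            re.search(r"^global \(outside\) 1 interface", config, re.M)
            and re.search(r"^nat \(inside\) 1 ", config, re.M)
        ),
        # ASA inspection that tracks ISAKMP and lets the matching ESP through
        "ipsec_pass_thru_inspected": bool(
            re.search(r"^\s*inspect ipsec-pass-thru", config, re.M)
        ),
    }


def verdict(checks: Dict[str, bool]) -> str:
    """Turn the checks into the next thing to look at (strings are assumed)."""
    if not checks["pat_in_use"]:
        return "no-pat"  # clients keep their real address; plain ESP can work
    if not checks["isakmp_permitted"]:
        return "permit-isakmp"  # Phase 1 cannot even start
    if not checks["nat_t_permitted"]:
        return "permit-udp-4500"  # ESP carries no ports for PAT to track
    # Everything on this side is in place; the remaining variable is the peer.
    return "check-nat-t-on-vpn-server"


if __name__ == "__main__":
    c = nat_t_checks(ASA_CONFIG)
    for k, v in c.items():
        print(f"{k:26} {v}")
    print("verdict:", verdict(c))
```

Run against the posted excerpt, every local check passes and the verdict is "check-nat-t-on-vpn-server", which is the same conclusion as the reply above: the ASA already permits UDP/4500 outbound, so whether the far end will negotiate NAT-T is what remains to verify.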

Scott Conklin
Level 1

Another possibility, since you say that this remote access connection works fine for other customers, is that your local LAN subnet is the same as the remote end's LAN subnet. For example, if your LAN is 10.1.1.0/24 and the remote LAN is the same, then when you connect via the VPN client and attempt to access resources on the remote LAN, your local machine thinks you are trying to access resources on your local subnet, so the traffic never makes it over the RA VPN tunnel. This would explain it working from a public Internet connection but not within your office.
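The routing decision Scott describes can be reproduced on a small model of the client's route table. The script below is an added example, not part of this thread: it builds the table a VPN client host ends up with (its connected LAN, the prefixes pushed for the tunnel, and a default route), does a longest-prefix match, and lists pushed prefixes that overlap the client's own LAN. The office LAN 192.168.3.0/24 is the inside subnet from the posted config; the hotel LAN and the two customer subnets are constructed values, and the assumption that the connected route wins an equal-length tie is what makes the overlapping case fail. It also goes one step beyond the reply: a pushed prefix that is more specific than the local LAN wins the lookup, which the last scenario shows.

```python
import ipaddress
from typing import List, Optional, Tuple

# (prefix, where packets for it are sent) as a VPN client host sees its table
Route = Tuple[ipaddress.IPv4Network, str]

# Constructed scenarios: the office LAN is the inside subnet from the posted
# ASA config; the other three subnets are made up for the example.
OFFICE_LAN = "192.168.3.0/24"
HOTEL_LAN = "172.16.5.0/24"      # a public connection outside the office
CUSTOMER_A = "10.50.0.0/24"      # customer whose VPN works from the office
CUSTOMER_B = "192.168.3.0/24"    # customer whose LAN collides with the office


def host_routes(local_lan: str, tunnel_lans: List[str]) -> List[Route]:
    """Route table of a client: its connected LAN, the prefixes the VPN
    concentrator pushed down the tunnel, and a default route."""
    routes: List[Route] = [(ipaddress.ip_network(local_lan), "local-nic")]
    routes += [(ipaddress.ip_network(r), "vpn-tunnel") for r in tunnel_lans]
    routes.append((ipaddress.ip_network("0.0.0.0/0"), "default-gateway"))
    return routes


def lookup(routes: List[Route], dst: str) -> str:
    """Longest-prefix match. On an equal-length tie the connected route,
    listed first, wins (assumption matching the behaviour described above)."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, via in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else "unreachable"


def colliding_prefixes(local_lan: str, tunnel_lans: List[str]) -> List[str]:
    """Pushed prefixes that overlap the client's own LAN; hosts in them are
    resolved locally instead of through the tunnel."""
    local = ipaddress.ip_network(local_lan)
    return [r for r in tunnel_lans if ipaddress.ip_network(r).overlaps(local)]


if __name__ == "__main__":
    for where, lan in (("office", OFFICE_LAN), ("hotel", HOTEL_LAN)):
        for customer in (CUSTOMER_A, CUSTOMER_B):
            table = host_routes(lan, [customer])
            target = str(ipaddress.ip_network(customer)[10])  # a remote host
            print(f"{where:6} -> {target:13} via {lookup(table, target):15}"
                  f" collisions={colliding_prefixes(lan, [customer])}")
    # a more specific pushed prefix beats the /24 connected route
    print("office -> 192.168.3.10 via",
          lookup(host_routes(OFFICE_LAN, ["192.168.3.0/25"]), "192.168.3.10"))
```

From the office, a host on customer A's subnet resolves to the tunnel while the same host on customer B's subnet resolves to the local NIC; from the hotel both resolve to the tunnel, which is exactly the symptom in the question. Running colliding_prefixes against the pushed split-tunnel list is a quick way to confirm or rule this out.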

I did think of this and got it checked. Thanks
