10-02-2014 05:55 AM - edited 03-11-2019 09:51 PM
Hi,
Today I ran into a problem which I think is an ASA problem or bug.
We have a customer who has an ASA 5505 from us. He has only a few clients on the inside network, using address range 192.168.168.0.
He also needs to manage some production analyzing tools in another company, where he builds up a tunnel via Shrewsoft VPN-Client and then connects to the remote host (192.168.0.10/24). A new interface is created by the VPN-Client (192.168.46.1) and the routing on the client is set properly.
With the old Zyxel FW this was working without problems. Without firewall (tethering over mobile-phone) it's also working perfectly.
But when the client is connected to ASA, there is a problem:
The remote client, that needs to be managed (192.168.0.10) isn't reachable. There is nothing logged on ASA - because it's passing through the tunnel.
I have no access to the remote FW, but as it is working from every other network except the one behind the ASA, I assume that the configuration should be OK there.
Things I've tried until now:
- permit ESP
- enable inspection for pptp and ipsec-pass-thru
- access-list in- & outbound: permit gre any any, permit tcp pptp any any -> even permit IP any any in&out didn't help
- client: deactivate Windows firewall
- client: Wireshark-capture on tunnel-interface -> when pinging the remote client IP, I only get the ARP request and reply, no ICMP is started
- client ARP table has the entry for 192.168.0.10 with MAC bb:bb:bb:bb:bb:00
- ASA has a default route outside and only 192.168.168.0/24 inside. 192.168.0.0/24 is not routed on the ASA.
Later, I also tried the same VPN-profile from our headquarters and a detailed logging-server -> same issue, tunnel connection OK, but 192.168.0.10 not reachable. Logging doesn't show any permit/deny. Connecting over mobile connection (not going over ASA) -> tunnel OK, ping & RDP OK.
I would be thankful for any kind of solution!
Thanks in advance,
Amir
10-02-2014 06:29 AM
Hi,
Can you pull any kind of statistics of the VPN Client software when the VPN connection is active to see if any traffic is encapsulated/encrypted?
Can you list the connections from the client PC on the ASA when the VPN connection is active?
show conn | inc 192.168.168.x
Have you enabled Transparent Tunneling (UDP/4500) on the Client software so that the VPN connection works through a Dynamic PAT translation that the local ASA is probably using for internal hosts connections to the Internet?
- Jouni
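To make Jouni's point about Transparent Tunneling concrete, here is an added example (not code from the thread, the ASA, or the Shrewsoft client) that classifies the packets a remote-access IPsec client produces as seen from the edge firewall. It assumes constructed flow records (a 5-tuple plus payload) rather than real ASA `show conn` output, and it demultiplexes UDP/4500 datagrams using the RFC 3948 framing: a single 0xFF byte is a NAT keepalive, four zero bytes (the non-ESP marker) precede IKE, and anything else starts with a non-zero ESP SPI. Raw ESP (IP protocol 50) has no ports, which is why a dynamic PAT cannot map it like ordinary client traffic; the verdict logic reproduces the symptom from the thread, where IKE on UDP/500 succeeds but data never passes.

```python
"""Classify IPsec-related flows crossing a PAT firewall (added example).

Flow records below are constructed for illustration; they are not real
ASA output and the addresses are documentation ranges.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IP_PROTO_UDP = 17
IP_PROTO_ESP = 50      # raw ESP: no ports, so generic PAT has nothing to translate
IKE_PORT = 500         # IKE before NAT detection
NAT_T_PORT = 4500      # RFC 3947/3948: IKE and ESP encapsulated in UDP


@dataclass
class Flow:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None
    payload: bytes = b""


def classify_udp4500(payload: bytes) -> str:
    """Demultiplex a UDP/4500 datagram per RFC 3948 section 2."""
    if len(payload) == 1 and payload[0] == 0xFF:
        return "nat-keepalive"          # keeps the PAT entry alive
    if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
        return "ike-nat-t"              # non-ESP marker, IKE follows
    if len(payload) >= 8:               # SPI (4) + sequence number (4) minimum
        return "esp-nat-t"              # UDP-encapsulated ESP, SPI is non-zero
    return "malformed"


def classify(flow: Flow) -> Tuple[str, bool]:
    """Return (kind, pat_safe): whether a port-based PAT can carry the flow."""
    if flow.proto == IP_PROTO_ESP:
        return "raw-esp", False
    if flow.proto == IP_PROTO_UDP and flow.dport == IKE_PORT:
        return "ike", True
    if flow.proto == IP_PROTO_UDP and flow.dport == NAT_T_PORT:
        return classify_udp4500(flow.payload), True
    return "other", True


def diagnose(flows: List[Flow]) -> Dict[str, object]:
    """Summarise one client's flows and say why the tunnel does or does not carry data."""
    counts: Dict[str, int] = {}
    for f in flows:
        kind, _ = classify(f)
        counts[kind] = counts.get(kind, 0) + 1
    ike_seen = counts.get("ike", 0) + counts.get("ike-nat-t", 0)
    if ike_seen == 0:
        verdict = "no IKE seen: tunnel is not negotiating at all"
    elif counts.get("esp-nat-t", 0) > 0:
        verdict = "NAT-T in use: data path is UDP/4500 and PAT-safe"
    elif counts.get("raw-esp", 0) > 0:
        verdict = "tunnel up but data is raw ESP: enable NAT-T on the client"
    else:
        verdict = "IKE only: no data traffic observed"
    return {"counts": counts, "verdict": verdict}


# Constructed samples: client behind PAT, peer at a documentation address.
CLIENT, PEER = "192.168.168.10", "203.0.113.5"
FLOWS_NAT_T_DISABLED = [
    Flow(CLIENT, PEER, IP_PROTO_UDP, 500, 500, b"\x11" * 28),   # IKE main mode
    Flow(CLIENT, PEER, IP_PROTO_ESP),                           # ESP, no ports
]
FLOWS_NAT_T_ENABLED = [
    Flow(CLIENT, PEER, IP_PROTO_UDP, 4500, 4500, b"\x00\x00\x00\x00" + b"\x22" * 28),
    Flow(CLIENT, PEER, IP_PROTO_UDP, 4500, 4500, b"\x00\x00\x01\x02" + b"\x33" * 20),
    Flow(CLIENT, PEER, IP_PROTO_UDP, 4500, 4500, b"\xff"),
]

if __name__ == "__main__":
    for label, flows in (("NAT-T disabled", FLOWS_NAT_T_DISABLED),
                         ("NAT-T enabled", FLOWS_NAT_T_ENABLED)):
        print(label, diagnose(flows))
```

Run it as-is to see the two verdicts side by side; to use it on real data, build `Flow` objects from your own capture or connection table and call `diagnose` on the flows of one inside host.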
10-02-2014 07:04 AM
Hi Jouni,
A big thanks to you!
It was the NAT-Traversal setting in the Shrewsoft-Client. As we always use Cisco and have a default profile where it is always enabled, I didn't even think of that.
BR
Amir
05-16-2016 10:06 PM
Dear Amir,
Can you please provide what the final settings need to be and why?
Regards
Sena
05-17-2016 12:25 AM
Hi,
It was just the checkbox "enable NAT-Traversal" in the Shrewsoft Client Software. No changes on the FW were necessary. Cisco VPN-Client/AnyConnect has this setting enabled by default; in Shrewsoft it isn't.
BR,
Amir