Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
678
Views
0
Helpful
3
Replies

Cisco ASA - Remote Access VPN: Can't access RA clients from ASA

Ashley Sahonta
Level 1
Level 1

‎01-10-2015 04:54 PM - edited ‎02-21-2020 08:01 PM

I have a Cisco ASA configured with remote access VPN configured, using the IPSec client (v4). The clients authenticate using RADIUS and can access internal resources fine. The current issue I am facing is that I am not able to connect to the remote access clients, whether from the ASA (sourced from inside interface) or from the internal network.

I decided to setup an additional RA VPN profile, but only difference being is that it is using the local DB for authentication and I can ping clients.

I enabled a packet capture on the inside interface for any packets destined to the subnet of the remote access pool and shows a packet count of zero.

I have also carried out a packet tracer using both an internal IP and the inside interface of the ASA and I am getting different output - when using internal IP the flow is permitted and shows as matching against the correct NAT statements, etc. When I use the ASA inside interface, it displays that the flow is dropped by a configured ACL.

Does anyone have any suggestions on what may be causing this?

Labels:
0 Helpful
3 Replies 3

Ashley Sahonta
Level 1
Level 1

‎01-12-2015 08:54 AM

Anyone?

0 Helpful

Poonam Garg
Level 3
Level 3
In response to Ashley Sahonta

‎01-24-2015 08:27 AM

Hi Ashley,

IPSec RA vpn need to be initiated by VPN client only. Once tunnel is established then only it work bidirectionally.

 

Please check if you have enabled reverse route injection on ASA.

 

 

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni

‎01-12-2015 06:20 PM

Hello,

 

I would start by checking the Tunnel-Group, Policy-Group and VPN Split Tunnel Policy (if any) as well as the NAT rules.

 

Afterwards I can proceed to ask for the packet-captures that I need.

Regards,

 

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2-CCNP, JNCIS-SEC
For inmediate assistance hire us at http://i-networks.us

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents