01-10-2015 04:54 PM - edited 02-21-2020 08:01 PM
I have a Cisco ASA configured with remote access VPN, using the IPSec client (v4). The clients authenticate using RADIUS and can access internal resources fine. The current issue I am facing is that I am not able to connect to the remote access clients, whether from the ASA (sourced from the inside interface) or from the internal network.
I decided to set up an additional RA VPN profile, the only difference being that it uses the local DB for authentication, and I can ping clients.
I enabled a packet capture on the inside interface for any packets destined to the subnet of the remote access pool, and it shows a packet count of zero.
I have also carried out a packet tracer using both an internal IP and the inside interface of the ASA, and I am getting different output: when using an internal IP the flow is permitted and shows as matching against the correct NAT statements, etc. When I use the ASA inside interface, it displays that the flow is dropped by a configured ACL.
Does anyone have any suggestions on what may be causing this?
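An added example, not from the original post or its replies, of the ASA CLI commands behind the checks described above: session and reverse-route state, packet-tracer from an internal host and from the ASA itself, the inside-interface capture, and the NAT exemption between the internal network and the pool. All object names, map names and addresses are placeholders.

```text
! Placeholders: VPN_POOL = 10.10.10.0/24 (RA address pool),
! INSIDE_NET = 192.168.1.0/24 (internal network), DYN_MAP = the dynamic
! crypto map the RA tunnel-group lands on, 10.10.10.5 = a connected client.

! 1. Confirm the client is connected and which pool address it received.
!    (Older releases use "show vpn-sessiondb remote" instead.)
show vpn-sessiondb ra-ikev1-ipsec

! 2. Reverse route injection: with RRI set on the dynamic map, a host route
!    for the client address appears in the routing table once the tunnel is up.
crypto dynamic-map DYN_MAP 10 set reverse-route
show route | include 10.10.10.

! 3. Packet-tracer from an internal host toward the client. packet-tracer
!    simulates the path only; it never puts packets into a capture.
packet-tracer input inside icmp 192.168.1.10 8 0 10.10.10.5 detailed

!    Traffic sourced from the ASA's own inside interface toward a VPN client
!    requires management access on that interface; without it the self-sourced
!    test fails even when host-to-client traffic is fine.
management-access inside
ping inside 10.10.10.5

! 4. Capture on the inside interface for anything destined to the pool.
!    If the count stays zero while an internal host is pinging the client,
!    the packets are not reaching the inside interface at all (host default
!    gateway or upstream routing), so the ASA VPN policy is not yet involved.
capture CAPIN interface inside match ip any 10.10.10.0 255.255.255.0
show capture CAPIN
no capture CAPIN

! 5. NAT exemption (ASA 8.3+ syntax) so inside<->pool traffic is not translated.
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
object network VPN_POOL
 subnet 10.10.10.0 255.255.255.0
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
```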
01-12-2015 08:54 AM
Anyone?
01-24-2015 08:27 AM
Hi Ashley,
IPSec RA VPN needs to be initiated by the VPN client only. Once the tunnel is established, only then does it work bidirectionally.
Please check if you have enabled reverse route injection on ASA.
01-12-2015 06:20 PM
Hello,
I would start by checking the Tunnel-Group, Policy-Group and VPN Split Tunnel Policy (if any) as well as the NAT rules.
Afterwards I can proceed to ask for the packet captures that I need.
Regards,
Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2-CCNP, JNCIS-SEC
For immediate assistance hire us at http://i-networks.us