1578 Views · 0 Helpful · 6 Replies

Cisco ASA5510 VPN problem

rgaasbeek (Level 1)

Hi,

This is my first time posting in this forum. I am having trouble getting Mac computers (my test machine runs OS X 10.8.2) to connect properly to our company's VPN. We have a Cisco ASA5510 which handles the VPN requests. Here are some details:

--Windows computers running the Cisco VPN Client (not AnyConnect) are able to connect to the VPN and access internal computers, the fileserver, etc., just as we'd like them to.

--Macs can establish a VPN connection but cannot communicate with internal machines or servers. I cannot connect to or ping the fileserver by its IP address, and I also cannot ping my own work computer.

--BUT, from my work computer I CAN ping the Mac's IP address (the one it received after connecting via VPN). So the internal Windows PC can ping the external VPN'd Mac, but the Mac cannot ping the internal Windows PC.

Using ASDM I was able to start up Packet Tracer. I had it trace a ping from the Windows machine address 192.168.0.52/23 to the Mac's VPN address 192.168.5.33/24. This was successful.

Using Packet Tracer to trace a ping from the Mac's VPN address 192.168.5.33/24 to the Windows address 192.168.0.52/23 is not successful. The packet goes through the following phases: "Capture", "Access-list", "Route-Lookup", "Access-List", "IP Options", "Inspect", "Inspect", "Debug-ICMP", "NAT-Exempt", until it reaches "NAT", where I get this message:

Type - NAT    Action - Drop
Config:
  nat (inside1) 1 0.0.0.0 0.0.0.0
    match ip inside1 any inside1 any
    dynamic translation to pool 1 (192.168.1.1 [Interface PAT])
    translate_hits = 913403, untranslate_hits = 27
Result: the packet is dropped.
Info: (acl-drop) Flow is denied by configured rule

I'm not super familiar with ACLs, so I am not sure what change I need to make to get this to work properly. I also find it strange that the Windows PCs using the Cisco client have no problem communicating internally after connecting, but Macs using the Mac's integrated Cisco IPsec VPN are unsuccessful.

Any help would be greatly appreciated.

-Ramai

P.S. I have included a screenshot of the Packet Tracer screen.
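Added example (editor's note, not part of Ramai's post or of Cisco's documentation): the drop shown above comes from the dynamic rule `nat (inside1) 1`, and its match line names inside1 as both ingress and egress, so that particular trace models a hairpin on the inside interface rather than decrypted VPN-client traffic, which enters the ASA on the outside interface. The usual fix for a VPN pool that cannot reach inside hosts on a pre-8.3 ASA is a NAT exemption (`nat 0 access-list`) between the inside network and the pool, checked before the dynamic PAT rule. The fragment below uses the interface name `inside1`, the inside network 192.168.0.0/23 and the VPN pool 192.168.5.0/24 from the post; the ACL name `inside1_nat0_outbound`, the outside interface name `outside`, and the assumption that the ASA runs 8.2-style NAT syntax (consistent with the `nat (inside1) 1 0.0.0.0 0.0.0.0` line in the trace) are mine.

```cisco
! Added example, not the poster's configuration. 8.2-style (pre-8.3) ASA syntax.
! Assumed names: ACL "inside1_nat0_outbound", interface "outside".

! 1. NAT exemption between the inside network and the VPN pool. "nat 0 access-list"
!    is evaluated before the dynamic rule "nat (inside1) 1" and is bidirectional,
!    so replies from 192.168.0.52 back to 192.168.5.33 are exempt as well.
access-list inside1_nat0_outbound extended permit ip 192.168.0.0 255.255.254.0 192.168.5.0 255.255.255.0
nat (inside1) 0 access-list inside1_nat0_outbound

! 2. Existing interface PAT for everything else, as shown in the Packet Tracer output.
nat (inside1) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! 3. Re-test from the CLI. Decrypted VPN-client traffic enters on the outside
!    interface, so trace it from there, not from inside1. The tunnel from the Mac
!    must be up for the trace to match the VPN flow.
packet-tracer input outside icmp 192.168.5.33 8 0 192.168.0.52 detailed

! 4. Check what is actually in effect (the same output Julio asks for in this thread).
show running-config nat
show running-config global
show xlate | include 192.168.5.33
```

If the trace still drops in the NAT phase after step 1, compare the subnet masks in the exemption ACL against the inside interface and the `ip local pool` used by the VPN group policy; an exemption that does not cover the pool falls through to the dynamic rule exactly as in the screenshot.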

6 Replies

Dear Ramai,

Could you please post the configuration of your FW (remove public IPs and DNS names).

Also, please specify the name of the connection profile you connect to from the Mac machines.

Thanks.

Portu.

Please rate any helpful posts.

Hi Portu,

Thank you for your reply.

I was not 100% sure what you had wanted me to post so I have attached a screenshot of the NAT Rules table and Access Rules table. I have removed any public IPs and replaced them with either ext. or external.

As for your second request: I don't believe we use connection profiles (isn't that something for clientless VPN connections?). Our method is to create a user account on the ASA5510 and to log into the VPN using the account credentials that are created on the ASA.

I hope this was somewhat useful.

-Ramai

Anyone have any ideas for this problem? Please let me know if any additional information is required.

Thanks,

Ramai

I am having the same problem on a brand new 10.8.2 MacBook Pro. All my iOS devices connect and then resolve fine, but the MacBook connects but cannot resolve any internal servers. This seems to be an AnyConnect and OS X issue, not a problem with the ASA, but I am not an expert. Anybody have an update?

Thank you - Kevin

Hello Ramai,

From CLI

do show run nat

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

rgaasbeek (Level 1)

@Kevin, I'm not using AnyConnect for the problem I'm experiencing. I am using the Mac's built-in Cisco IPsec VPN configuration.

To see where things are at now, please check out this thread:

https://supportforums.cisco.com/message/3765785#3765785