02-26-2009 07:05 AM
Hello. I am trying to make a connection between a Cisco VPN client software and a VPN server on an ASA 5505 behind a 1841 router (internet ADSL2+ and NAT router).
My topology is almost as follows
client-----tunnel-----1841---ASA---PC's
ASA is the VPN termination device (outside interface). I forward ports 500 and 4500 UDP on my router to the ASA and the tunnel comes up. I have exempted NATting both on the ASA and the router for the IPs in the VPN DHCP pool. I can connect to my tunnel but I cannot "see" anything in the internal network. I have permitted all traffic from the outside to the inside sourcing from the VPN IP pool and still I send packages through the tunnel and I get nothing. I take a look at the statistics on the VPN client and I have 2597 bytes out (ping traffic) and there are no bytes in. Any idea?
02-26-2009 11:55 AM
Were you connected when you took the "show crypto ipsec sa"? If not, then try it again. Also, this option enables IPsec over UDP 4500 and it is disabled; please enable it:
crypto isakmp nat-traversal
Just enter the command as it is, then try to connect again after enabling this option and get the same show output.
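A worked configuration for the topology in this thread (client, 1841 NAT router, ASA 5505), added here as an illustration and not taken from the original posts. All addresses, the Dialer0 interface name and the access-list name are assumed placeholders, and the ASA syntax is the pre-8.3 form current at the time of the thread.

```cisco
! --- 1841 (ADSL/NAT router): forward ISAKMP and NAT-T to the ASA outside address ---
! 192.168.254.2 = ASA outside interface (constructed placeholder); Dialer0 = assumed ADSL interface
ip nat inside source static udp 192.168.254.2 500 interface Dialer0 500
ip nat inside source static udp 192.168.254.2 4500 interface Dialer0 4500

! --- ASA 5505 (pre-8.3 syntax): LAN 192.168.1.0/24, VPN pool 192.168.100.0/24 (placeholders) ---
! The fix from the accepted answer. With NAT-T off the client sends raw ESP (IP protocol 50),
! which the router's UDP-only port forwards never pass, so the ASA gets no traffic in.
! With NAT-T on, ESP is encapsulated in UDP 4500 and follows the forward above.
crypto isakmp nat-traversal 20

! NAT exemption so replies from the LAN to the VPN pool are not translated
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat

! Troubleshooting aids suggested in the other reply
management-access inside
logging buffered 6

! Check while a client is connected: "show crypto ipsec sa" on the ASA.
! #pkts decaps staying at 0 while the client's bytes-out counter climbs means
! encrypted traffic is not reaching the ASA (NAT-T / port-forward problem);
! decaps rising but #pkts encaps at 0 points at NAT exemption or inside routing.
```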
02-26-2009 08:36 AM
Depending on the ASA version you have, NAT-T will be enabled or not; if you are running 8.0.4 then it should be, if not then try to enable it. Also please get the show run and the show crypto ipsec sa from your ASA and post them here. When your client is connected, please check whether transparent tunneling is active and what port it is working on.
02-26-2009 11:48 AM
02-26-2009 12:28 PM
crypto isakmp nat-traversal
Had done the "dirty" job. It pings and works fine now. Thanks a lot.
02-26-2009 12:06 PM
Enable 'management-access inside' on the ASA, and see if you can ping the inside interface of the ASA.
Is the ASA the default gateway for your internal devices? Is the ASA's internal interface on the same network that you are trying to get to?
Please enable logging:
logging buffered 6
Connect using the VPN client, then try accessing some resource. See if anything shows up in the log for denied traffic.