Cisco VPN Client to ASA 5505 with Cisco 1841 Router

tkatsiaounis
Level 1

Hello. I am trying to make a connection between a Cisco VPN client software and a VPN server on an ASA 5505 behind a 1841 router (internet ADSL2+ and NAT router).

My topology is almost as follows

client-----tunnel-----1841---ASA---PC's

The ASA is the VPN termination device (outside interface). I forward ports 500 and 4500 UDP on my router to the ASA and the tunnel comes up. I have exempted NATting both on the ASA and the router for the IPs in the VPN DHCP pool. I can connect to my tunnel but I cannot "see" anything in the internal network. I have permitted all traffic from the outside to the inside sourcing from the VPN IP pool and still I send packets through the tunnel and I get nothing. I take a look at the statistics on the VPN client and I have 2597 bytes out (ping traffic) and there are no bytes in. Any idea?

5 Replies

Ivan Martinon
Level 7

Depending on the ASA version you have, NAT-T will be enabled or not; if you are running 8.0.4 then it should be, if not then try to enable it. Also please get the show run and the show crypto ipsec sa from your ASA and post it here. When your client is connected, please check whether transparent tunneling is active and what port it is working on.

You can find the sh run output attached. As for IPsec SAs, it says there are no SAs.

Were you connected when you took the "show crypto ipsec sa"? If not, then try it again. Also, this option enables IPsec over UDP 4500 and it is disabled, please enable it:

crypto isakmp nat-traversal

Just enter the command as it is, then try to connect again after enabling this option and get the same show output.

crypto isakmp nat-traversal

Had done the "dirty" job. It pings and works fine now. Thanks a lot.

auraza
Cisco Employee

Enable 'management-access inside' on the ASA, and see if you can ping the inside interface of the ASA.

Is the ASA the default gateway for your internal devices? Is the ASA's internal interface on the same network that you are trying to get to?

Please enable logging:

logging buffered 6

Connect using the VPN client, then try accessing some resource. See if anything shows up in the log for denied traffic.
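Putting the thread's pieces together, here is an added configuration example for the topology described (it is not taken from the poster's attached show run or from any reply). It covers the 1841 port forwards from the original post, the NAT-T command from the accepted answer, and the management-access and logging steps from the last reply. Interface names (Dialer0, 192.168.0.2 as the ASA outside address), the inside LAN 192.168.1.0/24, the pool 192.168.100.0/24 and the names VPNPOOL and NONAT are all assumed; the ASA side uses pre-8.3 NAT syntax since the thread talks about 8.0.4.

```cisco
! ===== 1841 (IOS) - ADSL/NAT router in front of the ASA =====
! Assumed: Dialer0 is the WAN interface, 192.168.0.2 is the ASA outside interface.
! Only IKE (UDP 500) and NAT-T (UDP 4500) can be port-forwarded by a PAT router;
! raw ESP (IP protocol 50) has no ports, so without NAT-T the IKE exchange succeeds
! but no data ever flows back to the client - the "bytes out, no bytes in" symptom.
ip nat inside source static udp 192.168.0.2 500 interface Dialer0 500
ip nat inside source static udp 192.168.0.2 4500 interface Dialer0 4500

! ===== ASA 5505 (pre-8.3 NAT syntax) - VPN termination =====
! Address pool handed to remote-access clients (assumed range)
ip local pool VPNPOOL 192.168.100.1-192.168.100.50 mask 255.255.255.0

! NAT exemption: inside LAN talking to the VPN pool must not be translated
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT

! IKE on the outside interface, plus the fix from the accepted answer:
! NAT traversal encapsulates ESP in UDP 4500 so it survives the router's PAT.
! The trailing value is the NAT keepalive interval in seconds (20 is the default).
crypto isakmp enable outside
crypto isakmp nat-traversal 20

! Default on ASA 7.x/8.x: decrypted VPN traffic bypasses the outside interface ACL,
! so an explicit outside->inside permit for the pool is not what makes or breaks this.
sysopt connection permit-vpn

! From the last reply: lets a VPN client ping/ssh the inside interface address,
! a quick test that the tunnel really delivers packets to the ASA's inside side.
management-access inside

! Buffered logging at informational (level 6) to see denied flows while testing
logging enable
logging buffered 6

! ----- verification while a client is connected -----
! show crypto isakmp sa              (phase 1 up?)
! show crypto ipsec sa               (phase 2: look for non-zero #pkts decaps/encaps)
! show logging | include Deny        (anything the ASA dropped from the pool?)
```

Reading the counters in "show crypto ipsec sa" is the check that matches the poster's symptom: encrypted/decrypted packet counts that stay at zero, or no SA at all, mean the data path never formed, which is exactly the state NAT-T fixes when the ASA sits behind a PAT router.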