
IPSEC VPN Remote Access Connects, but no traffic send/receive

rpmcgurn1234
Level 1

I've set up an IPSec Remote Access VPN using the wizard in ASDM on an ASA 5510.  I created a new pool (10.10.225.0/24) and when a client connects (either iPhone, Windows, OS X), authentication goes correctly and the client is authenticated and assigned a proper IP address from the newly created pool.  Once connected, however, the client cannot ping any inside resources, nor be pinged on its VPN IP address from an inside resource either.

When I go to the monitor area of ASDM, it shows the RAS client connected, but no packets tx/rx.  I've tried setting a route (0.0.0.0 0.0.0.0 10.10.200.4) but that still makes no difference.  I've done this several times before with different firewalls (ASA/PIX) and never had an issue.  Probably missing something very stupid.  Any config snippets I can supply that will make this easier to troubleshoot I'll be happy to supply.  Any insight to this is extremely appreciated.

Thanks in advance.

4 Replies

Hi Ronan,

Please include:

show run tunnel-group

show run group-policy

show run nat

show run ip local pool

Please let me know the name of the specific connection profile you are connecting to.

HTH.

Please rate any helpful posts

Thank you for the rapid response, here is the information requested.  I had to modify the config some to sterilize it a little, but all routable IPs ought to be clear: xx1, xx2, xx3, xx4, etc.  I'm connecting to the "outside" interface, which is xx5.xx5.82.162.

I am trying to connect to remote@hcz

-------------------------------

tunnel-group:

tunnel-group xx1.xx1.62.172 type ipsec-l2l
tunnel-group xx1.xx1.62.172 ipsec-attributes
pre-shared-key *****
tunnel-group xx2.xx2.82.178 type ipsec-l2l
tunnel-group xx2.xx2.82.178 ipsec-attributes
pre-shared-key *****
tunnel-group xx3.xx3.254.210 type ipsec-l2l
tunnel-group xx3.xx3.254.210 ipsec-attributes
pre-shared-key *****
tunnel-group xx4.xx4.203.82 type ipsec-l2l
tunnel-group xx4.xx4.203.82 ipsec-attributes
pre-shared-key *****
tunnel-group remote@hcz type remote-access
tunnel-group remote@hcz general-attributes
address-pool 10.10.225.0
tunnel-group remote type remote-access
tunnel-group remote general-attributes
address-pool 10.10.225.0
default-group-policy remote
tunnel-group remote ipsec-attributes
pre-shared-key *****

------------------------

group-policy:

group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy remote internal
group-policy remote attributes
dns-server value 10.10.200.14 10.10.200.6
vpn-tunnel-protocol IPSec
default-domain value hczadmin

-----------------------------

nat:

nat (outside) 0 access-list outside_nat0_outbound outside
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list nonatdmz
nat (dmz) 1 192.168.50.0 255.255.255.0

--------------------------------

ip local pool:

ip local pool 10.10.225.0 10.10.225.11-10.10.225.20 mask 255.255.255.0

Any thoughts?  Additional info needed?  Thanks again!

Check the nonat ACL to include LAN-to-VPN-client traffic.
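The reply above points at the NAT exemption. The posted config has `nat (inside) 0 access-list nonat` followed by `nat (inside) 1 0.0.0.0 0.0.0.0`, so any inside host replying to a VPN client is translated by the catch-all rule unless the `nonat` ACL matches it first, and the reply never enters the tunnel. Below is an added example of what that exemption and its verification look like on pre-8.3 ASA code (the `nat (inside) 0 access-list` syntax in the post indicates that release family). It is not from the thread or from Cisco; it assumes the inside LAN is 10.10.200.0/24, inferred from the DNS servers and the 10.10.200.4 next hop the poster mentioned, and it uses the poster's pool 10.10.225.0/24 and existing ACL name `nonat`.

```cisco
! Added example, not part of the original thread.
! Assumption: inside LAN is 10.10.200.0/24 (inferred from the DNS servers
! and the 10.10.200.4 next hop in the post); pool and ACL name are the
! poster's own (10.10.225.0/24, "nonat").

! 1. NAT exemption: LAN <-> VPN-pool traffic must not be translated.
!    Without this entry the LAN host's reply to 10.10.225.x hits
!    "nat (inside) 1 0.0.0.0 0.0.0.0", is PATed to the outside address and
!    is never matched into the tunnel, giving exactly "connected but 0 tx/rx".
access-list nonat extended permit ip 10.10.200.0 255.255.255.0 10.10.225.0 255.255.255.0
nat (inside) 0 access-list nonat

! 2. Decrypted VPN traffic bypasses the outside interface ACL when this is
!    on (default). Listed because "no sysopt connection permit-vpn"
!    ("permit-ipsec" on older 7.x releases) is another cause of one-way traffic.
sysopt connection permit-vpn

! 3. Verify the path from the LAN to a pool address: the output should show
!    the packet matching the NAT-exempt (nat 0) rule and "Action: allow".
packet-tracer input inside icmp 10.10.200.4 8 0 10.10.225.11 detailed

! 4. Confirm which profile the session actually landed in and whether
!    packets are flowing in both directions. With the exemption in place,
!    both "#pkts encaps" and "#pkts decaps" should increase while the client pings.
show vpn-sessiondb remote
show crypto ipsec sa
show nat
```

Two things worth checking from the config as posted: the `remote@hcz` tunnel-group has no `default-group-policy` and no `ipsec-attributes` section, so a client landing in it inherits DfltGrpPolicy rather than the `remote` policy that carries the DNS and domain settings; `show vpn-sessiondb remote` shows which group and policy the session got. And if the `nonat` ACL already contains a matching entry, compare `show crypto ipsec sa` counters: decaps climbing while encaps stays at zero means the client's packets arrive but the LAN's replies are not being returned through the tunnel, which again points at NAT or routing on the inside.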