11-06-2009 09:45 AM
I am sure I am overlooking something very simple, so I am hoping for a second set of eyes that will clue me in on where I am going wrong.
Basically I have a Cisco client remote-accessing into a 5510. Authentication works fine, the secured routes info shows correctly in my client, the client reports that traffic is being encrypted, but I can't access any of the resources over the tunnel. Attached is a file of the configuration and an output of a #sh crypto ipsec sa peer x.x.x.x command that shows traffic is not being passed. Thanks for the help in advance.
BTW, the L2L configuration works fine.
11-06-2009 09:52 AM
I see (from your split tunnel ACL) that you are trying to pass some traffic to some internal networks that are not in your NAT exemption ACLs (no-nat-inside, no-nat-dmz). Make sure in those no-nat ACLs you permit from the "inside" to the VPN client pool.
Other common causes:
- your internal routers may not have a route towards the ASA for the VPN client pool
- access-lists applied to the interfaces (show run access-group) may not permit the traffic from the "inside" network to the VPN clients
- configure split-dns under the group-policy for your internal domain names
-heather
11-06-2009 12:21 PM
Heather
Thanks for your input
The 2 users that were testing (myself and another coworker) were both behind NAT devices. I thought Cisco by default allowed NAT-T over UDP, but I guess not.
Adding "ipsec-udp enable" under my group policy fixed my issue.
11-06-2009 12:41 PM
Traditional NAT-traversal (on UDP 4500) IS enabled by default on the ASA. You did not have NAT-T disabled on the headend -- if you had it turned off manually you would've seen "no crypto isakmp nat-traversal" in your show run output.
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c5.html#wp2191067
Since you were not able to pass traffic with traditional NAT-T this leads me to believe something may have been blocking or dropping UDP 4500 along the path.
There are two other options for nat-traversal, one of which you discovered...
The "ipsec-udp" is another form of nat-traversal which operates on UDP 500. The port number cannot be changed.
There is a third option for nat-traversal, enabled with "crypto isakmp ipsec-over-tcp". This allows nat-traversal on TCP 10000. You can change the port with "crypto isakmp ipsec-over-tcp port <#>".
-heather
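Pulling the thread's checklist and its fix together, here is an added ASA 8.0-style configuration fragment. It is not the poster's attached configuration and not heather's text; the interface names, ACL names, address ranges (inside 10.1.0.0/16, DMZ 10.2.0.0/24, client pool 10.99.0.0/24) and the domain corp.example are placeholders chosen for the example. It shows the NAT exemption entries that must cover every network in the split-tunnel ACL, the split-dns setting, and the "ipsec-udp enable" group-policy line that resolved this case.

```cisco
! Added example (placeholder addresses and names; not the original poster's config)
ip local pool VPN-POOL 10.99.0.1-10.99.0.254 mask 255.255.255.0

! NAT exemption: each internal network reachable over the tunnel must be exempted
! toward the client pool, otherwise return traffic is translated and never matches the SA.
access-list no-nat-inside extended permit ip 10.1.0.0 255.255.0.0 10.99.0.0 255.255.255.0
access-list no-nat-dmz extended permit ip 10.2.0.0 255.255.255.0 10.99.0.0 255.255.255.0
nat (inside) 0 access-list no-nat-inside
nat (dmz) 0 access-list no-nat-dmz

! Split-tunnel ACL: the networks listed here are exactly the ones exempted above.
access-list SPLIT-TUNNEL standard permit 10.1.0.0 255.255.0.0
access-list SPLIT-TUNNEL standard permit 10.2.0.0 255.255.255.0

group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 split-dns value corp.example
 ! The fix from this thread: Cisco IPsec-over-UDP as an alternative NAT traversal path
 ! for clients whose UDP 4500 traffic is dropped somewhere on the way to the headend.
 ipsec-udp enable

! Standard NAT-T on UDP 4500 is on by default; the keepalive interval (seconds) is shown
! only so that its presence is explicit in the running configuration.
crypto isakmp nat-traversal 20
```

When reading "show crypto ipsec sa peer x.x.x.x" after a change like this, the #pkts decaps and #pkts encaps counters tell the two failure modes apart: decaps climbing while encaps stays at zero means the client's packets arrive and are decrypted but nothing comes back (routing, interface ACL or NAT exemption on the inside), whereas both staying at zero with the SA up means the encapsulated traffic is not reaching the ASA at all, which is the transport problem that "ipsec-udp enable" worked around here.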