02-10-2013 02:59 PM - edited 02-21-2020 06:41 PM
This is probably a dumb question, but I am having trouble making my remote access vpn decrypt traffic. I am using an ASA5510 and the cisco 5.0 vpn client. I have no problem getting the tunnel to come up. But the "decrypted traffic" stays zero and the "discarded traffic" increments continuously.
Here is the ASA5510 crypto config:
OK I guess this site doesn't allow pasting text so I attached the config.
I am pretty sure that I can't pass traffic because I have not been able to figure out how to specify the interesting traffic for the vpn connection. Can someone please show me the syntax for this? It looks like it should be some kind of tunnel-group commands.
Am I the only one who thinks that the Cisco documentation is worthless on this subject? The ASA config guide gives you everything you need to set up a tunnel, but has absolutely nothing on the config required to actually pass traffic. That helps a lot.
02-10-2013 07:16 PM
Hi,
If you see traffic being encrypted by the VPN Client but no return traffic, there might be some configuration that is missing on the ASA, or the destination host doesn't have a correct route to the VPN Client, or something else.
To my understanding, if you don't specify what to tunnel on the VPN Client connection, then ALL traffic will be tunneled from the client to the VPN endpoint.
If you want to specify what to forward to the VPN, you use the "group-policy" configurations:
group-policy VPN-GROUP-POLICY internal
group-policy VPN-GROUP-POLICY attributes
split-tunnel-policy tunnelall
OR
access-list SPLIT-TUNNEL standard permit <network> <mask>
group-policy VPN-GROUP-POLICY internal
group-policy VPN-GROUP-POLICY attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
The "group-policy" is then attached under the "tunnel-group" configurations.
This would probably be easier to check when seeing the configurations on the ASA. If you are simply testing connectivity with ICMP, I suggest checking that you have "inspect icmp" configured so that ICMP Echo-reply messages are automatically allowed by the ASA.
- Jouni
02-10-2013 03:24 PM
Hi,
According to the attached configuration, you have probably configured the VPN Client as "Full Tunnel".
This would mean that as soon as the host connects with the VPN Client, all traffic is forwarded to the VPN connection. So in that case, on the client side every destination address would be considered "interesting traffic" for the VPN Client connection (though there might be some discarded traffic also, I guess).
You can confirm if the VPN Client connection is configured as Full Tunnel by checking the Statistics section of the VPN Client and then finding the section for routes. It should only have a line for "0.0.0.0 0.0.0.0", which in turn means that all networks are tunneled to the VPN connection.
Now, if you wanted to only forward certain traffic to the VPN Client and the rest out through the local Internet connection of the host, you would configure "Split Tunnel" VPN.
But on to the problem. I suspect you might be missing the NAT0 / NAT Exempt configuration for the traffic to go through the firewall.
The very basic format for this configuration would be:
access-list LAN-NAT0 permit ip <LAN-network> <mask> <VPN-pool-network> <mask>
nat (inside) 0 access-list LAN-NAT0
Where
Can you confirm if you have the NAT0 configuration on your firewall?
I do agree that sometimes it's really hard to find specific information on how to configure something. At the moment I'm personally managing well with the Configuration Guide and Command Reference. For some cases I simply Google for certain configurations, but even then I have to know the correct terms to actually find the information.
But there are always these forums to ask on, too.
- Jouni
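As an added illustration of the two things Jouni tells the poster to check (a NAT0 exemption that actually covers the VPN address pool, and a split-tunnel list that points at an ACL which exists), here is a small Python audit run over a constructed config in the pre-8.3 ASA syntax the thread uses. It is example code, not from the thread or from Cisco; the pool name, tunnel-group name and addresses are assumptions.

```python
import ipaddress
import re

# Constructed sample config (not the poster's attached file). VPN-POOL, RA-VPN
# and all addresses are assumptions chosen for the example.
SAMPLE_CONFIG = """\
ip local pool VPN-POOL 192.168.50.1-192.168.50.50 mask 255.255.255.0
access-list LAN-NAT0 extended permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.1.0.0 255.255.0.0
nat (inside) 0 access-list LAN-NAT0
group-policy VPN-GROUP-POLICY internal
group-policy VPN-GROUP-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool VPN-POOL
 default-group-policy VPN-GROUP-POLICY
"""

def audit(config):
    """Return a list of problems that would stop return traffic to VPN clients (empty = ok)."""
    problems = []
    # ip local pool NAME first-last mask ...
    pools = {m[1]: (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
             for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", config, re.M)}
    # Destination networks of each extended 'permit ip' ACE, keyed by ACL name.
    dst_nets = {}
    for name, _src, _smask, dst, dmask in re.findall(
            r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)", config, re.M):
        dst_nets.setdefault(name, []).append(ipaddress.ip_network(f"{dst}/{dmask}"))
    split_lists = set(re.findall(r"^ split-tunnel-network-list value (\S+)", config, re.M))
    split_acls = set(re.findall(r"^access-list (\S+) standard permit", config, re.M))
    nat0 = dict(re.findall(r"^nat \((\S+)\) 0 access-list (\S+)", config, re.M))
    for pool in re.findall(r"^ address-pool (\S+)", config, re.M):
        if pool not in pools:
            problems.append(f"address-pool {pool} is not defined")
            continue
        lo, hi = pools[pool]
        acl = nat0.get("inside")
        if acl is None:
            problems.append("no 'nat (inside) 0 access-list' (NAT exemption) configured")
        elif not any(lo in net and hi in net for net in dst_nets.get(acl, [])):
            problems.append(f"NAT0 ACL {acl} does not cover pool {pool} ({lo}-{hi})")
    for lst in sorted(split_lists - split_acls):
        problems.append(f"split-tunnel-network-list {lst} references a missing ACL")
    return problems

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG) or "no problems found")
```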
02-10-2013 07:00 PM
Jouni - I do have nat 0 configured for my inside interface and my dmz. I see the "encrypted" counter steadily increasing, but "decrypted" remains zero. That makes me think that no traffic is "interesting" on the ASA side - nothing is being sent to the client. Again, where is this interesting traffic configured? It is not mentioned in the documentation.