VPN client through ASA

I have a client that needs to establish a VPN client connection using IPsec to their corporate firewall; they are behind my ASA firewall, which uses dynamic PAT. The tunnel forms but no traffic passes. I've tried the following with no improvement:

Enabling IPsec pass-through.

policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru

Enabling NAT-T.

crypto isakmp nat-traversal 20

Allowing UDP 4500, ISAKMP UDP 500, ESP (IP protocol 50) and AH (IP protocol 51) from inside to outside.

Nothing worked. Any other ideas as to why they cannot pass traffic through the tunnel although the tunnel connects?

Thanks.

8 Replies

Aditya Ganjoo
Cisco Employee

Hi,

Do we have a site-to-site between the local ASA and the corporate FW as well?

If yes, we cannot have both the VPN client and the site-to-site up at the same time.

Regards,

Aditya

Please rate helpful posts.

No, we do not. We have nothing connected to the 3rd party firewall that the client is trying to pass traffic through.

client--->local ASA--->Internet--->3rd party ASA

Hi,

Does phase 2 even come up?

What is the output of show cry ipsec sa peer <remote peer>?

If not, try to enable debug crypto ipsec 200 and share the output.

Regards,

Aditya

No phase 2 and nothing in the logs.

Hi,

Do you see the VPN client connected?

What is the output of show vpn-sessiondb ra-ikev1-ipsec?

Regards,

Aditya

Thanks Aditya, but I have no control over the remote firewall and the user is not connecting to my firewall. My firewall is just being used for their internet connection.

Hi,

Thanks for the update, but we need phase 2 logs to determine the reason for this failure.

Since you have allowed ESP and also enabled IPsec pass-through on the ASA, I do not think we need anything else apart from these.

Debugs from the remote ASA would be helpful though. :)

Regards,

Aditya

Please rate helpful posts.

Your whole responsibility is to open UDP/500 and UDP/4500 outbound (you don't need to open IP/50 or IP/51). There's nothing more that you can do or have to do.

Your client needs to have NAT-T enabled on his client and on his corporate firewall.
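The reason the last reply puts the burden on NAT-T, as an added example that is not part of this thread and not Cisco's code: dynamic PAT rewrites the client's source address and port, and the two IKEv1 peers notice this through the NAT-D payloads of RFC 3947. Each side hashes the ISAKMP cookies together with the IP address and port it believes it is talking from and to; the receiver recomputes the hashes from the packet header it actually saw, and any mismatch means a NAT is in the path, which is what makes the peers float to UDP 4500 and UDP-encapsulate ESP (raw ESP has no ports for PAT to translate). The code below implements that check. The SHA-1 hash, the cookies, the addresses, and the translated source port 1025 are all assumptions constructed for the example.

```python
"""RFC 3947 NAT-D (NAT discovery) hashes for IKEv1 phase 1.

Added example, not from the forum thread. Every value in the scenarios below
(cookies, addresses, ports, the negotiated hash algorithm) is constructed.
"""
import hashlib
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


def nat_d_hash(cky_i: bytes, cky_r: bytes, ep: Endpoint, hash_name: str = "sha1") -> bytes:
    """NAT-D payload value from RFC 3947 section 3.2:
    HASH(CKY-I | CKY-R | IP | Port). CKY-I/CKY-R are the 8-byte ISAKMP
    cookies from the header, IP is the packed address and Port is 16 bits in
    network byte order. HASH is whatever phase 1 negotiated; sha1 is assumed."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    if not 0 <= ep.port <= 0xFFFF:
        raise ValueError("port out of range")
    h = hashlib.new(hash_name)
    h.update(cky_i)
    h.update(cky_r)
    h.update(ipaddress.ip_address(ep.ip).packed)
    h.update(struct.pack("!H", ep.port))
    return h.digest()


def build_nat_d_payloads(cky_i: bytes, cky_r: bytes, local: Endpoint, remote: Endpoint,
                         hash_name: str = "sha1") -> List[bytes]:
    """Sender side: first the hash of the address it is sending TO, then the
    hash of the address it believes it is sending FROM (RFC 3947 ordering)."""
    return [nat_d_hash(cky_i, cky_r, remote, hash_name),
            nat_d_hash(cky_i, cky_r, local, hash_name)]


def detect_nat(cky_i: bytes, cky_r: bytes, payloads: List[bytes], seen_src: Endpoint,
               seen_dst: Endpoint, hash_name: str = "sha1") -> Dict[str, bool]:
    """Receiver side: recompute both hashes from the IP/UDP header that actually
    arrived. First payload mismatching means our own address was rewritten on
    the way in; none of the remaining payloads matching the observed source
    means the sender's address was rewritten, i.e. the sender is behind a NAT.
    Either way the peers must switch to UDP 4500 (NAT-T) for ESP to pass."""
    if len(payloads) < 2:
        raise ValueError("need at least two NAT-D payloads")
    nat_before_receiver = payloads[0] != nat_d_hash(cky_i, cky_r, seen_dst, hash_name)
    nat_before_sender = nat_d_hash(cky_i, cky_r, seen_src, hash_name) not in payloads[1:]
    return {
        "nat_before_sender": nat_before_sender,
        "nat_before_receiver": nat_before_receiver,
        "float_to_udp_4500": nat_before_sender or nat_before_receiver,
    }


# Constructed cookies shared by both scenarios.
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("a1b2c3d4e5f60718")


def thread_scenario() -> Dict[str, bool]:
    """Topology from the thread: client (private) -> ASA dynamic PAT -> Internet
    -> corporate gateway. Evaluated from the corporate gateway's point of view."""
    client = Endpoint("192.168.1.50", 500)        # what the client believes its source is
    asa_outside = Endpoint("203.0.113.10", 1025)  # what the gateway sees after PAT (assumed port)
    gateway = Endpoint("198.51.100.1", 500)
    payloads = build_nat_d_payloads(CKY_I, CKY_R, local=client, remote=gateway)
    return detect_nat(CKY_I, CKY_R, payloads, seen_src=asa_outside, seen_dst=gateway)


def no_nat_scenario() -> Dict[str, bool]:
    """Same exchange with a publicly addressed client and no translation in the path."""
    client = Endpoint("203.0.113.10", 500)
    gateway = Endpoint("198.51.100.1", 500)
    payloads = build_nat_d_payloads(CKY_I, CKY_R, local=client, remote=gateway)
    return detect_nat(CKY_I, CKY_R, payloads, seen_src=client, seen_dst=gateway)


if __name__ == "__main__":
    print("behind ASA PAT:", thread_scenario())
    print("no NAT:        ", no_nat_scenario())
```

In the PAT case the gateway's recomputed source hash never matches the client's second payload, so both peers learn the client is behind a NAT; if either side has NAT-T disabled, that result is ignored, phase 2 traffic is sent as raw ESP, and the PAT device has nothing to translate, which matches the symptom in the thread.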