10-25-2006 08:27 AM - edited 02-21-2020 02:41 PM
I have set up a remote access VPN between a Cisco ASA 5510 and a remote access client. The VPN successfully connects, but no network traffic is able to be passed. I have attached my configuration. Any help would be greatly appreciated.
10-25-2006 09:01 AM
Mike,
Your access-list for Inside_nat0_outbound should be
access-list Inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 10.0.0.0 255.255.255.0
Let me know if it helps.
Regards,
Arul
10-25-2006 01:29 PM
Thanks for the reply Arul,
I made that change, but the symptom remains the same, VPN connects but no traffic. Any other ideas?
Mike
10-25-2006 05:52 PM
Mike,
What is the IP Address that you are trying to access after establishing the tunnel?
Also, did you do a clear xlate after changing the nat 0 access-list? If you are still having issues, could you post the output of "show crypto ipsec sa" once the tunnel is established and you try to access the internal hosts?
Regards,
Arul
10-26-2006 07:39 AM
I have tried to access 172.16.1.2 via ping, 172.16.1.51\cdrive, a shared resource. I have also tried to access the same resources using the 10.0.0.0 ip scheme. No luck. I did do a clear xlate after changing the access-list. I have attached the output for "show crypto ipsec sa" after attempting to access the hosts. (I have x'ed the public ips).
10-26-2006 06:55 PM
Mike,
Looking at the IPSEC SA, the IPSEC packets are not even making it to the ASA.
What is the internet gateway at the location from where you are doing this testing, and is your PC IP Address getting a Static Public IP Address when traffic is destined to the internet or is it Port Address Translated?
And also, what option are you using to connect to the VPN Server? Is it IPSEC, IPSEC Over UDP or IPSEC Over TCP?
If you are using IPSEC, then UDP Port 500 and Protocol 50 (ESP) are used to build the tunnel and encrypt the packets. So, if your office is set up for PATing your IP, then this set up will not work, since Port Address Translation does not understand Protocol and your IPSEC packets will get dropped at the PATing Device.
Also, look at the statistics under VPN Client and see if the packets are getting encrypted. If you see encrypted packets counters getting increased, then you know that the encrypted packets are leaving the PC but getting dropped somewhere in between the VPN Client and ASA.
I hope it helps.
Regards,
Arul
10-30-2006 02:47 PM
Arul,
Thanks for the info. You are correct. The issue was that I was PATing my IP and therefore needed to add one more command to my configuration as follows:
isakmp nat-traversal 20
This is now allowing the traffic to pass over the PAT.
Thanks for all the help.
Mike
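The check used in this thread (comparing the ASA's decaps/encaps counters in "show crypto ipsec sa" with the VPN client's encrypted-packet counter) can be scripted. This is an added example, not part of the original posts; the sample output, addresses, crypto map name and username are constructed, and the diagnosis strings are rules of thumb.

```python
import re

# Constructed sample in the style of ASA "show crypto ipsec sa" output.
# Addresses, map name and username are placeholders, not from the thread.
SAMPLE = """\
interface: Outside
    Crypto map tag: Outside_dyn_map, local addr: 192.0.2.1

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)
      current_peer: 198.51.100.7, username: user1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

COUNTER = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")
PEER = re.compile(r"current_peer:\s*([^\s,]+)")


def parse_sas(text):
    """Return one dict per SA: peer address plus encaps/decaps counters."""
    sas = []
    for line in text.splitlines():
        m = PEER.search(line)
        if m:
            sas.append({"peer": m.group(1), "encaps": 0, "decaps": 0})
        elif sas:
            for name, value in COUNTER.findall(line):
                sas[-1][name] = int(value)
    return sas


def diagnose(sa, client_encrypted):
    """client_encrypted: 'packets encrypted' value read from the VPN client statistics."""
    if sa["decaps"] > 0 and sa["encaps"] > 0:
        return "traffic flows in both directions"
    if sa["decaps"] > 0:
        # ASA decrypts inbound traffic but nothing is encrypted back to the client.
        return "ASA receives but does not reply: check nat 0 ACL and routing to the pool"
    if client_encrypted > 0:
        # Client encrypts, ASA never sees it: ESP (protocol 50) dropped in the path.
        return "ESP lost in transit: check for PAT in the path and NAT traversal"
    return "client is not sending encrypted packets: check the client side first"


if __name__ == "__main__":
    for sa in parse_sas(SAMPLE):
        print(sa["peer"], "->", diagnose(sa, client_encrypted=25))
```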
10-30-2006 07:06 PM
Mike,
Glad to know that your issue is resolved.
If you don't mind, could you update the Forum saying that the answers provided resolved your issue, so others can benefit by looking at the answers.
Thanks,
Arul
10-26-2006 01:53 AM
I've been looking at ASA Dialup VPNs for over a week now, used Netscreens before - much nicer.
What messages are you getting in the ASDM log?
These are usually a good place to start.
Dean