[c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?

Scott Granados gsgranados at comcast.net
Fri Aug 7 18:03:58 EDT 2009


Hi Michael,

Wouldn't the more specific /24 come in to play instead of the much larger 
/16?  If I route the /16 via 10.18.14.1 but the /24 of 10.18.14.1 is 
directly connected I would have thought the /24 would win.  I'll definitely 
give this a try however.

Thanks
Scott


----- Original Message ----- 
From: "Michael K. Smith - Adhost" <mksmith at adhost.com>
To: "Scott Granados" <gsgranados at comcast.net>; <cisco-nsp at puck.nether.net>
Sent: Friday, August 07, 2009 2:40 PM
Subject: RE: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between 
Cisco client and inside network?




> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
> Sent: Friday, August 07, 2009 1:47 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between
> Cisco client and inside network?
>
> Hi, I'm having difficulties configuring VPN tunnels between a PC with the
> Cisco VPN client (Windows XP) and an ASA5520.
>
> BACKGROUND
>
> I have an ASA5520 with a public interface of 206.x.x.232 and an inside
> address of 10.18.14.6.  The outside interface is connected to the public
> Internet directly; the inside interface is attached to a switch with
> layer 3 capabilities and has an address of 10.18.14.1/24.  The default
> route is pointed to the public Internet gateway and the 10.18.0.0/16
> network is routed via the 10.18.14.1 inside address.  The VPN device is
> running version 7 software (according to the VPN client log file).
>
> PROBLEM
>
> When I initiate a connection from the PC to the public facing interface
> over an external network the session authenticates and reports connected,
> the client is assigned an address from the correct pool, but I'm not able
> to pass traffic.  Looking at the stats the routes learned appear
> (10.18.0.0/16) or whatever routes I added to the split-tunnel network
> list.  I do notice that the tunnel stats do not show the encrypted packet
> count increasing, so I assume I'm not tagging something correctly or the
> ASA is confused about what to encrypt.  I've been using the Cisco ASA
> configuration examples as a starting point but think I'm missing the
> point somewhere.  Any pointers would be appreciated; config tidbits
> follow.
>
> split-tunnel ACL

I would imagine having the /16 that encompasses the /24 of your inside
interface and your VPN pool is a "bad thing."  The /16 route is injected
into the tunnel, which encompasses your default gateway for the VPN.
But, you have forwarded all that traffic to the .1 address.  As a start,
I would get more specific on your subnets, since the 10.18.14.0/24 is
physically tied to the ASA.  Why not try more specifics like
10.18.1.0/24, 10.18.2.0/24, etc. and see if that helps.

Regards,

Mike 
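
As an added example (not from the thread, and not Cisco's own tooling), here is a small Python check that does the comparison Michael describes: it reads the relevant lines of an ASA config fragment and reports any split-tunnel entry that encompasses the inside interface subnet or overlaps the VPN address pool. The interface name, the pool name and the 10.18.200.x pool range are assumptions; the thread only gives the inside address 10.18.14.6/24, the 10.18.0.0/16 route via 10.18.14.1 and a /16 entry in the split-tunnel list.

```python
"""Report split-tunnel ACL entries that cover the ASA's own inside subnet
or its VPN address pool (the overlap raised in Michael's reply)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed ASA fragment. Interface, pool and ACL names and the pool range
# are assumptions; the thread gives only the inside address 10.18.14.6/24,
# the 10.18.0.0/16 route via 10.18.14.1 and a /16 split-tunnel entry.
SPLIT_TUNNEL_SUPERNET = """\
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.18.14.6 255.255.255.0
ip local pool vpnpool 10.18.200.1-10.18.200.254 mask 255.255.255.0
route inside 10.18.0.0 255.255.0.0 10.18.14.1 1
access-list split-tunnel standard permit 10.18.0.0 255.255.0.0
"""

# The variant Michael suggests: list the remote /24s instead of the /16.
SPLIT_TUNNEL_SPECIFIC = SPLIT_TUNNEL_SUPERNET.replace(
    "access-list split-tunnel standard permit 10.18.0.0 255.255.0.0\n",
    "access-list split-tunnel standard permit 10.18.1.0 255.255.255.0\n"
    "access-list split-tunnel standard permit 10.18.2.0 255.255.255.0\n",
)


@dataclass
class AsaView:
    inside_net: Optional[ipaddress.IPv4Network] = None
    pool_nets: List[ipaddress.IPv4Network] = field(default_factory=list)
    # ACL name -> networks permitted by its standard entries
    acls: Dict[str, List[ipaddress.IPv4Network]] = field(default_factory=dict)


def parse_asa(text: str) -> AsaView:
    """Pull the inside interface subnet, local pools and standard ACLs out of
    an ASA running-config fragment. Only the lines this check needs are read."""
    view = AsaView()
    iface: Dict[str, object] = {}
    for line in text.splitlines():
        if line.startswith("interface "):
            iface = {}  # a new interface block starts here
            continue
        m = re.match(r"^ nameif (\S+)$", line)
        if m:
            iface["nameif"] = m.group(1)
        m = re.match(r"^ ip address (\S+) (\S+)$", line)
        if m:
            # IPv4Interface accepts a dotted netmask and yields the subnet
            iface["net"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}").network
        if iface.get("nameif") == "inside" and "net" in iface:
            view.inside_net = iface["net"]
        m = re.match(r"^ip local pool \S+ (\S+)-(\S+) mask \S+$", line)
        if m:
            first, last = (ipaddress.IPv4Address(a) for a in m.groups())
            view.pool_nets.extend(ipaddress.summarize_address_range(first, last))
        m = re.match(r"^access-list (\S+) standard permit (\S+) (\S+)$", line)
        if m:
            net = ipaddress.IPv4Network(f"{m.group(2)}/{m.group(3)}", strict=False)
            view.acls.setdefault(m.group(1), []).append(net)
    return view


def check_split_tunnel(view: AsaView, acl_name: str) -> List[Tuple[str, List[str]]]:
    """Return (entry, reasons) for every entry of the named ACL that is wider
    than the inside interface subnet or overlaps the VPN pool."""
    findings = []
    for net in view.acls.get(acl_name, []):
        reasons = []
        if view.inside_net and net != view.inside_net and net.supernet_of(view.inside_net):
            reasons.append(f"encompasses inside interface subnet {view.inside_net}")
        if any(net.overlaps(pool) for pool in view.pool_nets):
            reasons.append("overlaps the VPN address pool")
        if reasons:
            findings.append((str(net), reasons))
    return findings


if __name__ == "__main__":
    for label, cfg in (("/16 entry", SPLIT_TUNNEL_SUPERNET),
                       ("specific /24s", SPLIT_TUNNEL_SPECIFIC)):
        hits = check_split_tunnel(parse_asa(cfg), "split-tunnel")
        print(f"{label}: {hits or 'no overlapping split-tunnel entries'}")
```

Run it directly to compare the /16 entry with the per-/24 list Michael suggests. It only reports which of the ASA's own address ranges a split-tunnel entry covers; it does not decide whether the more specific connected route wins, which is the question Scott raises in his reply.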
