[cisco-voip] VPN Connects to destination network, but can't ping, telnet, or connect to servers...

Linsemier, Matthew MLinsemier at apcapital.com
Tue Aug 28 09:03:25 EDT 2007


Johnathan,

A few things you should check.  

* Make sure that the target network does not overlap your own.  If it
does you will have to implement NAT-T to resolve the issue.
* Check to see if you are connecting using IPSec or IPSec tunneled over
UDP (port 4500).  If you are trying to use pure IPSec behind a firewall,
you may need to configure a fixup or map a static address to your
machine for a one to one translation.
* Use the following ACL as a reference of what to let back in through the
ASA.  Most likely you will only need to allow GRE, ESP, ISAKMP, and
non500-ISAKMP (UDP 4500).  

   access-list 101 permit gre any host x.x.x.x
   access-list 101 permit ahp any host x.x.x.x
   access-list 101 permit esp any host x.x.x.x
   access-list 101 permit udp any host x.x.x.x eq isakmp
   access-list 101 permit udp any host x.x.x.x eq non500-isakmp
   access-list 101 permit udp any host x.x.x.x eq 10000

In the past when I have had similar issues, it seems that opening
GRE/ESP fixed my problems.  You could enable all of them in your ASA and
then connect over VPN, and then eliminate them one at a time until you
know which resolves your problem.  You can also review the ACL hit count
to see which ones are not being used and remove them as well.  Hope this
helps.

Matt
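The three checks in the reply above (address overlap, which encapsulation the client is using, and which ACL entries actually get hit) are small enough to script. The following is an added example written for this page, not code from the thread or from Cisco; the `show access-list` output, the subnets and the host 203.0.113.10 (standing in for x.x.x.x) are all constructed sample data, and the mapping of UDP 10000 to "IPsec over UDP" is taken from the ACL above rather than from any standard.

```python
import ipaddress
import re

# IP protocol numbers and UDP ports the thread's ACL lets back in.
# The 10000 entry is an assumption copied from the ACL above, not a standard.
PROTO_NAMES = {47: "gre", 50: "esp", 51: "ah"}
UDP_PORT_NAMES = {500: "isakmp", 4500: "nat-t (non500-isakmp)", 10000: "ipsec-over-udp"}


def overlapping_networks(local_nets, remote_nets):
    """Check 1: return (local, remote) pairs whose address space overlaps.

    Any overlap means traffic for the far side can be routed onto the local
    LAN instead of into the tunnel, which looks exactly like 'connected but
    nothing works'.
    """
    clashes = []
    for loc in local_nets:
        ln = ipaddress.ip_network(loc, strict=False)
        for rem in remote_nets:
            rn = ipaddress.ip_network(rem, strict=False)
            if ln.version == rn.version and ln.overlaps(rn):
                clashes.append((str(ln), str(rn)))
    return clashes


def classify_flow(ip_proto, dst_port=None):
    """Check 2: name the VPN traffic type of one observed flow.

    ip_proto is the IP protocol number (17 = UDP), dst_port the UDP port.
    Pure IPsec (ESP, protocol 50) carries no ports for a PAT firewall to
    track, which is why it may need a fixup or a one-to-one static; NAT-T
    (UDP 4500) survives PAT like any other UDP flow.
    """
    if ip_proto in PROTO_NAMES:
        return PROTO_NAMES[ip_proto]
    if ip_proto == 17 and dst_port in UDP_PORT_NAMES:
        return UDP_PORT_NAMES[dst_port]
    return "not-vpn"


# One ACE line of ASA `show access-list` output, e.g.
#   access-list 101 line 3 extended permit esp any host 203.0.113.10 (hitcnt=42) 0x3b4c5d6e
HITCNT_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+"
    r"(?P<ace>.+?)\s+\(hitcnt=(?P<hits>\d+)\)"
)


def unused_aces(show_access_list_output):
    """Check 3: list (line number, ACE text) for every entry never hit.

    Run after a VPN session so that the counters reflect what the client
    actually used; the zero-hit entries are the candidates for removal.
    """
    unused = []
    for raw in show_access_list_output.splitlines():
        m = HITCNT_RE.match(raw.strip())
        if m and int(m.group("hits")) == 0:
            unused.append((int(m.group("line")), m.group("ace")))
    return unused


# Constructed sample data: a home LAN that clashes with the customer's
# address space, and ASA output captured after one VPN session.
LOCAL_NETS = ["192.168.1.0/24", "10.0.0.0/24"]
REMOTE_NETS = ["10.0.0.0/16", "172.16.5.0/24"]

SHOW_ACL = """\
access-list 101; 6 elements
access-list 101 line 1 extended permit gre any host 203.0.113.10 (hitcnt=0) 0x1f2e3d4c
access-list 101 line 2 extended permit ah any host 203.0.113.10 (hitcnt=0) 0x2a3b4c5d
access-list 101 line 3 extended permit esp any host 203.0.113.10 (hitcnt=118) 0x3b4c5d6e
access-list 101 line 4 extended permit udp any host 203.0.113.10 eq isakmp (hitcnt=7) 0x4c5d6e7f
access-list 101 line 5 extended permit udp any host 203.0.113.10 eq 4500 (hitcnt=0) 0x5d6e7f80
access-list 101 line 6 extended permit udp any host 203.0.113.10 eq 10000 (hitcnt=0) 0x6e7f8091
"""

if __name__ == "__main__":
    for loc, rem in overlapping_networks(LOCAL_NETS, REMOTE_NETS):
        print(f"OVERLAP: local {loc} overlaps remote {rem}")
    print("udp/4500 flow is", classify_flow(17, 4500))
    print("protocol 50 flow is", classify_flow(50))
    for line, ace in unused_aces(SHOW_ACL):
        print(f"ACL line {line} never hit: {ace}")
```

With the sample data the overlap check flags 10.0.0.0/24 against the customer's 10.0.0.0/16, and the hit-count pass reports that only the ESP and ISAKMP entries were used, which matches the "open everything, then trim by hit count" approach described above.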

-----Original Message-----
From: cisco-voip-bounces at puck.nether.net
[mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Jonathan
Charles
Sent: Tuesday, August 28, 2007 1:29 AM
To: cisco voip list
Subject: [cisco-voip] VPN Connects to destination network, but can't
ping,telnet, or connect to servers...

So, I have a customer I support; I can VPN into their network (Cisco
VPN client, Cisco 3030 VPN Concentrator), but once I connect, I can't
do anything: can't telnet, can't ping, can't connect to shares,
nothing...

However, if I bypass my firewall (ASA 5520), and connect directly to
the internet, I can VPN in and everything works...

I have noticed this a bunch of times, with a lot of customers.

Why does this happen?

Jonathan
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

