[c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?

Michael K. Smith - Adhost mksmith at adhost.com
Fri Aug 7 17:40:21 EDT 2009

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Scott Granados
> Sent: Friday, August 07, 2009 1:47 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between
> Cisco client and inside network?
> 
> Hi, I'm having difficulties configuring VPN tunnels between a PC with
> the Cisco VPN client (Windows XP) and an ASA5520.
> 
> BACKGROUND
> 
> I have an ASA5520 with a public interface of 206.x.x.232 and an inside
> address of 10.18.14.6.  The outside interface is connected to the public
> Internet directly; the inside interface is attached to a switch with
> layer 3 capabilities and has an address of 10.18.14.1/24.  The default
> route is pointed to the public Internet gateway and the 10.18.0.0/16
> network is routed via the 10.18.14.1 inside address.  The VPN device is
> running version 7 software (according to the VPN client log file).
> 
> PROBLEM
> 
> When I initiate a connection from the PC to the public-facing interface
> over an external network, the session authenticates and reports
> connected, and the client is assigned an address from the correct pool,
> but I'm not able to pass traffic.  Looking at the stats, the routes
> learned appear (10.18.0.0/16), or whatever routes I added to the
> split-tunnel network list.  I do notice that the tunnel stats do not
> show the encrypted packet count increasing, so I assume I'm not tagging
> something correctly or the ASA is confused about what to encrypt.  I've
> been using the Cisco ASA configuration examples as a starting point but
> think I'm missing the point somewhere.  Any pointers would be
> appreciated; config tidbits follow.
> 
> split-tunnel ACL

I would imagine having the /16 that encompasses the /24 of your inside
interface and your VPN pool is a "bad thing."  The /16 route is injected
into the tunnel, which encompasses your default gateway for the VPN, but
you have forwarded all that traffic to the .1 address.  As a start, I
would get more specific on your subnets, since 10.18.14.0/24 is
physically tied to the ASA.  Why not try more specifics like
10.18.1.0/24, 10.18.2.0/24, etc., and see if that helps.

Regards,

Mike
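
The more-specific split-tunnel list Mike suggests, written out as ASA 7.x configuration together with the counters to check afterwards. This is an added example, not configuration from Scott's post or from Mike's reply. The only addresses taken from the thread are 10.18.0.0/16, the inside 10.18.14.0/24 and the 10.18.14.1 next hop; the object names SPLIT_TUNNEL, RA_POLICY and VPN_POOL, the pool range 10.18.200.1-10.18.200.254, and the choice of 10.18.1.0/24 and 10.18.2.0/24 as the subnets behind the L3 switch are assumptions.

```cisco
! Added example, not from the thread. Names, pool range and the
! listed /24s are assumed; only 10.18.0.0/16, 10.18.14.0/24 and
! 10.18.14.1 come from the post.
!
! --- What the post describes: one /16 in the split-tunnel list that
!     also covers the ASA's own inside /24 (10.18.14.0/24) and the
!     subnet the VPN pool is carved from.
access-list SPLIT_TUNNEL standard permit 10.18.0.0 255.255.0.0
!
! --- Mike's suggestion: replace it with only the subnets that really
!     sit behind the 10.18.14.1 L3 switch, leaving out the inside /24
!     that is directly connected to the ASA and the pool's subnet.
no access-list SPLIT_TUNNEL standard permit 10.18.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit 10.18.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.18.2.0 255.255.255.0
!
! Assumed pool and group policy; the policy pushes the list above to
! the client as its split-tunnel network list.
ip local pool VPN_POOL 10.18.200.1-10.18.200.254 mask 255.255.255.0
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! Checks after the client reconnects:
!   show crypto ipsec sa       -> #pkts encaps / #pkts decaps per client SA
!   show vpn-sessiondb remote  -> assigned pool address and group policy
!   show route                 -> 10.18.0.0/16 via 10.18.14.1 on inside
```

On the ASA side, `show crypto ipsec sa` is the counterpart of the client's "encrypted packet" statistic: decaps rising while encaps stays flat means the ASA is receiving and decrypting the client's packets but never encrypting a reply, which points at return routing on the inside (the L3 switch forwarding pool-bound traffic somewhere other than the ASA) rather than at the client's split-tunnel routes. Both counters flat means the client's packets are not even reaching the tunnel, which is where the route injected by the split-tunnel list matters.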

