[c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client andinside network?

Scott Granados gsgranados at comcast.net
Fri Aug 7 19:13:33 EDT 2009


I'm thinking this might be it.  I'm probably doing bad things with the connected pool.

Thanks for the pointers.

  ----- Original Message ----- 
  From: Randy 
  To: Michael K. Smith - Adhost ; Scott Granados 
  Cc: cisco-nsp at puck.nether.net 
  Sent: Friday, August 07, 2009 4:02 PM
  Subject: Re: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client andinside network?


        ..also keep in mind that your split-tunnel ACL can be extended if specified in the following format:

        x.x.x.x mask  y.y.y.y mask (your vpn pool)
        10.18.0.0 255.255.0.0 10.18.14.0 255.255.255.0

        --- On Fri, 8/7/09, Scott Granados <gsgranados at comcast.net> wrote:


          From: Scott Granados <gsgranados at comcast.net>
          Subject: Re: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client andinside network?
          To: "Michael K. Smith - Adhost" <mksmith at adhost.com>
          Cc: cisco-nsp at puck.nether.net
          Date: Friday, August 7, 2009, 3:03 PM


          Hi Michael,

          Wouldn't the more specific /24 come into play instead of the much larger 
          /16?  If I route the /16 via 10.18.14.1 but the /24 of 10.18.14.1 is 
          directly connected I would have thought the /24 would win.  I'll definitely 
          give this a try however.

          Thanks
          Scott


          ----- Original Message ----- 
          From: "Michael K. Smith - Adhost" <mksmith at adhost.com>
          To: "Scott Granados" <gsgranados at comcast.net>; <cisco-nsp at puck.nether.net>
          Sent: Friday, August 07, 2009 2:40 PM
          Subject: RE: [c-nsp] ASA5520,can't pass traffic over ipsec tunnel between 
          Cisco client andinside network?




          > -----Original Message-----
          > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
          > bounces at puck.nether.net] On Behalf Of Scott Granados
          > Sent: Friday, August 07, 2009 1:47 PM
          > To: cisco-nsp at puck.nether.net
          > Subject: [c-nsp] ASA5520,can't pass traffic over ipsec tunnel between
          > Cisco client andinside network?
          >
          > Hi, I'm having difficulties configuring VPN tunnels between a PC with
          > the Cisco VPN client (Windows XP) and an ASA5520.
          >
          > BACKGROUND
          >
          > I have an ASA5520 with a public interface of 206.x.x.232 and an inside
          > address of 10.18.14.6.  The outside interface is connected to the public
          > internet directly, the inside interface is attached to a switch with
          > layer 3 capabilities and has an address of 10.18.14.1/24.  The default
          > route is pointed to the public Internet gateway and the 10.18.0.0/16
          > network is routed via the 10.18.14.1 inside address.  The VPN device is
          > running version 7 software (according to the VPN client log file).
          >
          > PROBLEM
          >
          > When I initiate a connection from the PC to the public facing interface
          > over an external network the session authenticates and reports connected,
          > the client is assigned an address from the correct pool, but I'm not
          > able to pass traffic.  Looking at the stats the routes learned appear
          > (10.18.0.0/16) or whatever routes I added to the split-tunnel network
          > list.  I do notice that the tunnel stats do not show the encrypted packet
          > count increasing so I assume I'm not tagging something correctly or the
          > ASA is confused about what to encrypt.  I've been using the Cisco ASA
          > configuration examples as a starting point but think I'm missing the
          > point somewhere.  Any pointers would be appreciated, config tidbits
          > follow.
          >
          > split-tunnel ACL

          I would imagine having the /16 that encompasses the /24 of your inside
          interface and your VPN pool is a "bad thing."  The /16 route is injected
          into the tunnel, which encompasses your default gateway for the VPN.
          But, you have forwarded all that traffic to the .1 address.  As a start,
          I would get more specific on your subnets, since the 10.18.14.0/24 is
          physically tied to the ASA.  Why not try more specifics like
          10.18.1.0/24, 10.18.2.0/24, etc. and see if that helps.

          Regards,

          Mike 

          _______________________________________________
          cisco-nsp mailing list  cisco-nsp at puck.nether.net
          https://puck.nether.net/mailman/listinfo/cisco-nsp
          archive at http://puck.nether.net/pipermail/cisco-nsp/
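The two points argued in this thread, longest-prefix matching (Scott's question about whether the connected /24 beats the routed /16) and Michael's advice to keep split-tunnel entries from encompassing the inside interface subnet and the VPN pool, can be checked with a short script. The following is an added example, not code or configuration from any poster; the route table and ACL lines are constructed from the addresses quoted in the thread, the outside gateway is a placeholder because the page never gives it, and the VPN pool is assumed to be the 10.18.14.0/24 from Randy's extended-ACL example line.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed sample values taken from the thread: the ASA's connected inside
# /24, the 10.18.0.0/16 routed via the L3 switch at 10.18.14.1, and a default
# route.  The outside gateway address is not on the page, so its next hop is
# a placeholder label.
ROUTES = [
    (IPv4Network("0.0.0.0/0"), "OUTSIDE_GW_PLACEHOLDER"),
    (IPv4Network("10.18.0.0/16"), "10.18.14.1"),
    (IPv4Network("10.18.14.0/24"), "connected"),
]
INSIDE_SUBNET = IPv4Network("10.18.14.0/24")
# Assumption: the pool is the 10.18.14.0/24 shown in Randy's example line;
# the thread never states the real pool.
VPN_POOL = IPv4Network("10.18.14.0/24")


def asa_network(addr: str, mask: str) -> IPv4Network:
    """Turn ASA 'address mask' notation into an IPv4Network."""
    return IPv4Network(f"{addr}/{mask}", strict=False)


def parse_split_tunnel_line(line: str):
    """Parse one split-tunnel access-list line.

    Standard form:  access-list NAME standard permit A MASK
    Extended form:  access-list NAME extended permit ip A MASK B MASK
    Returns (network, pool_or_None); in the extended form the second pair is
    the pool, which is how Randy's 'x.x.x.x mask y.y.y.y mask' entry reads.
    """
    tok = line.split()
    if "permit" not in tok:
        raise ValueError(f"not a permit entry: {line!r}")
    rest = tok[tok.index("permit") + 1:]
    if rest and rest[0] == "ip":          # extended ACL
        return asa_network(rest[1], rest[2]), asa_network(rest[3], rest[4])
    return asa_network(rest[0], rest[1]), None


def best_route(routes, dst: str):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = IPv4Address(dst)
    matches = [(net, nh) for net, nh in routes if addr in net]
    if not matches:
        return None
    net, nh = max(matches, key=lambda r: r[0].prefixlen)
    return str(net), nh


def split_tunnel_overlaps(acl_lines, inside_subnet, vpn_pool):
    """Flag split-tunnel networks that cover the inside subnet or the pool.

    Michael's reply recommends more specific subnets: an entry that
    encompasses the inside interface's own /24 (the VPN's gateway subnet) or
    the client pool is reported here so it can be split up.
    """
    findings = []
    for line in acl_lines:
        net, _pool = parse_split_tunnel_line(line)
        reasons = []
        if net.overlaps(inside_subnet):
            reasons.append("covers the ASA inside interface subnet")
        if net.overlaps(vpn_pool):
            reasons.append("covers the VPN address pool")
        if reasons:
            findings.append((str(net), reasons))
    return findings


if __name__ == "__main__":
    for dst in ("10.18.14.1", "10.18.2.5", "198.51.100.7"):
        print(dst, "->", best_route(ROUTES, dst))
    broad = ["access-list SPLIT standard permit 10.18.0.0 255.255.0.0"]
    specific = ["access-list SPLIT standard permit 10.18.1.0 255.255.255.0",
                "access-list SPLIT standard permit 10.18.2.0 255.255.255.0"]
    print("broad:", split_tunnel_overlaps(broad, INSIDE_SUBNET, VPN_POOL))
    print("specific:", split_tunnel_overlaps(specific, INSIDE_SUBNET, VPN_POOL))
```

Running it shows that on the ASA's own table the connected /24 does win for 10.18.14.1 while 10.18.2.5 falls to the /16 via the switch, and that the single /16 split-tunnel entry is flagged for covering both the inside subnet and the pool whereas the per-/24 entries Michael suggests are not.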
       

