[c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?
Randy
randy_94108 at yahoo.com
Fri Aug 7 19:02:51 EDT 2009
..also keep in mind that your split-tunnel ACL can be extended if specified in the following format:
x.x.x.x mask y.y.y.y mask (your vpn pool)
10.18.0.0 255.255.0.0 10.18.14.0 255.255.255.0
--- On Fri, 8/7/09, Scott Granados <gsgranados at comcast.net> wrote:
From: Scott Granados <gsgranados at comcast.net>
Subject: Re: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?
To: "Michael K. Smith - Adhost" <mksmith at adhost.com>
Cc: cisco-nsp at puck.nether.net
Date: Friday, August 7, 2009, 3:03 PM
Hi Michael,
Wouldn't the more specific /24 come into play instead of the much larger /16? If I route the /16 via 10.18.14.1 but the /24 of 10.18.14.1 is directly connected, I would have thought the /24 would win. I'll definitely give this a try however.
Thanks
Scott
----- Original Message -----
From: "Michael K. Smith - Adhost" <mksmith at adhost.com>
To: "Scott Granados" <gsgranados at comcast.net>; <cisco-nsp at puck.nether.net>
Sent: Friday, August 07, 2009 2:40 PM
Subject: RE: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Scott Granados
> Sent: Friday, August 07, 2009 1:47 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between
> Cisco client and inside network?
>
> Hi, I'm having difficulties configuring VPN tunnels between a PC with the
> Cisco VPN client (Windows XP) and an ASA5520.
>
> BACKGROUND
>
> I have an ASA5520 with a public interface of 206.x.x.232 and an inside
> address of 10.18.14.6. The outside interface is connected to the public
> Internet directly; the inside interface is attached to a switch with
> layer 3 capabilities and has an address of 10.18.14.1/24. The default
> route is pointed to the public Internet gateway and the 10.18.0.0/16
> network is routed via the 10.18.14.1 inside address. The VPN device is
> running version 7 software (according to the VPN client log file).
>
> PROBLEM
>
> When I initiate a connection from the PC to the public facing interface
> over an external network, the session authenticates and reports
> connected, the client is assigned an address from the correct pool, but
> I'm not able to pass traffic. Looking at the stats, the routes learned
> appear (10.18.0.0/16) or whatever routes I added to the split-tunnel
> network list. I do notice that the tunnel stats do not show the
> encrypted packet count increasing, so I assume I'm not tagging something
> correctly or the ASA is confused about what to encrypt. I've been using
> the Cisco ASA configuration examples as a starting point but think I'm
> missing the point somewhere. Any pointers would be appreciated; config
> tidbits follow.
>
> split-tunnel ACL
I would imagine having the /16 that encompasses the /24 of your inside
interface and your VPN pool is a "bad thing." The /16 route is injected
into the tunnel, which encompasses your default gateway for the VPN.
But, you have forwarded all that traffic to the .1 address. As a start,
I would get more specific on your subnets, since the 10.18.14.0/24 is
physically tied to the ASA. Why not try more specifics like
10.18.1.0/24, 10.18.2.0/24, etc. and see if that helps.
Regards,
Mike
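An added worked check, written for this archive page and not code from any poster or from Cisco: it takes the addressing from the thread, flags split-tunnel entries that swallow the ASA inside subnet or the VPN pool (Mike's point), carves those out into the "more specific" prefixes Mike suggests, and renders them in the extended source/destination ACE form Randy describes. Scott never states his pool, so 10.18.250.0/24 is a constructed assumption.

```python
import ipaddress

# Values from the thread: Scott's split-tunnel list and the ASA inside subnet.
SPLIT_TUNNEL = [ipaddress.ip_network("10.18.0.0/16")]
INSIDE_SUBNET = ipaddress.ip_network("10.18.14.0/24")
# Constructed assumption: the thread never states Scott's pool; a pool inside the /16 is used.
VPN_POOL = ipaddress.ip_network("10.18.250.0/24")


def overlap_findings(split_list, inside, pool):
    """Flag split-tunnel entries that cover the inside subnet or the VPN pool
    (Mike's point): the client then routes its own gateway/pool into the tunnel."""
    findings = []
    for net in split_list:
        for label, special in (("inside subnet", inside), ("VPN pool", pool)):
            if special.subnet_of(net):
                findings.append(f"{net} covers the {label} {special}")
    return findings


def more_specific_split_list(split_list, holes):
    """Carve every hole out of the split list and return the maximal CIDR
    blocks that remain (Mike's 'more specific' subnets)."""
    result = []
    for net in split_list:
        pieces = [net]
        for hole in holes:
            kept = []
            for piece in pieces:
                if piece.subnet_of(hole):
                    continue  # entirely inside a hole: drop it
                if hole.subnet_of(piece):
                    kept.extend(piece.address_exclude(hole))
                else:
                    kept.append(piece)  # disjoint from the hole: keep as-is
            pieces = kept
        result.extend(pieces)
    return sorted(ipaddress.collapse_addresses(result))


def asa_split_acl(name, networks, pool):
    """Render the list as extended ACEs (source = inside network, destination =
    VPN pool), the extended format Randy's note describes."""
    return [
        f"access-list {name} extended permit ip "
        f"{n.network_address} {n.netmask} {pool.network_address} {pool.netmask}"
        for n in networks
    ]


FINDINGS = overlap_findings(SPLIT_TUNNEL, INSIDE_SUBNET, VPN_POOL)
RECOMMENDED = more_specific_split_list(SPLIT_TUNNEL, [INSIDE_SUBNET, VPN_POOL])
ACL_LINES = asa_split_acl("split-tunnel", RECOMMENDED, VPN_POOL)
```

With the single /16 entry, FINDINGS reports both overlaps and RECOMMENDED holds the 14 prefixes that remain once 10.18.14.0/24 and the assumed pool are carved out.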
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/