[c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?
Scott Granados
gsgranados at comcast.net
Sun Aug 9 18:58:15 EDT 2009
Hi, just to follow up on this. Thanks to everyone who responded; this
solution worked.
I adjusted the routes as Mike and Randy and others suggested and things seem
to be working now.
Thanks to everyone for the help.
Scott
----- Original Message -----
From: "Michael K. Smith - Adhost" <mksmith at adhost.com>
To: "Scott Granados" <gsgranados at comcast.net>; <cisco-nsp at puck.nether.net>
Sent: Friday, August 07, 2009 2:40 PM
Subject: RE: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between
Cisco client and inside network?
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Scott Granados
> Sent: Friday, August 07, 2009 1:47 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between
> Cisco client and inside network?
>
> Hi, I'm having difficulties configuring VPN tunnels between a PC with
> the Cisco VPN client (Windows XP) and an ASA5520.
>
> BACKGROUND
>
> I have an ASA5520 with a public interface of 206.x.x.232 and an inside
> address of 10.18.14.6. The outside interface is connected to the public
> Internet directly; the inside interface is attached to a switch with
> layer 3 capabilities that has an address of 10.18.14.1/24. The default
> route is pointed to the public Internet gateway and the 10.18.0.0/16
> network is routed via the 10.18.14.1 inside address. The VPN device is
> running version 7 software (according to the VPN client log file).
>
> PROBLEM
>
> When I initiate a connection from the PC to the public-facing interface
> over an external network, the session authenticates and reports
> connected, and the client is assigned an address from the correct pool,
> but I'm not able to pass traffic. Looking at the stats, the routes
> learned appear (10.18.0.0/16) or whatever routes I added to the
> split-tunnel network list. I do notice that the tunnel stats do not show
> the encrypted packet count increasing, so I assume I'm not tagging
> something correctly or the ASA is confused about what to encrypt. I've
> been using the Cisco ASA configuration examples as a starting point but
> think I'm missing the point somewhere. Any pointers would be
> appreciated; config tidbits follow.
>
> split-tunnel ACL
I would imagine having the /16 that encompasses the /24 of your inside
interface and your VPN pool is a "bad thing." The /16 route is injected
into the tunnel, which encompasses your default gateway for the VPN.
But, you have forwarded all that traffic to the .1 address. As a start,
I would get more specific on your subnets, since the 10.18.14.0/24 is
physically tied to the ASA. Why not try more specifics like
10.18.1.0/24, 10.18.2.0/24, etc. and see if that helps.
Regards,
Mike
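Mike's diagnosis, turned into a check you can run before pushing a split-tunnel ACL. This is an added example in Python, not part of the thread and not a Cisco tool. The thread gives the ASA's connected inside subnet (10.18.14.0/24) and the broad 10.18.0.0/16 entry; the VPN pool (10.18.200.0/24), the ACL entries and the ACL name `split_tunnel` are assumed values, since the actual ACL was never posted. It also generalizes Mike's "10.18.1.0/24, 10.18.2.0/24, etc." suggestion: `carve_out` computes the set of more specific subnets that still cover the /16 while leaving out the pool and the directly connected inside subnet.

```python
import ipaddress

# Constructed sample values for illustration. The thread gives the ASA's inside
# subnet (10.18.14.0/24) and the broad 10.18.0.0/16 split-tunnel route; the VPN
# pool and the exact ACL entries were never posted, so those are assumed here.
INSIDE_SUBNET = "10.18.14.0/24"
VPN_POOL = "10.18.200.0/24"                      # assumed client address pool
BROAD_ACL = ["10.18.0.0/16"]                     # the /16 entry Mike objected to
SPECIFIC_ACL = ["10.18.1.0/24", "10.18.2.0/24"]  # shape of Mike's suggestion


def check_split_tunnel(acl, inside_subnet=INSIDE_SUBNET, vpn_pool=VPN_POOL):
    """Flag split-tunnel entries that swallow the VPN pool or the ASA's
    directly connected inside subnet.

    Returns a list of (entry, reason) tuples; an empty list means no entry
    overlaps either range."""
    inside = ipaddress.ip_network(inside_subnet)
    pool = ipaddress.ip_network(vpn_pool)
    findings = []
    for entry in acl:
        net = ipaddress.ip_network(entry)
        if net.overlaps(pool):
            # The client's own pool address and its tunnel gateway fall inside
            # a route that is itself injected into the tunnel.
            findings.append((entry, f"overlaps VPN pool {pool}"))
        if net.overlaps(inside):
            # The inside /24 is directly connected to the ASA, not behind the
            # 10.18.14.1 layer-3 switch like the rest of the /16.
            findings.append((entry, f"overlaps connected inside subnet {inside}"))
    return findings


def carve_out(broad, exclusions):
    """Split one broad network into the most specific set of subnets that
    covers everything in it except the given exclusions.

    Generalises Mike's advice: the result is the /16 with the pool and the
    connected inside subnet punched out, as a list of ip_network objects."""
    remaining = [ipaddress.ip_network(broad)]
    for ex in exclusions:
        ex_net = ipaddress.ip_network(ex)
        next_remaining = []
        for net in remaining:
            if ex_net.subnet_of(net):
                # address_exclude yields the pieces of net not covered by ex_net
                next_remaining.extend(net.address_exclude(ex_net))
            elif net.subnet_of(ex_net):
                continue  # fully inside the exclusion: drop it
            else:
                next_remaining.append(net)
        remaining = next_remaining
    return sorted(remaining)


if __name__ == "__main__":
    for name, acl in (("broad", BROAD_ACL), ("specific", SPECIFIC_ACL)):
        print(f"{name} ACL: {check_split_tunnel(acl) or 'no overlaps'}")
    # Print the carved-out set in ASA standard-ACL form; "split_tunnel" is a
    # placeholder ACL name, not one from the thread.
    for net in carve_out(BROAD_ACL[0], [INSIDE_SUBNET, VPN_POOL]):
        print(f"access-list split_tunnel standard permit "
              f"{net.network_address} {net.netmask}")
```

Running it against the broad ACL reports both overlaps; the two-entry specific ACL reports none. The carve-out of the /16 minus the two /24s comes out as 14 subnets (the /16 loses its two /24s as a chain of /21 to /24 pieces on each side), which is the tradeoff for leaving the pool and the connected subnet out of the tunnel.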