Cisco VPN Client One Way Traffic

Curiosityx · 20 Jul 2008 at 17:42

Greetings, im having problems with Remote Access Connections to a Cisco ASA 5510 v8.0.3(19), i have setup the required connection profile, transform set, crypto map and split tunnel acl, specified traffic to be exempt from NAT and enabled NAT-T.

I can successfully establish a VPN connection and can ping the inside address of the firewall as have have set the inside address to allow management access but nothing within the internal subnet beyond the firewall.

Ive read several technotes on cisco that suggest NAT-T issues and not specifying protected traffic but cant seem to pinpoint an issue. I have also tried several version of the Cisco VPN Client and the ASA Code from v7.2 to 8.0.3

Any suggestions would be much appreciated.

Regards

Rich · 20 Jul 2008 at 17:53

I would start by enabling NAT-T.

You can also do a packet-trace command to see where things are going wrong.

For example:

packet-tracer input outside x.x.x.x (source address) 1025 (source port) x.x.x.x (destination address) 22 (destination port).

That should give you an 8 or so step breakdown of what is going wrong where.
Also make sure your internal hosts have a return route to your RAS pool.

Curiosityx · 20 Jul 2008 at 18:20

Cheers for the reply, i can confirm that i have enabled NAT-T prior testing and have it configured on the VPN Client.

Ill try the packet trace on a live VPN Connection and see if it's being block anywhere, the inside server im using for LDAP authentication is directly connected to the same network as the ASA inside interface so im fairly positive it can be routed too.

Could i ask which addresses you would use for source and destination address? Source Address "Inside Host" Destination Address "Remote VPN Peer Inside Address"?

Curiosityx · 20 Jul 2008 at 18:42

Humm interesting just enabled Proxy Arps on the inside interface and everything has fallen into place.

Rich · 20 Jul 2008 at 19:27

Cool. Always nice when things fall into place. Little odd that Proxy arps fixed it if you arent doing any natting on the inside though.... dont recall the ASA needing it for VPN....

Curiosityx · 20 Jul 2008 at 21:38

Rich said:
Cool. Always nice when things fall into place. Little odd that Proxy arps fixed it if you arent doing any natting on the inside though.... dont recall the ASA needing it for VPN....

Im confused myself but more than happy it's working.