Cisco VPN Client One Way Traffic

Soldato | Joined 17 Oct 2002 | Posts 3,941 | Location West Midlands
Greetings, I'm having problems with Remote Access Connections to a Cisco ASA 5510 v8.0.3(19). I have set up the required connection profile, transform set, crypto map and split tunnel ACL, specified traffic to be exempt from NAT and enabled NAT-T.

I can successfully establish a VPN connection and can ping the inside address of the firewall, as I have set the inside address to allow management access, but nothing within the internal subnet beyond the firewall.

I've read several technotes on Cisco that suggest NAT-T issues and not specifying protected traffic but can't seem to pinpoint an issue. I have also tried several versions of the Cisco VPN Client and the ASA code from v7.2 to 8.0.3.

Any suggestions would be much appreciated.

Regards
 
I would start by enabling NAT-T.

You can also do a packet-tracer command to see where things are going wrong.

For example:

packet-tracer input outside x.x.x.x (source address) 1025 (source port) x.x.x.x (destination address) 22 (destination port)

That should give you an 8 or so step breakdown of what is going wrong where.
Also make sure your internal hosts have a return route to your RAS pool.
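As an added example (constructed here, not from any post in this thread), the ASA 8.0.x fragments the original poster says are in place, written out so they can be compared against a running config, followed by the packet-tracer and return-route checks suggested above. The addresses, pool and object names are assumptions.

```text
! Constructed example: inside LAN 192.168.1.0/24, remote-access pool 192.168.50.0/24
ip local pool RA_POOL 192.168.50.1-192.168.50.254 mask 255.255.255.0
!
! Split-tunnel ACL: only the inside LAN is sent through the tunnel
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
!
! NAT exemption: inside LAN to VPN pool must bypass NAT, otherwise replies
! are translated and no longer match the protected traffic (one-way traffic)
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Let decrypted VPN traffic bypass the outside interface ACL
sysopt connection permit-vpn
!
! NAT traversal, keepalive every 20 seconds
crypto isakmp nat-traversal 20
!
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
tunnel-group RA_GROUP type remote-access
tunnel-group RA_GROUP general-attributes
 address-pool RA_POOL
 default-group-policy RA_POLICY
!
! Check 1: trace an ICMP echo from a pool address to an inside host and
! read the phase that reports DROP (ACL, NAT or route lookup)
packet-tracer input outside icmp 192.168.50.10 8 0 192.168.1.20
!
! Check 2: every inside host (or its default gateway) must route
! 192.168.50.0/24 back to the ASA inside interface, e.g. on a router:
!   ip route 192.168.50.0 255.255.255.0 <asa-inside-address>
```

If inside hosts use a gateway other than the ASA and have no such route, the echo request arrives but the reply goes elsewhere, which matches the one-way behaviour described in the first post.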
 
Cheers for the reply, I can confirm that I have enabled NAT-T prior to testing and have it configured on the VPN Client.

I'll try the packet trace on a live VPN connection and see if it's being blocked anywhere; the inside server I'm using for LDAP authentication is directly connected to the same network as the ASA inside interface, so I'm fairly positive it can be routed to.

Could I ask which addresses you would use for source and destination address? Source address "Inside Host", destination address "Remote VPN Peer Inside Address"?
 
Cool. Always nice when things fall into place. Little odd that proxy ARP fixed it if you aren't doing any NATting on the inside though... don't recall the ASA needing it for VPN...
 