
Friday, November 13, 2009

Remote Access VPN to ASA 5510 not passing traffic

We have a Cisco client remote accessing into a 5510. Authentication works fine, secured routes info shows correctly in my client, and the client reports that traffic is being encrypted, but I can't access any of the resources over the tunnel. The output of a #sh crypto ipsec sa peer x.x.x.x command shows traffic is not being passed. Our l2l configuration works fine.

You are trying to pass traffic to internal networks that are not covered by your NAT exemption ACLs (no-nat-inside, no-nat-dmz). Make sure those no-nat ACLs permit traffic from the "inside" networks to the VPN client pool; otherwise the return traffic is translated and never enters the tunnel.

Other common causes:
- your internal routers may not have a route for the VPN client pool pointing back towards the ASA
- access-lists applied to the interfaces (show run access-group) may not permit the traffic from the "inside" network to the VPN clients
- split-dns is not configured under the group-policy for your internal domain names, so internal hostnames do not resolve over the tunnel

Cisco by default does not allow NAT-T over UDP. Adding ipsec-udp enable under your group policy fixed my issue.
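The following ASA configuration fragment is an added, constructed example and is not taken from the original thread. It puts each of the fixes above in one place using ASA 8.2-style syntax (nat 0 access-list), and assumes an inside network of 192.168.1.0/24, a DMZ of 172.16.1.0/24, a client pool of 10.10.10.0/24, the ACL names from the answer, a group-policy named RA-POLICY, an internal domain corp.example.com, and an ASA inside address of 192.168.1.1; all of these are placeholders to adapt.

```cisco
! Constructed example (not from the original thread). Assumed addressing:
!   inside 192.168.1.0/24   dmz 172.16.1.0/24   VPN client pool 10.10.10.0/24
!   ASA inside address 192.168.1.1   domain corp.example.com   policy RA-POLICY
! ASA 8.2-style NAT syntax; ACL names match the no-nat-inside / no-nat-dmz above.

ip local pool VPN-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! 1. NAT exemption: inside and dmz must be exempt from NAT when talking to the
!    client pool. If the pool is missing here, replies are translated and never
!    enter the tunnel (SA up, client encrypting, nothing comes back).
access-list no-nat-inside extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list no-nat-inside
access-list no-nat-dmz extended permit ip 172.16.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (dmz) 0 access-list no-nat-dmz

! 2. If an ACL is applied inbound on the inside interface, it must permit
!    inside -> pool. Traffic arriving through the tunnel itself bypasses the
!    outside interface ACL while "sysopt connection permit-vpn" (the default)
!    is in effect, so the outside ACL is rarely the culprit.
access-list inside_in extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-group inside_in in interface inside

! 3. Group policy: split DNS for the internal domain and IPsec over UDP
!    (the "ipsec-udp enable" fix reported above; port 10000 is the default).
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 172.16.1.0 255.255.255.0
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 default-domain value corp.example.com
 split-dns value corp.example.com
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 ipsec-udp enable
 ipsec-udp-port 10000

! 4. On each internal router (IOS syntax), the pool must route back to the
!    ASA inside interface, or replies leave via the default route instead.
ip route 10.10.10.0 255.255.255.0 192.168.1.1

! Verification on the ASA with a client connected (x.x.x.x = client public IP):
!   show crypto ipsec sa peer x.x.x.x   -> both "#pkts encaps" and "#pkts decaps" should climb
!   show nat                            -> hit counts on the nat 0 ACL entries
!   show run access-group               -> confirms which ACL is bound to "inside"
!   packet-tracer input inside tcp 192.168.1.10 1024 10.10.10.5 445
!                                       -> the NAT-EXEMPT phase should match no-nat-inside
```

The counters in show crypto ipsec sa narrow the fault quickly: decaps increasing while encaps stays at zero means the client's packets arrive and are decrypted but the replies never come back, which points at the NAT exemption, the inside ACL, or internal routing (items 1, 2 and 4); both counters stuck at zero means nothing reaches the ASA at all, which is where IPsec over UDP or NAT-T (item 3) comes in.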

Citation - This blog post does not reflect original content from the author. Rather, it summarizes content that is relevant to the topic from different sources on the web. The sources might include online discussion boards, forums, websites and others.

5 comments:

  1. Drake says:

    Actually, I have not faced such a problem yet, but I've noted your direction; if I face such a problem in future, this way of solving it will help me. Thanks

  2. VPN services with a dynamic shared IP are a great way to navigate the World Wide Web. There are enormous benefits, and you can enjoy all of them with the opening of various VPN providers to choose from. surfeasy premium discount

  3. Moreover, most of the service providers do not track the activity of premium account members, while they generally keep a log of free members. This comes in very handy if you are working with critical information and don't want anyone to have access to it. the best vpn for travel

  4. This compares to extra components that might or might not be required for your framework. VPN service

  5. Any individual who views themselves as a smart PC user may never use the web without having a firewall and also an antivirus that is kept up to date. blog
