I'm thinking this might be it. I'm probably doing bad things with the connected pool.
Thanks for the pointers.

----- Original Message -----
From: Randy
To: Michael K. Smith - Adhost ; Scott Granados
Cc: cisco-nsp@puck.nether.net
Sent: Friday, August 07, 2009 4:02 PM
Subject: Re: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?

..also keep in mind that your split-tunnel ACL can be extended if specified in the following format:

x.x.x.x mask y.y.y.y mask (your vpn pool)

10.18.0.0 255.255.0.0 10.18.14.0 255.255.255.0

--- On Fri, 8/7/09, Scott Granados <gsgrana...@comcast.net> wrote:

From: Scott Granados <gsgrana...@comcast.net>
Subject: Re: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?
To: "Michael K. Smith - Adhost" <mksm...@adhost.com>
Cc: cisco-nsp@puck.nether.net
Date: Friday, August 7, 2009, 3:03 PM

Hi Michael,

Wouldn't the more specific /24 come into play instead of the much larger /16? If I route the /16 via 10.18.14.1 but the /24 of 10.18.14.1 is directly connected I would have thought the /24 would win. I'll definitely give this a try however.

Thanks
Scott

----- Original Message -----
From: "Michael K. Smith - Adhost" <mksm...@adhost.com>
To: "Scott Granados" <gsgrana...@comcast.net>; <cisco-nsp@puck.nether.net>
Sent: Friday, August 07, 2009 2:40 PM
Subject: RE: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?

> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Granados
> Sent: Friday, August 07, 2009 1:47 PM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?
>
> Hi, I'm having difficulties configuring VPN tunnels between a PC with the Cisco VPN client (windows XP) and an ASA5520.
>
> BACKGROUND
>
> I have an ASA5520 with a public interface of 206.x.x.232 and an inside address of 10.18.14.6. The outside interface is connected to the public internet directly, the inside interface is attached to a switch with layer 3 capabilities and has an address of 10.18.14.1/24. The default route is pointed to the public Internet gateway and the 10.18.0.0/16 network is routed via the 10.18.14.1 inside address. The VPN device is running version 7 software (according to the VPN client log file).
>
> PROBLEM
>
> When I initiate a connection from the PC to the public facing interface over an external network the session authenticates and reports connected, the client is assigned an address from the correct pool, but I'm not able to pass traffic. Looking at the stats the routes learned appear (10.18.0.0/16) or whatever routes I added to the split-tunnel network list. I do notice that the tunnel stats do not show the encrypted packet count increasing so I assume I'm not tagging something correctly or the ASA is confused about what to encrypt. I've been using the Cisco ASA configuration examples as a starting point but think I'm missing the point somewhere. Any pointers would be appreciated, config tidbits follow.
>
> split-tunnel ACL

I would imagine having the /16 that encompasses the /24 of your inside interface and your VPN pool is a "bad thing." The /16 route is injected into the tunnel, which encompasses your default gateway for the VPN. But, you have forwarded all that traffic to the .1 address. As a start, I would get more specific on your subnets, since the 10.18.14.0/24 is physically tied to the ASA. Why not try more specifics like 10.18.1.0/24, 10.18.2.0/24, etc. and see if that helps.
Regards,

Mike

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
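The thread's diagnosis (a split-tunnel /16 that swallows both the ASA's connected inside /24 and the client pool) and the two suggested fixes (Mike's "get more specific" and Randy's source/destination ACL form) lend themselves to a small sanity check. The script below is an added example, not code from the thread or from Cisco: it flags split-tunnel networks that cover the inside subnet or the pool, carves those networks out so only the remaining CIDR blocks are pushed to the client, and renders the result in ASA extended access-list syntax. The inside subnet (10.18.14.1/24) and split-tunnel entry (10.18.0.0/16) come from the thread; the pool 10.18.200.0/24 and the ACL name SPLIT are constructed placeholders, since the thread does not give them.

```python
# Added example (not from the cisco-nsp thread): check a split-tunnel network
# list against the ASA's directly connected inside subnet and the remote-access
# address pool, and derive the "more specific" replacements the thread suggests.
# From the thread: inside interface 10.18.14.1/24, split-tunnel network
# 10.18.0.0/16. Constructed placeholders: pool 10.18.200.0/24, ACL name SPLIT.
import ipaddress
from typing import Iterable, List, Tuple


def find_overlaps(split_tunnel: Iterable[str], inside_subnet: str,
                  vpn_pool: str) -> List[Tuple[str, str]]:
    """Return (network, reason) pairs for split-tunnel entries that cover the
    ASA's connected inside subnet or the VPN address pool. Such an entry pushes
    the client a route that also claims the networks the tunnel endpoint and the
    client itself live on, which is the situation the thread describes."""
    inside = ipaddress.ip_network(inside_subnet, strict=False)
    pool = ipaddress.ip_network(vpn_pool, strict=False)
    findings = []
    for entry in split_tunnel:
        net = ipaddress.ip_network(entry, strict=False)
        if net.overlaps(inside):
            findings.append((str(net), f"covers connected inside subnet {inside}"))
        if net.overlaps(pool):
            findings.append((str(net), f"covers VPN address pool {pool}"))
    return findings


def more_specific(split_tunnel: Iterable[str], exclude: Iterable[str]) -> List[str]:
    """Rewrite each split-tunnel network as the CIDR blocks left after carving
    out the excluded networks (inside subnet and pool), so the client still
    tunnels the rest of the address space but leaves those two alone."""
    excludes = [ipaddress.ip_network(e, strict=False) for e in exclude]
    result = []
    for entry in split_tunnel:
        pieces = [ipaddress.ip_network(entry, strict=False)]
        for ex in excludes:
            remaining = []
            for piece in pieces:
                if piece.subnet_of(ex):
                    continue                                     # wholly inside an exclusion: drop
                if ex.subnet_of(piece):
                    remaining.extend(piece.address_exclude(ex))  # carve the hole out
                else:
                    remaining.append(piece)                      # disjoint: keep as is
            pieces = remaining
        result.extend(pieces)
    return [str(n) for n in sorted(result)]


def render_extended_acl(acl_name: str, networks: Iterable[str], vpn_pool: str) -> List[str]:
    """Emit entries in the source/destination form Randy describes
    (network mask pool mask), using ASA extended access-list syntax."""
    pool = ipaddress.ip_network(vpn_pool, strict=False)
    lines = []
    for n in networks:
        net = ipaddress.ip_network(n, strict=False)
        lines.append(f"access-list {acl_name} extended permit ip "
                     f"{net.network_address} {net.netmask} "
                     f"{pool.network_address} {pool.netmask}")
    return lines


if __name__ == "__main__":
    INSIDE = "10.18.14.1/24"      # from the thread
    POOL = "10.18.200.0/24"       # constructed placeholder
    SPLIT = ["10.18.0.0/16"]      # from the thread
    for net, why in find_overlaps(SPLIT, INSIDE, POOL):
        print(f"WARNING: {net} {why}")
    fixed = more_specific(SPLIT, [INSIDE, POOL])
    print("\n".join(render_extended_acl("SPLIT", fixed, POOL)))
```

Run against the thread's numbers, the checker reports the /16 twice (once per covered network) and the carve-out turns the single /16 into fourteen blocks, none of which touch 10.18.14.0/24 or the placeholder pool; those blocks are what the client should receive instead of a route that competes with its own connected networks.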