NAT entries are not required as long as *nat-control* is not enabled. I can't recall the default but you can verify your setup: sh run nat-control. The PC in question wouldn't happen to be behind a firewall and using an rfc1918 addr. on the 10.x space as well? Also, NAT-T (ipsec/UDP port 10,000) is enabled on the client?

--- On Fri, 8/7/09, Scott Granados <gsgrana...@comcast.net> wrote:

From: Scott Granados <gsgrana...@comcast.net>
Subject: Re: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?
To: "Rob Gilreath" <rgilre...@hbs.net>, cisco-nsp@puck.nether.net
Date: Friday, August 7, 2009, 2:51 PM

I actually don't have any nat entries because I didn't think I needed any, what with this not being used for anything but VPN. Is this incorrect?

----- Original Message -----
From: "Rob Gilreath" <rgilre...@hbs.net>
To: <cisco-nsp@puck.nether.net>
Cc: "Scott Granados" <gsgrana...@comcast.net>
Sent: Friday, August 07, 2009 2:35 PM
Subject: Re: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?

> Is your nat 0 exception set up?
> Send the config lines starting with nat as well.
>
> On Friday 07 August 2009 03:47:27 pm Scott Granados wrote:
>> Hi, I'm having difficulties configuring VPN tunnels between a PC with the Cisco VPN client (Windows XP) and an ASA5520.
>>
>> BACKGROUND
>>
>> I have an ASA5520 with a public interface of 206.x.x.232 and an inside address of 10.18.14.6. The outside interface is connected to the public internet directly; the inside interface is attached to a switch with layer 3 capabilities and has an address of 10.18.14.1/24. The default route is pointed to the public Internet gateway and the 10.18.0.0/16 network is routed via the 10.18.14.1 inside address. The VPN device is running version 7 software (according to the VPN client log file).
>>
>> PROBLEM
>>
>> When I initiate a connection from the PC to the public facing interface over an external network, the session authenticates and reports connected, the client is assigned an address from the correct pool, but I'm not able to pass traffic. Looking at the stats, the routes learned appear (10.18.0.0/16) or whatever routes I added to the split-tunnel network list. I do notice that the tunnel stats do not show the encrypted packet count increasing, so I assume I'm not tagging something correctly or the ASA is confused about what to encrypt. I've been using the Cisco ASA configuration examples as a starting point but think I'm missing the point somewhere. Any pointers would be appreciated; config tidbits follow.
>>
>> split-tunnel ACL
>>
>> access-list vpn-nets standard permit 10.1.0.0 255.255.0.0
>> access-list vpn-nets standard permit 10.11.0.0 255.255.0.0
>> access-list vpn-nets standard permit 10.18.0.0 255.255.0.0
>> access-list vpn-nets standard permit 10.64.0.0 255.255.0.0
>> access-list vpn-nets standard permit 10.66.0.0 255.255.0.0
>>
>> local pool definition
>>
>> ip local pool VPRN-team-vpn-pool1 10.18.14.96-10.18.14.127 mask 255.255.255.0
>>
>> STATIC ROUTES
>>
>> route outside 0.0.0.0 0.0.0.0 206.x.x.225 1
>> route inside 10.66.0.0 255.255.0.0 10.18.14.1 1
>> route inside 10.11.0.0 255.255.0.0 10.18.14.1 1
>> route inside 10.64.0.0 255.255.0.0 10.18.14.1 1
>> route inside 10.1.0.0 255.255.0.0 10.18.14.1 1
>> route inside 10.18.0.0 255.255.0.0 10.18.14.1 1
>>
>> GROUP POLICY DEFINITION
>>
>> group-policy VPRN-team-policy internal
>> group-policy VPRN-team-policy attributes
>>  banner value This is a private network connection for XXX authorized users only. If you do not have explicit permission from the XXX Network Services department you must disconnect now.
>>  banner value Thank you,
>>  banner value Network Services
>>  banner value 415.xxx.xxxx
>>  wins-server value 10.18.1.14 10.18.1.15
>>  dns-server value 10.18.1.14 10.18.1.15
>>  dhcp-network-scope none
>>  vpn-access-hours none
>>  vpn-simultaneous-logins 1
>>  vpn-idle-timeout 30
>>  vpn-session-timeout none
>>  vpn-filter none
>>  vpn-tunnel-protocol IPSec
>>  password-storage disable
>>  ip-comp enable
>>  re-xauth disable
>>  group-lock none
>>  pfs disable
>>  ipsec-udp enable
>>  ipsec-udp-port 10000
>>  split-tunnel-policy tunnelspecified
>>  split-tunnel-network-list value vpn-nets
>>  default-domain value MY-COMPANY.COM
>>  split-dns none
>>  secure-unit-authentication disable
>>  user-authentication enable
>>  user-authentication-idle-timeout 30
>>  ip-phone-bypass disable
>>  leap-bypass disable
>>  nem disable
>>  backup-servers 206.x.x.233
>>  client-firewall opt cisco-integrated acl-in FWBlockIn acl-out FWAllowAnyOut
>>  webvpn
>>   functions none
>>
>> tunnel-group VPRN-team type ipsec-ra
>> tunnel-group VPRN-team general-attributes
>>  address-pool VPRN-team-vpn-pool1
>>  authentication-server-group my_authent_grp
>>  default-group-policy VPRN-team-policy
>> tunnel-group VPRN-team ipsec-attributes
>>  pre-shared-key *
>>
>> CRYPTO MAP and ISAKMP
>>
>> crypto ipsec transform-set vpn-transform1 esp-3des esp-sha-hmac
>> crypto dynamic-map dynmap1 10 set transform-set vpn-transform1
>> crypto dynamic-map dynmap1 10 set reverse-route
>> crypto map vpnmap 10 ipsec-isakmp dynamic dynmap1
>> crypto map vpnmap interface outside
>> isakmp enable outside
>> isakmp policy 1 authentication pre-share
>> isakmp policy 1 encryption aes
>> isakmp policy 1 hash sha
>> isakmp policy 1 group 2
>> isakmp policy 1 lifetime 28800
>> isakmp policy 10 authentication pre-share
>> isakmp policy 10 encryption 3des
>> isakmp policy 10 hash sha
>> isakmp policy 10 group 2
>> isakmp policy 10 lifetime 1000
>> isakmp policy 20 authentication pre-share
>> isakmp policy 20 encryption 3des
>> isakmp policy 20 hash md5
>> isakmp policy 20 group 2
>> isakmp policy 20 lifetime 10000
>> isakmp policy 30 authentication pre-share
>> isakmp policy 30 encryption 3des
>> isakmp policy 30 hash sha
>> isakmp policy 30 group 2
>> isakmp policy 30 lifetime 10000
>> isakmp policy 40 authentication pre-share
>> isakmp policy 40 encryption 3des
>> isakmp policy 40 hash sha
>> isakmp policy 40 group 2
>> isakmp policy 40 lifetime 86400
>> isakmp nat-traversal 20
>> isakmp reload-wait
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> --
> Rob Gilreath
> Systems Engineer - CCNP, CCDP
> Heartland Business Systems
> rgilre...@hbs.net
> (920) 850-3018
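A way to check the NAT-exemption point Rob and the reply raise, as an added example (not code from the thread or from Cisco): given ASA 7.x config text, it reports which split-tunnel networks have no "nat (inside) 0" ACE covering traffic to the VPN pool. The sample configs are constructed from the posted lines; the "nonat" ACL name and its ACEs are assumptions, and the check also treats a dynamic "nat (inside) N" rule as requiring exemption, which goes beyond the nat-control case the reply names.

```python
import ipaddress
import re
# Constructed from the posted lines (not the full config): nat-control on, no nat rules.
POSTED_CONFIG = """
nat-control
access-list vpn-nets standard permit 10.1.0.0 255.255.0.0
access-list vpn-nets standard permit 10.18.0.0 255.255.0.0
ip local pool VPRN-team-vpn-pool1 10.18.14.96-10.18.14.127 mask 255.255.255.0
"""
# Assumed fix: a 'nonat' ACL exempting inside-to-pool traffic from translation.
FIXED_CONFIG = POSTED_CONFIG + """
access-list nonat extended permit ip 10.1.0.0 255.255.0.0 10.18.14.96 255.255.255.224
access-list nonat extended permit ip 10.18.0.0 255.255.0.0 10.18.14.96 255.255.255.224
nat (inside) 0 access-list nonat
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def pool_networks(cfg, pool):
    """CIDR blocks covering the start-end range of an 'ip local pool'."""
    m = re.search(rf"^ip local pool {re.escape(pool)} (\S+)-(\S+)", cfg, re.M)
    start, end = (ipaddress.ip_address(x) for x in m.groups())
    return list(ipaddress.summarize_address_range(start, end))

def needs_exemption(cfg):
    """Inside traffic gets translated on the way to the pool when nat-control
    is on or a dynamic 'nat (inside) N' rule (N != 0) exists."""
    return bool(re.search(r"^nat-control\s*$", cfg, re.M)
                or re.search(r"^nat \(inside\) [1-9]\d* ", cfg, re.M))

def unexempted_networks(cfg, pool, split_acl):
    """Split-tunnel networks with no 'nat (inside) 0' ACE to the VPN pool."""
    if not needs_exemption(cfg):
        return []
    exempt = []
    for m in re.finditer(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M):
        pat = rf"^access-list {re.escape(m[1])} extended permit ip (\S+) (\S+) (\S+) (\S+)"
        for a in re.finditer(pat, cfg, re.M):
            exempt.append((net(a[1], a[2]), net(a[3], a[4])))
    pools = pool_networks(cfg, pool)
    missing = []
    for a in re.finditer(rf"^access-list {re.escape(split_acl)} standard permit (\S+) (\S+)", cfg, re.M):
        inside = net(a[1], a[2])
        covered = all(any(inside.subnet_of(s) and p.subnet_of(d) for s, d in exempt)
                      for p in pools)
        if not covered:
            missing.append(str(inside))
    return missing
```

Run against the full posted config with all five vpn-nets entries, the function lists every network that still needs an exemption ACE, and an empty list means the pool is reachable untranslated from each split-tunnel network.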