CISCO VPN connection problem

---

I have a problem with VPN access. I was wondering if anyone has had similar issues or any ideas they could throw out.

I will start with:
While studying for CCNA Security and practicing Site-to-Site VPNs, I think I ran into something similar. I have a cisco router on my LAN, and an ASA on my edge (NATing) to my ISP. In the lab setup I had another cisco router on the outside of the ASA instead of the ISP. After weeks of trial and error (and finally giving in and consulting a network engineer), I came to the conclusion that in order to establish the VPN between the two routers in this instance, you are going to have to make a phone call (or have access) to the owner of the ASA doing the NATing. I beat this to death for weeks because I wanted to know what would be the solution in a real-life application. I got the VPN to finally connect by creating a NAT statement on the ASA and continued studying....

Well, today I have what I think is a similar situation, but a NAT statement is not solving it. I am trying to connect with the company's choice of VPN from my house, with the above mentioned setup. The vpn works if I use my cell phone as a hotspot, it works at the job's wifi connection, so my configuration as far as the client is concerned works. This is not a site-to-site. I am using a client on a laptop, usually the client that comes native on Ubuntu or CentOS. Soooo, I toyed with the NAT statements and various ordering of the statements.

-The ISAKMP packets goes through fine in both directions and the tunnel gets formed.
-I can send data encrypted out of the laptop/ASA (tcpdump/capture satement)
-I can see data come back to the ASA in response (capture statement)
...but that's where it ends. I cant tell if the NAT is dropping it, or the ACLs are dropping it.
all I know is that return traffic is is not leaving the ASA towards the "inside".
I did eliminate the router and connect the laptop straight to the ASA.
It is kind of hard to just turn off a bunch of stuff because it is my actual live edge device for my home. I was convinced it had to be a problem with the NAT statements because of the aforementioned lab encounter. But I'm not so sure now since after "toying" with them, I got this far and hit a wall.

I think the VPN/remote device is the old cisco concentrator, (at least i was told it was old, if that helps)

any random ideas?

@WU-TANG

What is the VPN client that you're using and version? Also what is the VPN concentrator and model of concentrator?

I would begin there to see if there may be an issue of sort. I would also test with a known working client and compare that to what may be different in the client configurations too.

@Ronnie-Wong I wasn't clear.... I can connect successfully using the SAME laptop when I connect through my cell phone's hot spot or when I use the SAME laptop at my job's open wi-fi. So I have to believe it is my ASA.

But I have no idea about the info of the concentrator... that office is not local... And I am guessing that I would have a hard time trying to get that info...
I wish I did because then I could mimic that with the lab setup and look at the debug. That's what is stifling me, I can't run any debug on the cisco equipment because the data is only traversing it.
The VPN is client is the native VPN client in Ubuntu (and/or CentOS).

@WU-TANG,

So if testing from your end.

If the ASA is connecting to the VPN concentrator. Use the packet trace utility in the ASDM to confirm that NAT is what is dropping it or not. It should help you to isolate the issue.

I reread that you have (correct me if I'm wrong): LAN--->Router---->ASA---->Outside in the path to the VPN concentrator. Can you simply plug the laptop in place of the router just for testing? To verify it's not the router that may be causing the issue? just as test.

wow, i can't believe this was november... never got a breath to re-engage.
it wasn't the router.. as I was able to watch the ASA traffic on every interface with the capture command... it would only make it back to the outside and get dropped... I just couldn't figure out why or how to configure the NAT statements to allow it, in conjunction with the existing NAT statements...

Either way, it doesn't matter.. we just switched to a different cisco device and we are using an SSL client now...

I will considered this solved by default...
...how do you mark something as solved??? I don't see any such function????

@WU-TANG said in CISCO VPN connection problem:

I will considered this solved by default...
...how do you mark something as solved??? I don't see any such function????

You didn't post this as a question to be solved so no need to mark it solved. But if you do in the future. just click on the topic tools button!