I have a problem with VPN access. I was wondering if anyone has had similar issues or any ideas they could throw out.
I will start with:
While studying for CCNA Security and practicing Site-to-Site VPNs, I think I ran into something similar. I have a Cisco router on my LAN, and an ASA on my edge (NATing) to my ISP. In the lab setup I had another Cisco router on the outside of the ASA instead of the ISP. After weeks of trial and error (and finally giving in and consulting a network engineer), I came to the conclusion that in order to establish the VPN between the two routers in this instance, you are going to have to make a phone call (or have access) to the owner of the ASA doing the NATing. I beat this to death for weeks because I wanted to know what the solution would be in a real-life application. I got the VPN to finally connect by creating a NAT statement on the ASA and continued studying....
Well, today I have what I think is a similar situation, but a NAT statement is not solving it. I am trying to connect with the company's choice of VPN from my house, with the above-mentioned setup. The VPN works if I use my cell phone as a hotspot, and it works on the job's Wi-Fi connection, so my configuration as far as the client is concerned works. This is not a site-to-site. I am using a client on a laptop, usually the client that comes native on Ubuntu or CentOS. Soooo, I toyed with the NAT statements and various orderings of the statements.
-The ISAKMP packets go through fine in both directions and the tunnel gets formed.
-I can send data encrypted out of the laptop/ASA (tcpdump/capture statement)
-I can see data come back to the ASA in response (capture statement)
...but that's where it ends. I can't tell if the NAT is dropping it, or the ACLs are dropping it.
All I know is that return traffic is not leaving the ASA towards the "inside".
I did eliminate the router and connect the laptop straight to the ASA.
It is kind of hard to just turn off a bunch of stuff because it is my actual live edge device for my home. I was convinced it had to be a problem with the NAT statements because of the aforementioned lab encounter. But I'm not so sure now since after "toying" with them, I got this far and hit a wall.
I think the VPN/remote device is the old Cisco concentrator (at least I was told it was old, if that helps).
Any random ideas?
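The post's open question is whether NAT or an ACL is eating the return traffic. The ASA can answer that itself: the accelerated security path records a reason for every drop, and packet-tracer replays a synthetic packet through the whole ACL/NAT/inspection pipeline and names the stage that discards it. The commands below are an added troubleshooting example, not part of the original post and not a quote of any Cisco document. The interface names (outside, inside), the ASA's outside address 203.0.113.5, the laptop's address 192.168.1.20 and the concentrator's address 198.51.100.10 are all assumptions (RFC 5737 documentation ranges); substitute the real ones. Captures and packet-tracer are read-only, so they are safe to run on a live edge device.

```cisco
! Added example (not from the original post). Assumed names and addresses:
!   outside interface = outside, inside interface = inside
!   ASA outside address = 203.0.113.5   (assumption)
!   laptop inside address = 192.168.1.20 (assumption)
!   remote VPN concentrator = 198.51.100.10 (assumption)

! 1. Find out what the tunnel is actually carrying once ISAKMP completes.
!    NAT-T wraps ESP in UDP/4500, which PAT can track by port.
!    Raw ESP is IP protocol 50 and has no ports at all.
capture natt-out interface outside match udp any host 198.51.100.10 eq 4500
access-list CAP-ESP extended permit esp any host 198.51.100.10
access-list CAP-ESP extended permit esp host 198.51.100.10 any
capture esp-out interface outside access-list CAP-ESP
show capture natt-out
show capture esp-out

! 2. Record every packet the ASA drops, together with the drop reason.
clear asp drop
capture drops type asp-drop all
show asp drop
show capture drops | include 198.51.100.10

! 3. Replay the return packet through the full processing path.
!    Raw ESP (protocol 50) from the concentrator to the ASA's outside address:
packet-tracer input outside rawip 198.51.100.10 50 203.0.113.5 detailed
!    The same check for NAT-T (UDP/4500) return traffic:
packet-tracer input outside udp 198.51.100.10 4500 203.0.113.5 4500 detailed

! 4. Confirm the laptop actually has a translation and a connection entry
!    that the return traffic could be matched back to.
show nat detail
show xlate local 192.168.1.20
show conn address 192.168.1.20

! 5. Clean up when done; captures hold memory on the device.
no capture natt-out
no capture esp-out
no capture drops
no access-list CAP-ESP extended permit esp any host 198.51.100.10
no access-list CAP-ESP extended permit esp host 198.51.100.10 any
```

Read the output from the end: packet-tracer's last phase states whether the packet was allowed or dropped and which subsystem (access-list, NAT, inspection) made the decision, and each frame in the asp-drop capture is tagged with the same kind of reason, so the NAT-versus-ACL question stops being a guess. Which of the two step-1 captures fills up also matters: if the client is sending raw ESP rather than NAT-T, there is no port for PAT to key on, and the ASA relies on its ipsec-pass-thru inspection, which is only present if `inspect ipsec-pass-thru` is in the service policy (`show service-policy` will list it), to pair the inbound ESP with the outbound ISAKMP exchange. That is a thing to check, not a diagnosis; the captures will show which case applies.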