Cisco Remote Client VPN - Cannot connect to resources

I have a user trying to access our central resources using a Cisco Remote VPN client.

The client is connecting to a PIX515E

The VPN connects successfully and I can see the connection on the PIX, but the remote user cannot access the devices behind my PIX.

If I do a "sh crypto ipsec sa" I can see his connection listed but it shows only outbound traffic and nothing inbound. My other users on the same client to the same box are currently working with no problems.

Any ideas what the problem might be, or how I can further diagnose it?


   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.254.1/255.255.255.255/0/0)
   current_peer: xx.xx.xx.xx:60243
   dynamic allocated peer ip: 192.168.254.1

     PERMIT, flags={}
    #pkts encaps: 67, #pkts encrypt: 67, #pkts digest 67
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: yy.yy.yy.yy, remote crypto endpt.: xx.xx.xx.xx
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 1b1501b9

     inbound esp sas:
      spi: 0x78734a2f(2020821551)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 54, crypto map: intamap
        sa timing: remaining key lifetime (k/sec): (4608000/27335)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x1b1501b9(454361529)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 53, crypto map: intamap
        sa timing: remaining key lifetime (k/sec): (4607997/27335)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:





Asked: ccfcfc

ccfcfc (Author) commented:
Additional info.....

I notice the following line in the above IPSec info.

current_peer: xx.xx.xx.xx:60243

On all of my other remote clients that are currently connected and working, this line is shown as using port 500. I'm guessing that may be part of the issue?

ccfcfc (Author) commented:
Sorted.

I didn't have NAT traversal enabled.
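
The pattern seen in this thread (encaps counting up, decaps at zero, and a peer port other than 500) can be checked across every connected client at once. The following is an added example, not part of the original thread; the sample output and its addresses are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the format of the "sh crypto ipsec sa" output quoted
# in the question; addresses are documentation-range placeholders.
SAMPLE = """\
   remote ident (addr/mask/prot/port): (192.168.254.1/255.255.255.255/0/0)
   current_peer: 203.0.113.10:60243
    #pkts encaps: 67, #pkts encrypt: 67, #pkts digest 67
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
   remote ident (addr/mask/prot/port): (192.168.254.2/255.255.255.255/0/0)
   current_peer: 198.51.100.7:500
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest 120
    #pkts decaps: 98, #pkts decrypt: 98, #pkts verify 98
"""

PEER = re.compile(r"current_peer:\s*(\S+):(\d+)")
ENCAPS = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS = re.compile(r"#pkts decaps:\s*(\d+)")

def parse_sas(text):
    """Return one dict per current_peer block: peer, port, encaps, decaps."""
    sas = []
    for line in text.splitlines():
        if m := PEER.search(line):
            sas.append({"peer": m.group(1), "port": int(m.group(2)),
                        "encaps": 0, "decaps": 0})
        elif sas and (m := ENCAPS.search(line)):
            sas[-1]["encaps"] = int(m.group(1))
        elif sas and (m := DECAPS.search(line)):
            sas[-1]["decaps"] = int(m.group(1))
    return sas

def suspect_nat(sa):
    """Heuristic taken from the thread: the PIX sends but receives nothing,
    and the peer's port is not 500, as it is for the working clients."""
    one_way = sa["encaps"] > 0 and sa["decaps"] == 0
    return one_way and sa["port"] != 500

def report(text):
    """List (peer, port) for every SA matching the thread's symptom."""
    return [(sa["peer"], sa["port"]) for sa in parse_sas(text) if suspect_nat(sa)]

if __name__ == "__main__":
    for peer, port in report(SAMPLE):
        print(f"{peer}:{port}: no inbound packets; check whether NAT traversal is enabled")
```
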