
I had an existing setup with a 5515-X serving as my firewall and VPN, which worked fine. Since moving to a new location, and thus a new outside interface IP, I can successfully connect to the VPN, but nothing is visible to the VPN client (i.e., cannot reach anything inside the network). I suspected that UDP 500 might be blocked, but the ISP insists that it is not. (The ISP is managing a Cisco 3900 to bring internet in.) There are no appliances between the 3900 and the ASA. I should just be able to change the outside interface's address, and it should plug and play.

Any ideas why the setup is not working?

EDIT: I can now reach the inside interface of the ASA via Telnet, and I can connect to it, but I cannot see anything else on the network. The VPN allocates me an IP address, and I stay connected. Something is amiss with the VPN configuration, even though nothing has changed with it (except the outside IP address).

Dave

2 Answers


You need UDP 500 and 4500 available to your Cisco ASA.

If you have ASDM access, you can check the logging of your connection while attempting a VPN. But this is a case of troubleshooting that the ISP should be involved in. Please also be sure that the network you're connecting from allows the VPN connection.

  • Try from a different location.
  • Work closer with the ISP support and get them to contribute their logs.
  • Verify that your ASA setup and NAT rules are still appropriate following your move.
ewwhite
ISP says UDP 500 and 4500 are opened. I can connect to the VPN offsite, and I can ping the ASA's inside interface. The VPN connection also allocates an IP address to the connecting device. However, nothing on the network inside the ASA is visible. No switches/routers/servers are pingable. No RDP connections are available. No SQL connections. Nothing. I'm in the process of obtaining logs for better traffic analysis. – Dave Mar 11 '16 at 16:04
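The checks in the answer above (tunnel state, logging, and whether the NAT rules still fit after the move) can be run from the ASA CLI. The following is an added example, not from the original post or either poster's device; the interface names come from the question, while the inside host (10.0.0.20) and the client pool address (192.168.10.5) are assumed values for illustration.

```cisco
! Added example: ASA verification commands for a remote-access VPN that
! connects but reaches nothing inside. Addresses are assumed values.
!
! 1. Confirm the tunnel is actually up in both phases (IKEv1 phase 1, IPsec).
show crypto ikev1 sa
show crypto ipsec sa
!
! 2. Confirm the client session exists and which pool address it was given.
!    (The per-protocol keyword after "vpn-sessiondb" varies by ASA release.)
show vpn-sessiondb
!
! 3. List NAT rules in evaluation order with hit counts. Traffic from the
!    inside hosts to the client pool must hit an identity (NAT-exempt) rule
!    before any dynamic PAT rule; if only the PAT rule shows hits, the
!    exemption is missing or ordered after it.
show nat
show running-config nat
!
! 4. Simulate a reply from an inside host (assumed 10.0.0.20) to a connected
!    client (assumed 192.168.10.5) and read the NAT and VPN phases of the
!    output; a drop or an unexpected translation in the NAT phase points at
!    the missing exemption rather than at the ISP.
packet-tracer input inside icmp 10.0.0.20 8 0 192.168.10.5 detailed
!
! 5. Make the failure visible in ASDM / the syslog buffer while reproducing it.
logging enable
logging asdm informational
show logging | include 192.168.10.5
```

packet-tracer is the quickest way to separate a transport problem (UDP 500/4500 blocked upstream) from a policy problem on the ASA itself: if the tunnel is up and the session holds a pool address, an upstream block is already ruled out, and the trace shows which NAT or access rule the inside-to-client traffic is hitting.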

Solution Found:

For some reason, we found that there were no NAT rules configured for the VPN ACL. I added the following to the config:

nat (inside,outside) 1 source static SPLIT-ACL-VPN SPLIT-ACL-VPN destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup

We can now access the network resources as expected.

Dave
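To show where that single NAT line fits, here is a minimal ASA (8.3 or later) configuration fragment around it. This is an added example and not the poster's configuration: the object and group names other than the two in the answer, the inside subnet 10.0.0.0/24, the pool range, and the group-policy and tunnel-group names are assumptions; 192.168.10.0/24 is taken from the answer as the VPN client pool.

```cisco
! Added example: NAT exemption for an IPsec remote-access pool on an ASA.
! Names and addresses other than those in the answer are assumed.
!
! Inside network(s) reachable over the tunnel. Despite its name, the
! "SPLIT-ACL-VPN" operand of a nat command must be a network object or
! object-group, not an access-list.
object network INSIDE-LAN
 subnet 10.0.0.0 255.255.255.0
object-group network SPLIT-ACL-VPN
 network-object object INSIDE-LAN
!
! Address pool handed to VPN clients (assumed range inside 192.168.10.0/24).
object network NETWORK_OBJ_192.168.10.0_24
 subnet 192.168.10.0 255.255.255.0
ip local pool VPN-POOL 192.168.10.10-192.168.10.250 mask 255.255.255.0
!
! WEAK STATE (what the answer describes): only a dynamic PAT rule exists.
! Replies from inside hosts to a VPN client match it, are translated to the
! outside interface address, and never enter the tunnel, so the client can
! reach the ASA itself but nothing behind it.
object network INSIDE-LAN
 nat (inside,outside) dynamic interface
!
! FIX: an identity ("NAT exempt") twice-NAT rule in section 1, which the ASA
! evaluates before the object NAT above. Source and destination map to
! themselves; no-proxy-arp stops the ASA answering ARP for inside hosts and
! route-lookup makes it forward by the routing table rather than the
! mapped interface.
nat (inside,outside) 1 source static SPLIT-ACL-VPN SPLIT-ACL-VPN destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup
!
! Split tunnel: only INSIDE-LAN is sent through the tunnel; everything else
! leaves the client directly.
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0
group-policy VPN-GP internal
group-policy VPN-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
tunnel-group VPN-TG general-attributes
 address-pool VPN-POOL
 default-group-policy VPN-GP
```

The ordering is the point: twice-NAT rules in section 1 are matched before object (auto) NAT, so the exemption above takes precedence over the PAT rule even though both match the same inside source. After adding it, `show nat` should report hits on the exemption line for inside-to-pool traffic and none on the PAT line for that flow.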