[vpn-help] Shrew / ASA problem passing traffic after tunnel enabled

John Walker john at jsw4.net
Sun May 23 09:11:29 CDT 2010


I have used the instructions here
(http://www.shrew.net/support/wiki/HowtoCiscoAsa) to connect the shrew
client to an ASA. I attempt to connect using the client and it appears
to connect to the VPN gateway. The Shrew client shows me these messages:

config loaded for site 'newmgmtvpn'
configuring client settings ...
     ...
bringing up tunnel ...
network device configured
tunnel enabled

However, I cannot access hosts inside the ASA as expected. From what I
can tell, it appears that traffic is not routing correctly to and from
the ASA via the tunnel. I think the problem is in the ASA configuration,
so I include the relevant portions (I think).

I hope someone can point out my error.

Thank you,
John

General:
Shrew Client : 2.1.5
OS: Windows 7
ASA 5505 : ASA 7.2(4)
Outside network : 192.168.99.0/24
Inside network : 192.168.33.0/24
VPNhostsubnet : (network-object) 192.167.66.0/24


access-list NAT0VPN extended permit ip object-group VPNhostsubnet any 
access-list JSW4MNGMNT_splitTunnelAcl standard permit any

ip local pool VPNhostpool 192.168.66.1-192.168.66.10 mask 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list NAT0VPN
nat (inside) 1 192.168.33.0 255.255.255.0
nat (outside) 0 access-list NAT0VPN
static (inside,outside) ...
static (inside,outside) ...

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  10

group-policy JSW4MNGMNT internal
group-policy JSW4MNGMNT attributes
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value JSW4MNGMNT_splitTunnelAcl

username john password [removed] encrypted privilege 0
username john attributes
 vpn-group-policy JSW4MNGMNT

tunnel-group JSW4MNGMNT type ipsec-ra
tunnel-group JSW4MNGMNT general-attributes
 address-pool VPNhostpool
 default-group-policy JSW4MNGMNT
tunnel-group JSW4MNGMNT ipsec-attributes
 pre-shared-key *
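One thing worth checking in a setup like this is whether the addresses handed out by the client pool actually fall inside the networks that the NAT-exemption ACL refers to; if they do not, client traffic gets translated by the `nat (inside) 1` rule instead of being exempted. The script below is an added example written for this post, not part of the post or of the Shrew Soft project. It embeds a constructed copy of the relevant lines, with the `object-group network VPNhostsubnet` block written out from the "VPNhostsubnet : (network-object) 192.167.66.0/24" summary above (the post does not show that block itself), and reports for each pool whether a NAT-exempt network covers it.

```python
import ipaddress
import re

# Constructed sample: the relevant lines from the post. The object-group block is
# reconstructed from the summary line in the post, since the block itself is not shown.
SAMPLE_CONFIG = """\
object-group network VPNhostsubnet
 network-object 192.167.66.0 255.255.255.0
access-list NAT0VPN extended permit ip object-group VPNhostsubnet any
ip local pool VPNhostpool 192.168.66.1-192.168.66.10 mask 255.255.255.0
nat (inside) 0 access-list NAT0VPN
nat (inside) 1 192.168.33.0 255.255.255.0
nat (outside) 0 access-list NAT0VPN
tunnel-group JSW4MNGMNT general-attributes
 address-pool VPNhostpool
"""


def parse_object_groups(config):
    """Return {group_name: [IPv4Network, ...]} for 'object-group network' blocks."""
    groups = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        m = re.match(r"\s+network-object (\S+) (\S+)", line)
        if m and current:
            # ipaddress accepts a dotted netmask after the slash
            groups[current].append(
                ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
        elif current and not line.startswith(" "):
            current = None  # left the indented block
    return groups


def parse_pools(config):
    """Return {pool_name: (first_ip, last_ip)} for 'ip local pool' lines."""
    pools = {}
    for m in re.finditer(r"ip local pool (\S+) (\S+)-(\S+)", config):
        pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                             ipaddress.ip_address(m.group(3)))
    return pools


def nat_exempt_networks(config):
    """Networks referenced (via object-group) by ACLs bound to 'nat (...) 0 access-list'."""
    acl_names = set(re.findall(r"nat \((?:inside|outside)\) 0 access-list (\S+)", config))
    groups = parse_object_groups(config)
    nets = []
    for m in re.finditer(r"access-list (\S+) extended permit ip object-group (\S+)", config):
        if m.group(1) in acl_names:
            nets.extend(groups.get(m.group(2), []))
    return nets


def check_pools_exempted(config):
    """For each address pool, True if some NAT-exempt network covers the whole range."""
    exempt = nat_exempt_networks(config)
    results = {}
    for name, (first, last) in parse_pools(config).items():
        results[name] = any(first in n and last in n for n in exempt)
    return results


if __name__ == "__main__":
    for pool, ok in check_pools_exempted(SAMPLE_CONFIG).items():
        print(f"{pool}: {'covered by NAT exemption' if ok else 'NOT covered by NAT exemption'}")
```

Run against a full `show running-config` by reading the file into `SAMPLE_CONFIG`'s place; the parser only looks at `object-group network`, `ip local pool`, `nat ... 0 access-list` and `access-list ... extended permit ip object-group` lines, so ACL entries written with literal subnets or `any` on the source side are not considered and must be reviewed by hand.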
