For me it worked without Meetinghouse. Can you try enabling it on the physical interface and see if it's working?

Before that, on the Windows command prompt, type "net start" and see if CTA is running.

With regards
Kings

On Wed, Aug 10, 2011 at 8:20 PM, Louis van Zyl - Business Connexion <[email protected]> wrote:

> Hi Kingsley
>
> Yes I did have a split-acl, I changed that now to tunnelall. But I'm seeing
> the same. The packet capture on my VPN interface shows traffic from the ASA
> to my VPN assigned IP on udp 21862 but the PC isn't responding.
>
> Should the Meetinghouse client be enabled on 1. the VPN adapter, and 2. on
> the LAN adapter?
>
> Louis
>
> *From:* Kingsley Charles [mailto:[email protected]]
> *Sent:* 10 August 2011 03:53 PM
> *To:* Louis van Zyl - Business Connexion
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] NAC - ASA EZVPN client config
>
> I guess you are using split acl. If yes, you need to tune the split acl to
> allow specific traffic from the client in order for the ASA to detect the
> CTA. Else configure the ASA for full tunneling, and you can see that NAC is
> working.
>
> To confirm that, run Wireshark on the VPN interface of the client and you
> can see that the client is replying to the NAC requests from ASA. Remember
> that you can run Wireshark on the VPN interface only when the tunnel is up.
>
> The reason is that with split tunneling, the client response to the NAC response
> may not be going in the tunnel. You need to make it go through the tunnel.
>
> Mostly the split tunnel should have an extra ACE permitting traffic to the ASA
> outside interface on which you have enabled crypto map.
>
> With regards
> Kings
>
> On Wed, Aug 10, 2011 at 6:42 PM, Louis van Zyl - Business Connexion <
> [email protected]> wrote:
>
> Hi
>
> I'm testing NAC over EZVPN on an ASA.
>
> My problem is that my XP client keeps on saying that it doesn't have the
> CTA installed. I have read a few other threads about this as well but still
> no luck.
>
> I've installed the ACS's cert in the root store on XP using ctacert.exe
>
> I've tried enabling the Meetinghouse client on the VPN adapter, and also
> with it disabled.
>
> I've tried with CTA without the 802.1x supplicant as well.
>
> My PRE_NAC ACL has permit ip any any
>
> My ASA's outside interface has permit any any
>
> Any further suggestions?
>
> This e-mail and its contents are subject to the Business Connexion (Pty)
> Ltd. E-mail legal notice
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
