ASA to Concentrator L2L not receiving data back

Jun 7th, 2007

I have a new ASA 5520 running 7.2 that has a tunnel to a Concentrator 3030. The tunnel comes up fine, but I only see data being transmitted from the ASA and not received. The concentrator shows both received and transmitted data. The data is originating from the ASA.


The topology for the ASA is very simple: Internet -> ASA -> Private network.


The tunnel comes up right away and sends traffic, but I don't even see it come back on the outside interface.

jaffer_sathik2010 Fri, 06/08/2007 - 02:16

Please check if your ASA contains the following command.

sysopt connection permit-ipsec.


If the problem still exists, post the config file of ASA if possible.


--Jaffer

ggilbert Fri, 06/08/2007 - 05:54
(Cisco Employee)

As Jaffer said,


Check that and also make sure you have NAT exempt configured properly.


Thanks

Gilbert

bcon8ive32 Fri, 06/08/2007 - 11:57

OK. I found my problem. Since I couldn't use my private IPs on the other side of the tunnel, I couldn't use NAT exempt.


I had to set up static NATs for my private IPs to a dedicated public IP. I then set up an ACL that used those public IPs as interesting traffic for the tunnel. I had the vendor change his interesting traffic from my outside interface to the new public IPs. Since the tunnel had to be bi-directional I had to set up a separate public for each private, but I'm going to change that in the future to be a one-way initiated tunnel so that I can policy NAT the privates to one public.


Thanks for all your help.

bcon8ive32 Fri, 06/08/2007 - 10:16

I had to cut some of the config out, but here it is. I think the problem may be that I don't have the NATing for it set up correctly.


I cannot exempt the traffic because it overlaps with the private network on the other side of the tunnel. So we removed the exempt rule and it sends the traffic through the tunnel, but I'm not seeing it come back. The other side sees the traffic come in and leave. I believe the private address is being PAT'd using the outside interface.



Attachment: 
acomiskey Fri, 06/08/2007 - 12:14
(Green, 3000 points or more)

So from your inside, you are attempting to hit 4.4.6.1 and 4.4.5.1? If so, the far end would also have to NOT nat exempt.


Not sure about this but you may want to add crypto isakmp nat-traversal. Also, are you running "no sysopt conn permit-vpn"?


bcon8ive32 Fri, 06/08/2007 - 12:39

Your assumption is correct. I found my problem and documented it in another reply.


Basically what I had done was remove the NAT exempt because the other side can only tunnel with public IPs.


What I didn't do was create a static NAT for my private IPs. So I created two static NATs for the two private IPs that need to use the tunnel. I then changed my interesting traffic to the two public IPs in the NAT statements. The other side then had to change its interesting traffic to my new public IPs and it started working.


Since the tunnel needs to be bi-directional I am currently stuck with adding a static NAT for each device that needs to use the tunnel. I'm looking into fixing the app so that it can be a one-way tunnel and I can policy NAT multiple private IPs to one public IP. Not sure if this will ever happen.


Thanks for the help.
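The fix bcon8ive32 describes, and the policy-NAT variant he plans for a one-way tunnel, written out as an added example in pre-8.3 ASA 7.2 syntax. This is not the poster's attached config: the addresses (10.1.1.0/24 inside, 192.0.2.0/24 behind the Concentrator, 203.0.113.x as the public IPs reserved for the tunnel, 198.51.100.1 as the peer) and the object names are assumptions, and the ISAKMP policy and tunnel-group, which were already working for the poster, are left out.

```cisco
! Added example, not from the original thread. Addressing is assumed:
!   inside hosts that must use the tunnel: 10.1.1.10 and 10.1.1.11
!   vendor network behind the Concentrator: 192.0.2.0/24 (overlaps ours, so no exemption)
!   our public IPs reserved for the tunnel: 203.0.113.10, 203.0.113.11, 203.0.113.20
!   IKE peer (Concentrator outside): 198.51.100.1
!
! --- Option A: bidirectional tunnel, one static NAT per inside host ---
! Make sure no "nat (inside) 0 access-list ..." entry still covers
! 10.1.1.10/11 -> 192.0.2.0/24: exemption is evaluated before static NAT,
! so a leftover exempt line wins and the packets leave untranslated.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 10.1.1.11 netmask 255.255.255.255
!
! Interesting traffic is matched after translation, so the crypto ACL names
! the public addresses. The peer's crypto ACL must be the exact mirror image.
access-list VENDOR-L2L extended permit ip host 203.0.113.10 192.0.2.0 255.255.255.0
access-list VENDOR-L2L extended permit ip host 203.0.113.11 192.0.2.0 255.255.255.0
!
! --- Option B: ASA-initiated only, many inside hosts PAT'd to one public IP ---
! Policy NAT (nat id 2) translates only when the destination is the vendor
! network; normal Internet traffic keeps using nat (inside) 1 / global 1.
! Use these three lines instead of the two static lines above.
access-list VENDOR-PNAT extended permit ip 10.1.1.0 255.255.255.0 192.0.2.0 255.255.255.0
nat (inside) 2 access-list VENDOR-PNAT
global (outside) 2 203.0.113.20
! and the crypto ACL shrinks to a single entry:
! access-list VENDOR-L2L extended permit ip host 203.0.113.20 192.0.2.0 255.255.255.0
!
! --- Common to both options ---
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VENDOR-L2L
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
! Let decrypted tunnel traffic bypass the outside interface ACL
! (7.2 keyword; 7.0 spelled it permit-ipsec).
sysopt connection permit-vpn
!
! --- Verification ---
! show xlate | include 10.1.1.10          -> expect a 203.0.113.10 translation
! show crypto ipsec sa peer 198.51.100.1  -> "#pkts encaps" and "#pkts decaps"
!    should both climb; encaps rising with decaps stuck at 0 is the symptom
!    in this thread and means the peer is encrypting to an address that does
!    not match what this side sends.
```

Two caveats worth keeping in mind with Option A. The one-to-one static maps every port of 203.0.113.10 to the inside host, so the outside interface ACL must not be allowed to permit that address from the Internet, and because `sysopt connection permit-vpn` bypasses the interface ACL for decrypted traffic, anything on the vendor's 192.0.2.0/24 can reach the host on any port; narrowing the crypto ACL to the ports actually needed, or applying a `vpn-filter` in the tunnel's group-policy, closes that. Option B removes the inbound exposure entirely, since a PAT address only carries return traffic for connections the inside hosts opened, which is why it only works for a tunnel the ASA side always initiates.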

acomiskey Fri, 06/08/2007 - 12:48
(Green, 3000 points or more)

Good to know, I wonder why it didn't work with PAT?
