1495 Views | 0 Helpful | 8 Replies

ASA to 1841 VPN Tunnel

ANDY LEWIS
Level 1

Hello,

I am trying to establish a site-to-site VPN tunnel between 2 offices. One office has a Cisco 1841 and the other a pair of ASA 5510s. I get the tunnel to establish without a problem. The problem is that the traffic going to the 1841 destined for the ASA will not encrypt for this particular tunnel. I get decaps on the session but no encaps. I have reconfigured the tunnel several times but keep getting the same result:

Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 202.41.148.5 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 202.41.148.5
      Desc: (none)
  IKE SA: local 81.218.42.130/500 remote 202.41.148.5/500 Active
          Capabilities:(none) connid:98 lifetime:23:45:02
  IPSEC FLOW: permit ip 192.168.5.0/255.255.255.0 10.0.96.0/255.255.240.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 17 drop 0 life (KB/Sec) 4569995/2704
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4569996/2704

Any suggestions would be greatly appreciated.

Andy
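The session output above is the whole diagnostic clue: 17 packets decrypted inbound, 0 encrypted outbound. As an added example (not part of the original post), the script below parses that style of "show crypto session detail" output per IPsec flow and flags flows whose counters only move in one direction. The sample text is constructed; it mirrors the flow from the question with documentation addresses for the peers, plus a second healthy flow for contrast.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample modelled on the output quoted in the question.
# Peer/local addresses are RFC 5737 documentation addresses, not the poster's.
SAMPLE_OUTPUT = """\
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 203.0.113.5 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 203.0.113.5
      Desc: (none)
  IKE SA: local 198.51.100.130/500 remote 203.0.113.5/500 Active
          Capabilities:(none) connid:98 lifetime:23:45:02
  IPSEC FLOW: permit ip 192.168.5.0/255.255.255.0 10.0.96.0/255.255.240.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 17 drop 0 life (KB/Sec) 4569995/2704
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4569996/2704
  IPSEC FLOW: permit ip 192.168.5.0/255.255.255.0 172.16.0.0/255.255.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 120 drop 0 life (KB/Sec) 4569995/2704
        Outbound: #pkts enc'ed 98 drop 0 life (KB/Sec) 4569996/2704
"""

FLOW_RE = re.compile(r"IPSEC FLOW: permit (\S+) (\S+)/(\S+) (\S+)/(\S+)")
IN_RE = re.compile(r"Inbound:\s+#pkts dec'ed (\d+) drop (\d+)")
OUT_RE = re.compile(r"Outbound:\s+#pkts enc'ed (\d+) drop (\d+)")


@dataclass
class Flow:
    """One IPsec flow (one crypto ACL entry) with its SA counters."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    decaps: int = 0     # packets decrypted (peer -> us)
    encaps: int = 0     # packets encrypted (us -> peer)
    in_drop: int = 0
    out_drop: int = 0


def parse_crypto_session(text):
    """Return the flows found in 'show crypto session detail' style output."""
    flows, current = [], None
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            # IOS prints address/netmask; ipaddress accepts that form directly.
            current = Flow(src=ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"),
                           dst=ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}"))
            flows.append(current)
            continue
        if current is None:
            continue
        m = IN_RE.search(line)
        if m:
            current.decaps, current.in_drop = int(m.group(1)), int(m.group(2))
            continue
        m = OUT_RE.search(line)
        if m:
            current.encaps, current.out_drop = int(m.group(1)), int(m.group(2))
    return flows


def diagnose(flow):
    """Classify a flow by which direction its counters move."""
    if flow.decaps and not flow.encaps:
        return "no-encaps"   # peer's traffic arrives, nothing local enters the tunnel
    if flow.encaps and not flow.decaps:
        return "no-decaps"   # we send, nothing comes back
    if not flow.encaps and not flow.decaps:
        return "idle"
    return "ok"


def one_way_flows(flows):
    """Flows where exactly one direction carries traffic."""
    return [f for f in flows if diagnose(f) in ("no-encaps", "no-decaps")]


if __name__ == "__main__":
    for f in parse_crypto_session(SAMPLE_OUTPUT):
        print(f"{f.src} -> {f.dst}: dec {f.decaps} enc {f.encaps} [{diagnose(f)}]")
```

A "no-encaps" result points at the local router rather than the peer: the SA is up and the peer's packets are being decrypted, so the return traffic is leaving the router without ever being matched into the tunnel, which is exactly the NAT and routing territory the replies below go through.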

1 Accepted Solution (quoted in full in the thread below)

8 Replies

Todd Pula
Level 7

I would start by looking into your routing, NAT, and ACL configurations.  Is this router in the default routed path for the hosts that you are trying to reach via the tunnel?  If not, you may need to add static routes or configure RRI and a routing protocol in order to resolve.  If the return traffic is getting to the router, ensure that it is not being blocked by an input ACL.  Also make sure that the return traffic is being exempt from any NAT policies that you may have.

I copied the same config that I made for another tunnel that is working. This router serves as the DG for all machines. There are no inbound ACLs that would affect this traffic. I am even getting hits on the configured access-list that the traffic needs to match. When I run a trace from a machine, it hits the router and then goes outside without encrypting. When I run a trace from the same machine to another location, it encrypts and travels over the tunnel.

I don't even know what other debugs to run beside debug crypto ipsec and debug crypto isakmp that would help.

Can you post your configuration for me to review?

I attached the config.

Thanks,

Andy

Your ACL 100 is not exempting the 192.168.5.0->10.0.96.0 traffic from the NAT process.  Please add the line below above the permit statement and then test again.

access-list 100 deny ip 192.168.5.0 0.0.0.255 10.0.96.0 0.0.15.255

That was it! What is confusing is that I don't see where that access-list is applied to.

Thanks for your help,

Andy

Your outbound NAT (PAT) configuration:

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload

Route-map SDM_RMAP_1 is associated with ACL100:

route-map SDM_RMAP_1 permit 1
match ip address 100

Traffic that is denied in ACL100 will be exempt from NAT while traffic that is permitted will be processed using PAT based on the overload keyword above.

Try this please!

access-list 100 deny ip 192.168.5.0 0.0.0.255 10.0.96.0 0.0.15.255

Thanks

Manish
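The accepted solution and the explanation above describe the same mechanism: the NAT route-map points at ACL 100, a deny in that ACL exempts traffic from PAT, and the deny has to sit above the permit because the first matching entry wins. As an added example (not the poster's config or any Cisco tool), the script below parses a constructed IOS fragment, compares every crypto-map "interesting traffic" entry against the NAT ACL in order, and reports any VPN flow that the NAT ACL would still translate; it then builds the deny line and inserts it above the permit. The fragment reproduces the route-map, NAT statement and ACL 100 behaviour quoted in the thread; the crypto ACL number 110 and map name SDM_CMAP_1 are assumptions, since the thread does not show them.

```python
import ipaddress
from dataclasses import dataclass

# Constructed config fragment. ACL 110 / SDM_CMAP_1 are assumed names;
# the NAT statement, route-map and ACL 100 follow the thread.
CONFIG_BEFORE = """\
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
route-map SDM_RMAP_1 permit 1
 match ip address 100
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
crypto map SDM_CMAP_1 1 ipsec-isakmp
 match address 110
access-list 110 permit ip 192.168.5.0 0.0.0.255 10.0.96.0 0.0.15.255
"""


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _take_net(tokens):
    """Consume one ACL address spec (any | host A | A WILDCARD) and return a network."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    netmask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.ip_network(f"{t}/{netmask}", strict=False)


def parse_config(text):
    """Collect numbered ACLs, the NAT route-map's ACL, and crypto-map match ACLs."""
    acls, rmap_acl, crypto_acls = {}, {}, []
    nat_rmap = current_rmap = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        line = " ".join(tokens)
        if line.startswith("access-list") and tokens[3] == "ip":
            rest = tokens[4:]
            acls.setdefault(tokens[1], []).append(Ace(tokens[2], _take_net(rest), _take_net(rest)))
        elif line.startswith("ip nat inside source route-map"):
            nat_rmap = tokens[5]
        elif line.startswith("route-map"):
            current_rmap = tokens[1]
        elif line.startswith("crypto map"):
            current_rmap = None
        elif line.startswith("match ip address") and current_rmap:
            rmap_acl[current_rmap] = tokens[3]
        elif line.startswith("match address"):
            crypto_acls.append(tokens[2])
    return {"acls": acls, "nat_acl": rmap_acl.get(nat_rmap), "crypto_acls": crypto_acls}


def first_match(acl, src, dst):
    """First ACE that fully covers src->dst, or None for the implicit deny (= no NAT)."""
    for ace in acl:
        if src.subnet_of(ace.src) and dst.subnet_of(ace.dst):
            return ace
    return None


def nat_exemption_gaps(config_text):
    """VPN flows (crypto ACL permits) that the NAT ACL would still translate."""
    cfg = parse_config(config_text)
    nat_acl = cfg["acls"].get(cfg["nat_acl"], [])
    gaps = []
    for num in cfg["crypto_acls"]:
        for ace in cfg["acls"].get(num, []):
            if ace.action != "permit":
                continue
            hit = first_match(nat_acl, ace.src, ace.dst)
            if hit is not None and hit.action == "permit":
                gaps.append((num, ace.src, ace.dst))
    return gaps


def exemption_line(nat_acl_num, src, dst):
    """Build the deny ACE that exempts src->dst from NAT (hostmask is the wildcard)."""
    return (f"access-list {nat_acl_num} deny ip "
            f"{src.network_address} {src.hostmask} {dst.network_address} {dst.hostmask}")


def add_exemption(config_text, nat_acl_num, src, dst):
    """Insert the deny above the NAT ACL's first entry, since the first match wins."""
    lines = config_text.splitlines()
    new = exemption_line(nat_acl_num, src, dst)
    for i, line in enumerate(lines):
        if line.startswith(f"access-list {nat_acl_num} "):
            lines.insert(i, new)
            break
    else:
        lines.append(new)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for num, src, dst in nat_exemption_gaps(CONFIG_BEFORE):
        print(f"crypto ACL {num}: {src} -> {dst} is NATted; add:")
        print("  " + exemption_line("100", src, dst))
```

On the constructed fragment the report names the single gap and produces the same deny line the accepted solution gives; once that line is inserted above the permit, the check comes back clean. The subset test is deliberately strict: a flow only partly covered by a NAT permit would not be reported as fully exempt, which is the safe direction for this kind of audit.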
