Traffic doesn't go through the VPN tunnel

Unanswered Question
Sep 24th, 2010

Hi Everyone,


I have 2 locations that have separate VPN tunnels to the client. There is also a tunnel between our locations (A & B):

- Location A has a working tunnel to the client and everything is fine there.


- Location B has a tunnel created to the client, but traffic doesn't go through the tunnel. I have confirmation from the client that they see my traffic but it comes across as clear text. I duplicated the settings from location A, but have had no luck.


- The client wants to see the traffic as our outside IP, which is confirmed to be working.


I would really appreciate it if you could point me in the right direction.


Please see parts of the config file attached.


Thank you.

mvsheik123 Fri, 09/24/2010 - 10:46

Hi,


I guess this is the config for Location B (192.168.56.0/24 - EC network). If so, the statement below needs to be changed:


access-list Inside_nat0_outbound extended permit ip any EC-network 255.255.255.0


access-list Inside_nat0_outbound extended permit ip EC-network 255.255.255.0 any 



Thanks

MS

straightforward Fri, 09/24/2010 - 10:54

Hi MS,


Thank you for reply.


When I make the changes you suggested, the tunnel is not coming up. Any ideas?


(I reverted back for now).

mvsheik123 Fri, 09/24/2010 - 11:11

Hello,


If traffic is originating from the EC network, then the ACL in the "nat (Inside) 0 access-list Inside_nat0_outbound" statement should have the EC network as source, as I mentioned in my first reply. Now, the VPN not coming up will be another issue. I do not see the "Outside_map" ACL in your access-lists. Correct that. Also, access-list Inside_access_in has permit ip any any, so you really do not need that access list (Inside_access_in) at all.


Also make sure your phase 1 & 2 settings and the network address list match on the other end as well.


hth

MS

straightforward Fri, 09/24/2010 - 12:42

I cleaned up and reposted my config.


I didn't insert this line because it kills my Internet on that site:



access-list Inside_nat0_outbound extended permit ip EC-network 255.255.255.0 any



I do have this line there:


access-list Outside_cryptomap extended permit ip EC-network 255.255.255.0 host 24.213.171.170


Is that what you referred to as "Outside_map"?


The more I think about it, it might be related to my current setup. The branch (B) doesn't have any servers. The ASA at location B is set to use DNS servers from location A via the tunnel?


Thank you for help.

mvsheik123 Fri, 09/24/2010 - 13:26

Hi,


Try this..


no access-list Outside_cryptomap_60 extended permit ip host 71.87.1.82 host 24.213.173.170

access-list Outside_cryptomap_60 extended permit ip host 71.87.1.82 host 24.213.174.2


If you still have issues, then revert back and try


no access-list Outside_cryptomap_60 extended permit ip host 71.87.1.82 host 24.213.173.170

access-list Outside_cryptomap_60 extended permit ip EC-network 255.255.255.0 192.168.55.0 255.255.255.0


Your Internet issues can be resolved by changing the below:


no nat (Inside) 50 EC-network 255.255.255.0 tcp 500 200

nat (Inside) 50 EC-network 255.255.255.0

(unless you need the first statement)


Having DNS servers at the other location will not be an issue as long as the tunnel is up; the DNS requests will pass through.


Test with this and post the results. If I missed something, let's wait to hear from the experts.


Thx

MS
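To make the two points raised in the replies above concrete (the nat 0 exemption ACL must list the EC network as the source, and the crypto ACLs on both peers must mirror each other), here is an added Python model of the ASA outbound path. It is not part of the thread and not a Cisco tool. It assumes that "EC-network" is a `name` alias for 192.168.56.0 (as stated earlier in the thread), that Location B's outside address is 71.87.1.82, that every flow not matched by the nat 0 ACL is PAT'd to the outside interface address, and that the crypto ACL is evaluated against the post-NAT source, which is the ASA's order of operations for outbound traffic. The host addresses in the sample flows are constructed.

```python
"""Model of the ASA outbound path the thread is debugging: nat 0 exemption,
PAT to the outside interface, then the crypto-map ACL match.  Added example,
not the poster's configuration; addresses in the sample flows are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network

# Assumed 'name' alias for the Location B LAN (192.168.56.0/24 per the thread).
NAMES = {"EC-network": "192.168.56.0"}


@dataclass(frozen=True)
class Ace:
    """One 'extended permit ip SRC DST' entry of an ASA access-list."""
    src: Net
    dst: Net


def _take(tokens: List[str]) -> Tuple[Net, List[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'ADDR MASK'."""
    if tokens[0] == "any":
        return Net("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return Net(NAMES.get(tokens[1], tokens[1]) + "/32"), tokens[2:]
    addr = NAMES.get(tokens[0], tokens[0])
    return Net(f"{addr}/{tokens[1]}"), tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended permit ip SRC DST' (the forms in the thread)."""
    t = line.split()
    if t[0] != "access-list" or t[2:5] != ["extended", "permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line}")
    src, rest = _take(t[5:])
    dst, _ = _take(rest)
    return Ace(src, dst)


def first_match(acl: List[Ace], src: str, dst: str) -> Optional[Ace]:
    """First-match semantics: the first ACE whose src and dst contain the flow."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return next((a for a in acl if s in a.src and d in a.dst), None)


def outbound_decision(src: str, dst: str, nat0_acl: List[Ace],
                      crypto_acl: List[Ace], outside_ip: str) -> Tuple[str, bool]:
    """Return (source address on the wire, whether the flow enters the tunnel).

    Simplified ASA order of operations: a flow matching the nat 0 ACL keeps
    its address; anything else is PAT'd to the outside interface; the crypto
    ACL is then evaluated against the post-NAT source."""
    exempt = first_match(nat0_acl, src, dst) is not None
    wire_src = src if exempt else outside_ip
    return wire_src, first_match(crypto_acl, wire_src, dst) is not None


def missing_mirrors(local: List[Ace], remote: List[Ace]) -> List[Ace]:
    """Crypto ACLs must be mirror images; return local ACEs the peer does not mirror."""
    remote_pairs = {(a.src, a.dst) for a in remote}
    return [a for a in local if (a.dst, a.src) not in remote_pairs]


if __name__ == "__main__":
    OUTSIDE = "71.87.1.82"
    lan_to_lan = [parse_ace("access-list Outside_cryptomap extended permit ip "
                            "EC-network 255.255.255.0 192.168.55.0 255.255.255.0")]
    exempt_ok = [parse_ace("access-list Inside_nat0_outbound extended permit ip "
                           "EC-network 255.255.255.0 192.168.55.0 255.255.255.0")]
    exempt_reversed = [parse_ace("access-list Inside_nat0_outbound extended permit ip "
                                 "any EC-network 255.255.255.0")]
    # Subnet-to-subnet design: exempt from NAT, then matched by the crypto ACL.
    print(outbound_decision("192.168.56.10", "192.168.55.20", exempt_ok, lan_to_lan, OUTSIDE))
    # Reversed exemption: the flow is PAT'd and never matches, so it leaves in clear text.
    print(outbound_decision("192.168.56.10", "192.168.55.20", exempt_reversed, lan_to_lan, OUTSIDE))

    # Outside-IP design from the thread: the client expects to see 71.87.1.82.
    pub = [parse_ace("access-list Outside_cryptomap_60 extended permit ip "
                     "host 71.87.1.82 host 24.213.174.2")]
    print(outbound_decision("192.168.56.10", "24.213.174.2", [], pub, OUTSIDE))
    # Exempting EC-network -> any defeats that design and removes PAT for Internet flows.
    exempt_any = [parse_ace("access-list Inside_nat0_outbound extended permit ip "
                            "EC-network 255.255.255.0 any")]
    print(outbound_decision("192.168.56.10", "24.213.174.2", exempt_any, pub, OUTSIDE))
    print(outbound_decision("192.168.56.10", "203.0.113.9", exempt_any, pub, OUTSIDE))

    # The peer's crypto ACL must be the mirror of ours.
    peer = [parse_ace("access-list Client_cryptomap extended permit ip "
                      "host 24.213.174.2 host 71.87.1.82")]
    print(missing_mirrors(pub, peer))
```

Run as a script it prints one tuple per scenario: the subnet-to-subnet flow stays at its private address and is encrypted; with the exemption reversed it is PAT'd and leaves in clear text; in the outside-IP design the flow is PAT'd to 71.87.1.82 and matches the host-to-host crypto ACE, while an "EC-network to any" exemption keeps the private source and so misses that ACE (and strips PAT from Internet-bound flows). The last line is empty when the peer's crypto ACL mirrors ours.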

mvsheik123 Fri, 09/24/2010 - 14:52

Post the current configurations for both end devices. This will help in resolving issue.


Thx

MS

straightforward Mon, 09/27/2010 - 08:00

I am afraid to post the other site's config because it has a lot of settings in there that I shouldn't be revealing. Sorry.


I thought about it over the weekend and I think I have to explain the problem better:

- The VPN tunnel is set up in such a way that my traffic is listed on the outside interface as my outside IP. The normal way to do a VPN is to use the local subnet and the inside interface. But the client doesn't want to see my local subnet; he wants to see our outside IP.


So, in order to resolve my issue I need to encrypt any traffic (any to any). I'll try.

straightforward Fri, 10/01/2010 - 11:30

It ended up being a settings issue on both sides. All works now.


Thank you for help.
