Traffic doesn't go through the VPN tunnel

straightforward (Level 1)

Hi Everyone,

I have 2 locations that have separate VPN tunnels to the client. There is also a tunnel between our locations (A & B):

- Location A has a working tunnel to the client and everything is fine there.

- Location B has a tunnel created to the client, but traffic doesn't go through the tunnel. I have a confirmation from the client that they see my traffic, but it comes across as clear text. I duplicated the settings from location A, but have had no luck.

- The client wants to see the traffic as our outside IP, which is confirmed to be working.

I would really appreciate it if you could point me in the right direction.

Please see parts of the config file attached.

Thank you.

9 Replies

mvsheik123 (Level 7)

Hi,

I guess this config is for Location B (192.168.56.0/24 - EC network). If so, the statement below needs to be changed:

access-list Inside_nat0_outbound extended permit ip any EC-network 255.255.255.0

access-list Inside_nat0_outbound extended permit ip EC-network 255.255.255.0 any 

Thanks

MS

Hi MS,

Thank you for reply.

When I make the changes you suggested, the tunnel does not come up. Any ideas?

(I reverted back for now).

Hello,

If traffic is originating from the EC network, then the ACL in the "nat (Inside) 0 access-list Inside_nat0_outbound" statement should have the EC network as source, as I mentioned in my first reply. The VPN not coming up will be another issue. I do not see the "Outside_map" ACL in your access-lists; correct that. Also, access-list Inside_access_in has permit ip any any, so you really do not need that access-list (Inside_access_in) at all.

Also make sure your phase 1 & 2 settings and network address lists match on the other end as well.

hth

MS

I cleaned up and reposted my config.

I didn't insert this line because it kills my Internet on that site:

access-list Inside_nat0_outbound extended permit ip EC-network 255.255.255.0 any

I do have this line there:

access-list Outside_cryptomap extended permit ip EC-network 255.255.255.0 host 24.213.171.170

Is this what you referred to as "Outside_map"?

The more I think about it, it might be related to my current setup. The branch (B) doesn't have any servers. The ASA at location B is set to use DNS servers from location A via the tunnel?

Thank you for help.

Hi,

Try this:

no access-list Outside_cryptomap_60 extended permit ip host 71.87.1.82 host 24.213.173.170

access-list Outside_cryptomap_60 extended permit ip host 71.87.1.82 host 24.213.174.2

If you still have issues, then revert back and try:

no access-list Outside_cryptomap_60 extended permit ip host 71.87.1.82 host 24.213.173.170

access-list Outside_cryptomap_60 extended permit ip EC-network 255.255.255.0 192.168.55.0 255.255.255.0

Your internet issues can be resolved by changing the below:

no nat (Inside) 50 EC-network 255.255.255.0 tcp 500 200

nat (Inside) 50 EC-network 255.255.255.0

(unless you need the first statement)

Having DNS servers at the other location will not be an issue as long as the tunnel is up; the DNS requests will pass through.

Test with this and post the results. If I missed something, let's wait to hear from the experts.

Thx

MS

Sorry, but no luck. I tried all the options.

I'll try to do a reboot over the weekend, as suggested here: http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#trftunpas

Thank you for your help.

(I reposted my current config version).

Post the current configurations for both end devices. This will help in resolving the issue.

Thx

MS

I am afraid to post the other site's config because it has a lot of settings in there that I shouldn't be revealing. Sorry.

I thought about it over the weekend and I think I have to explain the problem better:

- The VPN tunnel is set up so that my traffic is listed on the outside interface as my outside IP. The normal way to do VPN is to use the local subnet and the inside interface. But the client doesn't want to see my local subnet; he wants to see our outside IP.

So, in order to resolve my issue I need to encrypt any traffic (any to any). I'll try.

It ended up being a settings issue on both sides. All works now.

Thank you for help.
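The thread never posts the final working configuration, so as an added example (not the poster's or mvsheik123's config) here is an ASA 8.2-style Location B configuration that puts the two designs discussed above side by side: the usual NAT-exempt design where the client sees the inside subnet, and the design the poster described where the client sees only this site's outside IP. EC-network = 192.168.56.0/24 is taken from the thread; the outside IP, the client host, the client's VPN peer and the pre-shared key are RFC 5737 documentation placeholders, and the interface names Inside/Outside follow the thread's naming.

```cisco
! Added example, not the thread's own config. ASA 8.2-style syntax.
! Assumed values (placeholders): 203.0.113.2 = this ASA's Outside IP,
! 198.51.100.10 = client host we must reach, 198.51.100.1 = client VPN peer.
! From the thread: EC-network = 192.168.56.0/24 behind interface Inside.
name 192.168.56.0 EC-network

! ===== Design 1: client sees the real inside subnet (the "normal" way) =====
! Traffic to the client must stay untranslated, so it is exempted from NAT.
! Keep the destination specific. "permit ip EC-network 255.255.255.0 any"
! exempts internet-bound traffic from PAT as well, which is why that line
! killed internet access at the branch in the thread.
access-list Inside_nat0_outbound extended permit ip EC-network 255.255.255.0 host 198.51.100.10
nat (Inside) 0 access-list Inside_nat0_outbound
! The crypto ACL matches the same untranslated addresses, and the client's
! crypto ACL must be the exact mirror (198.51.100.10 -> 192.168.56.0/24).
access-list Outside_cryptomap extended permit ip EC-network 255.255.255.0 host 198.51.100.10

! ===== Design 2: client sees only this site's Outside IP (poster's case) =====
! Use ONE of the two crypto ACL lines in this file, not both.
! Do NOT NAT-exempt this traffic: let it be PATed to the Outside interface.
nat (Inside) 1 EC-network 255.255.255.0
global (Outside) 1 interface
! On 8.2, outbound NAT happens before the crypto map is evaluated, so the
! crypto ACL must match the post-NAT source, i.e. the Outside IP itself.
! Matching host-to-host is preferable to "any any": an any/any crypto ACL
! would try to push every flow, internet traffic included, into the tunnel.
access-list Outside_cryptomap extended permit ip host 203.0.113.2 host 198.51.100.10
! The client side mirrors this as: permit ip host 198.51.100.10 host 203.0.113.2

! ===== Common IKE / IPsec settings (both designs) =====
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map Outside_map 10 match address Outside_cryptomap
crypto map Outside_map 10 set peer 198.51.100.1
crypto map Outside_map 10 set transform-set ESP-AES-128-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key PLACEHOLDER-SHARED-SECRET

! ===== Verification (exec mode, not part of the config) =====
! Walk a branch host's packet through NAT and the crypto map; the NAT and
! VPN phases of the output show whether it is translated and encrypted:
!   packet-tracer input Inside tcp 192.168.56.10 1025 198.51.100.10 443
! Confirm phase 1 is up and phase 2 SAs exist with the expected identities:
!   show crypto isakmp sa
!   show crypto ipsec sa peer 198.51.100.1
```

The point the thread circles around is that NAT exemption and the crypto ACL have to agree on which address the client is supposed to see: in Design 1 the traffic is exempted from NAT and the crypto ACL names the inside subnet, in Design 2 the traffic is deliberately translated and the crypto ACL names the Outside IP. Mixing the two (exempting the traffic but matching the Outside IP, or the reverse) produces exactly the symptom reported, a tunnel that comes up while the traffic leaves in clear text, and the packet-tracer output shows in which phase the mismatch occurs.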
