Cisco Support Community
Community Member

Traffic between VPN Tunnels

I have a strange problem that I have been fighting.

Site A - internal network 172.31.16.0/24

Site B - Internal Network 172.31.17.0/24

Site C - Internal Network 10.0.0.0 /8

I have vpn tunnels connected from Site A to each site. Sites A & C can talk to each other. I cannot get the traffic from Site B to talk to Site C.

Attached is my config.

The VPN tunnels are up and working.

Any Ideas?

16 REPLIES

Re: Traffic between VPN Tunnels

Since you haven't provided the complete configuration, I would suggest comparing your configuration with the following document and seeing what's missing:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml

Also, in case default routes are not present, make sure both Site B and Site C have the appropriate 'route' statements for the remote side's LAN subnet.

Regards

Farrukh

Community Member

Re: Traffic between VPN Tunnels

Did you happen to sanitize the following command too?

same-security-traffic permit intra-interface

It would be helpful if you did not sanitize the OS version.

Re: Traffic between VPN Tunnels

The same-sec... command is there. It's the first thing I checked :)

Regards

Farrukh

Community Member

Re: Traffic between VPN Tunnels

The main site is running an ASA 5510 on 7.2(3), and the same-security-traffic permit intra-interface command is being utilized. Site C is a business partner, so I don't have access to the config. Based on the troubleshooting so far, the problem is with Site A. Site A can talk to both B and C. It seems like the ASA in Site A is blocking the traffic from traversing the site. The routes are all in place at all 3 sites. The traffic is going to the right places, I just can't get through Site A.

Re: Traffic between VPN Tunnels

You can run the packet-tracer command on Site A to verify the Site B to Site C traffic.

Regards

Farrukh

Community Member

Re: Traffic between VPN Tunnels

Your configuration should look like this:

On site A:

1) Crypto ACL For VPN A to B:

access-list 100 extended permit ip 172.31.16.0 255.255.255.0 172.31.17.0 255.255.255.0

access-list 100 extended permit ip 10.0.0.0 255.0.0.0 172.31.17.0 255.255.255.0

2) Crypto ACL For VPN A to C:

access-list 101 extended permit ip 172.31.16.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list 101 extended permit ip 172.31.17.0 255.255.255.0 10.0.0.0 255.0.0.0

On Site B:

Crypto ACL for VPN to site A:

access-list 201 extended permit ip 172.31.17.0 255.255.255.0 172.31.16.0 255.255.255.0

access-list 201 extended permit ip 172.31.17.0 255.255.255.0 10.0.0.0 255.0.0.0

On Site C:

Crypto ACL for VPN to site A:

access-list 301 extended permit ip 10.0.0.0 255.0.0.0 172.31.16.0 255.255.255.0

access-list 301 extended permit ip 10.0.0.0 255.0.0.0 172.31.17.0 255.255.255.0

Community Member

Re: Traffic between VPN Tunnels

Also change the following:

crypto map outside_map 10 ipsec-isakmp dynamic dynmap

To:

crypto map outside_map 65000 ipsec-isakmp dynamic dynmap

Community Member

Re: Traffic between VPN Tunnels

Thanks for the detailed information. I verified the ACLs on the gear that I can. Waiting to hear back on the other site. It would not let me change the crypto map from 10 to 65000. I am using 10 for the VPN clients. What was the reason for that change?

Community Member

Re: Traffic between VPN Tunnels

10 is the sequence number of the crypto map, and in this case for a dynamic map. By design the dynamic maps should be given much higher sequence numbers than the static maps. I have seen Phase II of static L2L tunnels not working if the sequence number of the static map is greater than the dynamic map's. It should be the other way round for things to work. You may have to delete the crypto map entry for the dynamic map and then put it back with a higher sequence number.

Community Member

Re: Traffic between VPN Tunnels

I was able to move the crypto map to a higher number. It didn't solve the problem. I did run the packet-tracer. When I run it on the outside interface with an IP from both sites, I get a notification that the packet was dropped due to (IPSEC-Spoof) IPSEC Spoof detected. Any ideas why the traffic will not flow in and out of the outside interface between the 2 tunnels?

Cisco Employee

Re: Traffic between VPN Tunnels

Tom,

Can you post the output of "show crypto ipsec sa"? Are you seeing packets encrypt and decrypt?

Based on the configuration from the initial post, I do not see 10.x.x.x to 172.31.17.0 in your NONAT statement.

That is:

access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.31.17.0 255.255.255.0

Can you add this statement and let me know if it works.

Regards,

Arul

*Pls rate all helpful posts*
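Added example (not from the thread, and not Cisco's code): a small Python checker that parses the ASA-style access-list and crypto map lines quoted in the replies above and applies the four checks those replies walk through by hand: the hub's crypto ACL for each spoke also carries the other spoke's subnet, each spoke's crypto ACL mirrors the hub's, the hub's NAT-exemption ACL covers each spoke-to-spoke pair in both directions, and the dynamic crypto-map entry has a higher sequence number than every static entry. The subnets and ACL numbers are the thread's; the sample hub and Site B configs, the hub/spoke layout handed to the checker, the static map sequence numbers 20 and 30, and all function names are constructed for this example.

```python
"""Consistency check for a hub-and-spoke ASA IPsec design (constructed example).

Parses the ASA 7.x-style lines quoted in the thread:
  access-list <name> extended permit ip <src> <mask> <dst> <mask>
  crypto map <map> <seq> ipsec-isakmp dynamic <dynmap>
  crypto map <map> <seq> match address <acl>
and reports what a hub that must hairpin spoke-to-spoke traffic is missing.
"""
import ipaddress
import re

ACL_RE = re.compile(r"access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
CMAP_RE = re.compile(r"crypto\s+map\s+(\S+)\s+(\d+)\s+(.+)$")


def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} from 'extended permit ip' ACEs."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, s, sm, d, dm = m.groups()
            # ipaddress accepts dotted-mask notation such as 10.0.0.0/255.0.0.0
            acls.setdefault(name, []).append((ipaddress.ip_network(f"{s}/{sm}", strict=False),
                                              ipaddress.ip_network(f"{d}/{dm}", strict=False)))
    return acls


def parse_crypto_maps(config):
    """Return {map_name: {'static': {seq, ...}, 'dynamic': {seq, ...}}}."""
    maps = {}
    for line in config.splitlines():
        m = CMAP_RE.match(line.strip())
        if not m:
            continue
        name, seq, rest = m.groups()
        entry = maps.setdefault(name, {"static": set(), "dynamic": set()})
        if rest.startswith("ipsec-isakmp dynamic"):
            entry["dynamic"].add(int(seq))
        elif rest.startswith("match address"):
            entry["static"].add(int(seq))
    return maps


def covers(acl, src, dst):
    """True if some ACE in acl permits src -> dst (by prefix containment)."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in acl)


def check_hub(acls, hub_lan, spokes, nat0_acl):
    """spokes = {site: (crypto_acl_name, spoke_subnet)}; returns a list of findings."""
    findings = []
    for site, (acl_name, net) in spokes.items():
        acl = acls.get(acl_name, [])
        if not covers(acl, hub_lan, net):
            findings.append(f"hub->{site}: ACL {acl_name} lacks {hub_lan} -> {net}")
        for other, (_, onet) in spokes.items():
            if other == site:
                continue
            # Hairpin: the other spoke's subnet must be interesting traffic on this
            # spoke's tunnel, and the pair must be exempt from NAT on the hub.
            if not covers(acl, onet, net):
                findings.append(f"hub->{site}: ACL {acl_name} lacks {onet} -> {net}")
            if not covers(acls.get(nat0_acl, []), onet, net):
                findings.append(f"hub NAT exemption: ACL {nat0_acl} lacks {onet} -> {net}")
    return findings


def check_spoke(spoke_acl, hub_acl_for_spoke):
    """A spoke's crypto ACL must be the mirror (src/dst swapped) of the hub's ACL for it."""
    return [f"spoke: missing mirror {d} -> {s}" for s, d in hub_acl_for_spoke
            if not covers(spoke_acl, d, s)]


def check_crypto_map_order(maps):
    """Dynamic crypto-map entries must sort after every static entry."""
    return [f"crypto map {n}: dynamic seq {min(e['dynamic'])} is not above static seq {max(e['static'])}"
            for n, e in maps.items()
            if e["dynamic"] and e["static"] and min(e["dynamic"]) <= max(e["static"])]


# Constructed sample in the thread's addressing. The hub is missing the NAT-exemption
# ACE for 10.0.0.0/8 -> 172.31.17.0/24 and still has the dynamic map at sequence 10.
HUB_CONFIG = """\
access-list 100 extended permit ip 172.31.16.0 255.255.255.0 172.31.17.0 255.255.255.0
access-list 100 extended permit ip 10.0.0.0 255.0.0.0 172.31.17.0 255.255.255.0
access-list 101 extended permit ip 172.31.16.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list 101 extended permit ip 172.31.17.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 172.31.16.0 255.255.255.0 172.31.17.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.31.16.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 172.31.17.0 255.255.255.0 10.0.0.0 255.0.0.0
crypto map outside_map 10 ipsec-isakmp dynamic dynmap
crypto map outside_map 20 match address 100
crypto map outside_map 30 match address 101
"""
SITE_B_CONFIG = """\
access-list 201 extended permit ip 172.31.17.0 255.255.255.0 172.31.16.0 255.255.255.0
access-list 201 extended permit ip 172.31.17.0 255.255.255.0 10.0.0.0 255.0.0.0
"""
HUB_LAN = ipaddress.ip_network("172.31.16.0/24")
SPOKES = {"B": ("100", ipaddress.ip_network("172.31.17.0/24")),
          "C": ("101", ipaddress.ip_network("10.0.0.0/8"))}


def run_checks(hub_config=HUB_CONFIG, spoke_b_config=SITE_B_CONFIG):
    """Run all checks; each value is a list of findings (empty means clean)."""
    hub_acls = parse_acls(hub_config)
    return {
        "hub": check_hub(hub_acls, HUB_LAN, SPOKES, "inside_nat0_outbound"),
        "spoke_b": check_spoke(parse_acls(spoke_b_config).get("201", []), hub_acls.get("100", [])),
        "crypto_map": check_crypto_map_order(parse_crypto_maps(hub_config)),
    }


if __name__ == "__main__":
    for section, items in run_checks().items():
        print(section, items or ["ok"])
```

Run as-is it reports exactly the two gaps a reader would expect from the thread: the NAT-exemption ACE for 10.0.0.0/8 to 172.31.17.0/24 that Arul asked for, and the dynamic map still at sequence 10. Adding that ACE and moving the dynamic entry to 65000 clears both. The check is deliberately one-directional per ACE because the crypto ACL on a hub is written from the hub's point of view; the spoke's ACL is expected to be the exact mirror.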

Community Member

Re: Traffic between VPN Tunnels

Arul,

I already had added the nonat statement. Attached is the "sh cry ipsec sa". The traffic that I am concerned about is between 10.0.0.0 and 172.31.17.0. The traffic between 10.0.0.0 and 172.31.16.0 works.

Thanks,

Tom

Cisco Employee

Re: Traffic between VPN Tunnels

Tom,

Can you also post the current configuration? The reason I ask is, I can see the packets from 17.x are getting encrypted for the 10.x.x.x but no decrypts.

Who owns the 10.x.x.x/8 network? Looks like the issue could be on the other side, where things are not configured correctly. Could be a routing issue, NAT, ACL, etc. But the problem seems to be on the remote side, because they are not encrypting the packets and sending them back to you.

Thanks,

Arul

*Pls rate if it helps*

Community Member

Re: Traffic between VPN Tunnels

Arul,

A business partner owns the 10.0.0.0/8 network that the other site needs to access. They have assured me that the 172.31.0.0/16 network is allowed through their tunnel to our main site.

Thanks,

Tom
