ASA doesn't encrypt interesting VPN traffic

m.scaranello
Level 1

Hello everybody out there using ASA.

I had some VPN IPSEC tunnels between the company central site and remote sites.

Two dsl lines were connected to the ASA, one for VPN traffic and the other one for internet.

The default gateway was configured on the internet line, while some static routes ensured that traffic toward company sites was sent through the other line.

Some days ago we changed ASA configuration in order to use only one dsl connection, then the line that was used for internet was disconnected, while the other one became the default gateway and static routes were deleted.

From that moment VPN connections stopped working, and when trying to send packets to the remote LAN, it seems like the ASA doesn't recognise that traffic as traffic to be encrypted. Obviously we checked the crypto map, ACL, etc., but we can't find any trouble. Do you have any suggestions?

Thanks in advance,

Matt

-----------------------------------------------------------------------------------------------------------------------------------------------------------------

object network XNetwork
subnet 10.10.0.0 255.255.255.0

object network YNetwork
subnet 172.0.1.0 255.255.255.0


crypto map RB1ITSHDSL001_map2 1 match address RB1ITSHDSL001_1_cryptomap
crypto map RB1ITSHDSL001_map2 1 set peer a.b.c.186
crypto map RB1ITSHDSL001_map2 1 set transform-set ESP-3DES-SHA

access-list RB1ITSHDSL001_1_cryptomap extended permit ip object XNetwork object YNetwork

-------------------------------------------------------------------------------------------------------------------------------------------------------------------

2 Accepted Solutions

Hi,

From your output the ASA should be encrypting traffic between XNetwork and YNetwork.

If the ASA is not encrypting this traffic it could be because there's a problem with NAT configuration.

When the ASA receives a packet, it will first check if there are ACLs that allow the traffic, pass it through inspection engines and check the NAT associated to it. If for example the packet is being NATed, then the encryption from the private IP will never take place.

Could you make sure that the packets from the XNetwork are really reaching the ASA and that the NAT rule is correct, and perhaps look at ''debug cry isa 127'' and ''debug cry ips 127'' to check for mismatch errors.

Also, what is the state of the tunnel when trying to communicate: ''sh cry isa sa''

Federico.


Yudong Wu
Level 7

Can you post the full configuration?

Per your description, routing should be good; I think it might be a NAT issue.

You probably added some NAT/Global command which would NAT the vpn traffic. If this is the case, you just need to add NAT 0 to exclude the vpn traffic from NAT.


3 Replies


m.scaranello
Level 1

You both were right, the problem was in nat configuration.

The change of routing affected the nat rule control.

Now the route is unique, and I found that in the NAT list the "internet nat" rule was listed before the "vpn nat" rule, so traffic was NATted to the outside world rather than encrypted. Putting the "vpn nat" rule first resolved my problem.

Thank you very much for your help!

Best regards,

Matt
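As an added illustration of the first-match ordering Matt describes (not code from this thread or from Cisco), here is a small Python model of how the ASA picks a NAT rule and then evaluates the crypto map ACL against the post-NAT packet. The outside interface address, the rule names and the sample packets are constructed; the networks and crypto ACL mirror the configuration posted above.

```python
from ipaddress import ip_address, ip_network

# Constructed to mirror the thread: XNetwork is the local LAN, YNetwork the
# remote LAN behind the IPsec peer. The outside interface address is assumed.
XNETWORK = ip_network("10.10.0.0/24")
YNETWORK = ip_network("172.0.1.0/24")
OUTSIDE_IF = ip_address("203.0.113.10")  # assumed outside interface IP
ANY = ip_network("0.0.0.0/0")

# A NAT rule: source match, destination match, and translated source.
# xlate=None means identity/exempt: the source keeps its private address
# (nat 0 on older code, an identity twice-NAT rule on 8.3 and later).
VPN_EXEMPT = {"name": "vpn nat", "src": XNETWORK, "dst": YNETWORK, "xlate": None}
INTERNET_PAT = {"name": "internet nat", "src": XNETWORK, "dst": ANY, "xlate": OUTSIDE_IF}


def apply_nat(src, dst, rules):
    """ASA NAT is first match: the first rule whose src/dst both match wins.
    Returns (post-NAT source address, name of the matching rule or None)."""
    for rule in rules:
        if src in rule["src"] and dst in rule["dst"]:
            return (src if rule["xlate"] is None else rule["xlate"]), rule["name"]
    return src, None  # nothing matched: no translation


def crypto_acl_matches(src, dst):
    """The crypto map ACL from the thread: permit ip XNetwork YNetwork.
    The ASA evaluates it against the packet *after* NAT has been applied."""
    return src in XNETWORK and dst in YNETWORK


def classify(src, dst, rules):
    """Return 'encrypted' if the packet would enter the IPsec tunnel,
    otherwise a description of the NAT rule that diverted it."""
    src, dst = ip_address(src), ip_address(dst)
    post_nat_src, rule = apply_nat(src, dst, rules)
    if crypto_acl_matches(post_nat_src, dst):
        return "encrypted"
    return f"sent in clear via '{rule}'" if rule else "sent in clear, no NAT"


if __name__ == "__main__":
    pkt = ("10.10.0.25", "172.0.1.40")  # constructed host in X talking to Y
    # The broken ordering Matt found: the internet PAT rule listed first,
    # so the source becomes the outside IP and the crypto ACL never matches.
    print(classify(*pkt, [INTERNET_PAT, VPN_EXEMPT]))  # sent in clear via 'internet nat'
    # The fix: exemption first, so the private source survives to the crypto ACL.
    print(classify(*pkt, [VPN_EXEMPT, INTERNET_PAT]))  # encrypted
```

Traffic to a destination outside YNetwork still falls through to the PAT rule with either ordering, which is the behaviour the exemption is meant to preserve.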
