Simulating with packet-tracer on the DC FW's outside interface FROM 10.0.0.1 to 10.31.1.0, it fails (first packet-tracer). But doing the same on an internal interface of the DC FW, it works, and consequently the IPsec phase 1 and phase 2 to the customer come up.
I do have 'same-security-traffic permit intra-interface' configured.
Why are the same src and dst hosts/subnets failing when hairpinning? With debugging on ikev1 I can determine that the DC ASA is not even trying to form a tunnel with the customer firewall.
Jouni is correct in that the ASA cannot simulate an encrypted VPN packet coming in on the outside interface. This packet will be dropped, as it will be seen as a spoofed packet.
So if you are going to test a VPN connection through the ASA using packet-tracer, you need to source from the internal network. If the tunnel is not already up, the first packet-tracer will fail because it is building the tunnel; the second packet-tracer will pass successfully, since the tunnel is now up due to the first trace.
-- Please remember to rate and select a correct answer
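As an added worked example (not part of the original question or answer), this is the test sequence the answer describes, typed on the DC ASA. The addresses 10.0.0.1 and 10.31.1.0 come from the question; the interface name "inside", the target host 10.31.1.10, the TCP ports and the customer peer address 203.0.113.1 are assumptions made for illustration.

```text
! Added example: packet-tracer test sequence for a site-to-site tunnel on the DC ASA.
! 10.0.0.1 and 10.31.1.0/24 are from the question; "inside", 10.31.1.10, the ports
! and the peer 203.0.113.1 are assumptions.

! 1. What the question tried: trace the flow as if it arrived on the outside interface.
!    The ASA cannot simulate the ESP-encapsulated packet the peer would really send,
!    so the clear-text packet is treated as spoofed and the trace ends in "Action: drop".
dc-asa# packet-tracer input outside tcp 10.0.0.1 12345 10.31.1.10 443 detailed

! 2. Source the trace from the internal interface instead. With no SA yet, the first
!    run fails, because it only triggers IKE phase 1 / phase 2 with the customer peer.
!    (Optionally watch the negotiation: debug crypto ikev1 127)
dc-asa# packet-tracer input inside tcp 10.0.0.1 12345 10.31.1.10 443

! 3. Confirm the tunnel the first trace brought up (peer address assumed).
dc-asa# show crypto ikev1 sa
dc-asa# show crypto ipsec sa peer 203.0.113.1

! 4. Repeat the identical trace. With the SAs established it now reports
!    "Action: allow" and shows the VPN encrypt phase in its output.
dc-asa# packet-tracer input inside tcp 10.0.0.1 12345 10.31.1.10 443
```

If step 4 still drops, compare the crypto map ACL on the DC ASA with the source/destination pair used in the trace: the trace only brings up the SA whose proxy identities match the simulated packet.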