New Member

ASA to 1841 VPN Tunnel

Hello,

  I am trying to establish a site-to-site VPN tunnel between 2 offices. One office has a Cisco 1841 and the other a pair of ASA 5510s. I get the tunnel to establish without a problem. The problem is that the traffic going to the 1841 destined for the ASA will not encrypt for this particular tunnel. I get decaps on the session but no encaps. I have reconfigured the tunnel several times but keep getting the same result:

Interface: FastEthernet0/1
Session status: UP-ACTIVE    
Peer: 202.41.148.5 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 202.41.148.5
      Desc: (none)
  IKE SA: local 81.218.42.130/500 remote 202.41.148.5/500 Active
          Capabilities:(none) connid:98 lifetime:23:45:02
  IPSEC FLOW: permit ip 192.168.5.0/255.255.255.0 10.0.96.0/255.255.240.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 17 drop 0 life (KB/Sec) 4569995/2704
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4569996/2704

Any suggestions would be greatly appreciated.

Andy

8 REPLIES

Re: ASA to 1841 VPN Tunnel

I would start by looking into your routing, NAT, and ACL configurations.  Is this router in the default routed path for the hosts that you are trying to reach via the tunnel?  If not, you may need to add static routes or configure RRI and a routing protocol in order to resolve.  If the return traffic is getting to the router, ensure that it is not being blocked by an input ACL.  Also make sure that the return traffic is being exempt from any NAT policies that you may have.

New Member

Re: ASA to 1841 VPN Tunnel

I copied the same config that I made for another tunnel that is working. This router serves as the DG for all machines. There are no inbound ACLs that would affect this traffic. I am even getting hits on the configured access-list that the traffic needs to match. When I run a trace from a machine, it hits the router and then goes outside without encrypting. When I run a trace from the same machine to another location, it encrypts and travels over the tunnel.

I don't even know what other debugs to run besides debug crypto ipsec and debug crypto isakmp that would help.

Re: ASA to 1841 VPN Tunnel

Can you post your configuration for me to review?

New Member

Re: ASA to 1841 VPN Tunnel

I attached the config.

Thanks,

Andy

Re: ASA to 1841 VPN Tunnel (Accepted Solution)

Your ACL 100 is not exempting the 192.168.5.0->10.0.96.0 traffic from the NAT process.  Please add the line below above the permit statement and then test again.

access-list 100 deny ip 192.168.5.0 0.0.0.255 10.0.96.0 0.0.15.255

New Member

Re: ASA to 1841 VPN Tunnel

That was it! What is confusing is that I don't see where that access-list is applied to.

Thanks for your help,

Andy

Re: ASA to 1841 VPN Tunnel

Your outbound NAT (PAT) configuration:

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload

Route-map SDM_RMAP_1 is associated with ACL 100:

route-map SDM_RMAP_1 permit 1
match ip address 100

Traffic that is denied in ACL 100 will be exempt from NAT, while traffic that is permitted will be processed using PAT based on the overload keyword above.
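
The order-of-operations point in the reply above (on IOS, inside-to-outside NAT runs before the crypto map, so anything ACL 100 permits is PATted to the FastEthernet0/1 address and never matches the crypto ACL) is easy to miss on a router with several tunnels, because the deny lines that exempt each tunnel live in an ACL that is only referenced through a route-map. The following is an added example, not Cisco code and not the poster's attached configuration: a small Python checker that parses the relevant lines of an IOS config (`access-list N permit|deny ip SRC DST`, the `ip nat inside source route-map|list ...` statement, and `crypto map ... ipsec-isakmp` entries) and, for every crypto-ACL flow, walks the NAT ACL in first-match order to report whether that flow is exempted, PATted, or only partly covered. The sample config is constructed to mirror the thread: ACL 120 carries the 192.168.5.0/24 to 10.0.96.0/20 flow from the show output, while ACL 121, peer 198.51.100.9 and the 10.0.200.0/24 network are made up to stand in for the "other tunnel that is working". Named ACLs, protocol-specific ACL lines and static NAT are not modelled; a NAT ACL that cannot be parsed is reported as an error rather than silently treated as an exemption.

```python
"""Check whether each IOS crypto map flow is exempted from inside-source NAT.

Added example for this thread; not Cisco code. Models only numbered extended
'ip' ACL lines, 'ip nat inside source route-map|list', and crypto map entries.
"""
import ipaddress

# Constructed sample config (hypothetical). ACL 121, peer 198.51.100.9 and
# 10.0.200.0/24 are invented to represent the second, working tunnel.
SAMPLE_CONFIG = """\
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
route-map SDM_RMAP_1 permit 1
 match ip address 100
access-list 100 deny   ip 192.168.5.0 0.0.0.255 10.0.200.0 0.0.0.255
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
access-list 120 permit ip 192.168.5.0 0.0.0.255 10.0.96.0 0.0.15.255
access-list 121 permit ip 192.168.5.0 0.0.0.255 10.0.200.0 0.0.0.255
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 202.41.148.5
 match address 120
crypto map SDM_CMAP_1 2 ipsec-isakmp
 set peer 198.51.100.9
 match address 121
"""
# The single line from the accepted answer, placed above the permit statement.
FIX_LINE = "access-list 100 deny   ip 192.168.5.0 0.0.0.255 10.0.96.0 0.0.15.255\n"

ANY = ipaddress.IPv4Network("0.0.0.0/0")


def wildcard_to_network(addr, wildcard):
    """'10.0.96.0 0.0.15.255' -> 10.0.96.0/20. Converted by hand because
    ipaddress reads 0.0.0.0 and 255.255.255.255 as netmasks, not wildcards."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # wildcard bits must be a contiguous low run
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.IPv4Network((addr, 32 - w.bit_length()), strict=False)


def parse_addr(t, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    return wildcard_to_network(t[i], t[i + 1]), i + 2


def parse_config(text):
    """Return (acls, route_maps, crypto_entries, nat_statement)."""
    acls, route_maps, crypto, nat, section = {}, {}, [], None, None
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if t[0] == "access-list" and len(t) > 3 and t[3] == "ip":
            src, i = parse_addr(t, 4)
            dst, _ = parse_addr(t, i)
            acls.setdefault(int(t[1]), []).append((t[2], src, dst))
        elif t[0] == "route-map":
            section = ("route-map", route_maps.setdefault(t[1], []))
        elif t[:2] == ["crypto", "map"] and "ipsec-isakmp" in t:
            crypto.append({"peer": None, "acl": None})
            section = ("crypto", crypto[-1])
        elif t[:4] == ["ip", "nat", "inside", "source"]:
            nat = (t[4], t[5])  # ("route-map", NAME) or ("list", NUMBER)
        elif section and section[0] == "route-map" and t[:3] == ["match", "ip", "address"]:
            section[1].extend(int(n) for n in t[3:])
        elif section and section[0] == "crypto" and t[:2] == ["set", "peer"]:
            section[1]["peer"] = t[2]
        elif section and section[0] == "crypto" and t[:2] == ["match", "address"]:
            section[1]["acl"] = int(t[2])
    return acls, route_maps, crypto, nat


def match_acl(entries, src, dst):
    """First-match walk of one ACL for a whole flow. 'partial' means an entry
    overlaps the flow without covering it, so some hosts get a different answer."""
    for action, esrc, edst in entries:
        if src.subnet_of(esrc) and dst.subnet_of(edst):
            return action
        if src.overlaps(esrc) and dst.overlaps(edst):
            return "partial"
    return "deny"  # implicit deny: the route-map/list does not match, no NAT


def check_nat_exemption(config_text):
    """Return [(peer, 'src -> dst', verdict)] for every crypto ACL permit line;
    verdict is 'natted' (PAT wins before the crypto map), 'exempt' or 'partial'."""
    acls, route_maps, crypto, nat = parse_config(config_text)
    numbers = [] if nat is None else (
        [int(nat[1])] if nat[0] == "list" else route_maps.get(nat[1], []))
    nat_acls = []
    for n in numbers:
        if n not in acls:  # fail loudly rather than report a false 'exempt'
            raise ValueError(f"NAT ACL {n} not found or not an extended IP ACL")
        nat_acls.append(acls[n])
    results = []
    for entry in crypto:
        for action, src, dst in acls.get(entry["acl"], []):
            if action != "permit":
                continue  # only permit lines define interesting traffic
            verdicts = [match_acl(a, src, dst) for a in nat_acls]
            verdict = ("natted" if "permit" in verdicts else
                       "partial" if "partial" in verdicts else "exempt")
            results.append((entry["peer"], f"{src} -> {dst}", verdict))
    return results


def apply_fix(config_text):
    """Insert the accepted answer's deny line above ACL 100's permit statement."""
    return config_text.replace("access-list 100 permit",
                               FIX_LINE + "access-list 100 permit", 1)


if __name__ == "__main__":
    for label, cfg in (("before fix", SAMPLE_CONFIG), ("after fix", apply_fix(SAMPLE_CONFIG))):
        print(f"--- {label}")
        for peer, flow, verdict in check_nat_exemption(cfg):
            print(f"peer {peer:<15} {flow:<35} {verdict}")
```

Run as-is, the "before fix" pass flags the 202.41.148.5 flow as natted and the invented second tunnel as exempt, which is exactly the asymmetry in the thread (decaps but no encaps on one tunnel, the other fine); after `apply_fix` both are exempt. The "partial" verdict is the check worth keeping on a real router: a deny that covers only part of the crypto ACL's subnet lets some hosts through the tunnel and PATs the rest, which shows up as an intermittent tunnel rather than a dead one.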

Re: ASA to 1841 VPN Tunnel

Try this please!

access-list 100 deny ip 192.168.5.0 0.0.0.255 10.0.96.0 0.0.15.255

Thanks

Manish
