08-16-2010 09:06 AM
Hello,
I am trying to establish a site-to-site VPN tunnel between 2 offices. One office has a Cisco 1841 and the other a pair of ASA 5510s. I get the tunnel to establish without a problem. The problem is that the traffic going to the 1841 destined for the ASA will not encrypt for this particular tunnel. I get decaps on the session but no encaps. I have reconfigured the tunnel several times but keep getting the same result:
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 202.41.148.5 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 202.41.148.5
Desc: (none)
IKE SA: local 81.218.42.130/500 remote 202.41.148.5/500 Active
Capabilities:(none) connid:98 lifetime:23:45:02
IPSEC FLOW: permit ip 192.168.5.0/255.255.255.0 10.0.96.0/255.255.240.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 17 drop 0 life (KB/Sec) 4569995/2704
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4569996/2704
Any suggestions would be greatly appreciated.
Andy
08-16-2010 11:21 AM
Your ACL 100 is not exempting the 192.168.5.0->10.0.96.0 traffic from the NAT process. Please add the line below above the permit statement and then test again.
access-list 100 deny ip 192.168.5.0 0.0.0.255 10.0.96.0 0.0.15.255
08-16-2010 09:24 AM
I would start by looking into your routing, NAT, and ACL configurations. Is this router in the default routed path for the hosts that you are trying to reach via the tunnel? If not, you may need to add static routes or configure RRI and a routing protocol in order to resolve. If the return traffic is getting to the router, ensure that it is not being blocked by an input ACL. Also make sure that the return traffic is being exempt from any NAT policies that you may have.
08-16-2010 10:25 AM
I copied the same config that I made for another tunnel that is working. This router serves as the DG for all machines. There are no inbound ACLs that would affect this traffic. I am even getting hits on the configured access-list that the traffic needs to match. When I run a trace from a machine, it hits the router and then goes outside without encrypting. When I run a trace from the same machine to another location, it encrypts and travels over the tunnel.
I don't even know what other debugs to run beside debug crypto ipsec and debug crypto isakmp that would help.
08-16-2010 10:28 AM
Can you post your configuration for me to review?
08-16-2010 11:09 AM
08-16-2010 11:32 AM
That was it! What is confusing is that I don't see where that access-list is applied to.
Thanks for your help,
Andy
08-16-2010 11:37 AM
Your outbound NAT (PAT) configuration:
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
Route-map SDM_RMAP_1 is associated with ACL 100:
route-map SDM_RMAP_1 permit 1
match ip address 100
Traffic that is denied in ACL 100 will be exempt from NAT, while traffic that is permitted will be processed using PAT based on the overload keyword above.
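To make the ordering point concrete, here is an added example (not from the thread or any Cisco tool) that evaluates ACL 100 with IOS first-match wildcard semantics and then checks whether the post-NAT packet still matches the crypto ACL from the IPSEC FLOW line. The deny line and the addresses come from the thread; the "permit ... any" ACE is assumed, since the original ACL 100 is not shown.

```python
import ipaddress

# Constructed example. DENY_ACE is the line from the accepted answer; PERMIT_ACE is an
# assumed SDM-style ACE (the thread never shows the original ACL 100).
DENY_ACE = "access-list 100 deny ip 192.168.5.0 0.0.0.255 10.0.96.0 0.0.15.255"
PERMIT_ACE = "access-list 100 permit ip 192.168.5.0 0.0.0.255 any"  # assumption
OUTSIDE_IP = "81.218.42.130"  # the 1841's Fa0/1 address from the session output
# Crypto ACL from the IPSEC FLOW line, written as network/wildcard
# (mask 255.255.240.0 is wildcard 0.0.15.255).
CRYPTO_FLOW = (("192.168.5.0", "0.0.0.255"), ("10.0.96.0", "0.0.15.255"))

def _wild_match(addr, net, wildcard):
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return ((a & ~w) & 0xFFFFFFFF) == ((n & ~w) & 0xFFFFFFFF)

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST', where SRC/DST is 'any',
    'host A.B.C.D' or 'A.B.C.D WILDCARD'. Returns (action, (src, wc), (dst, wc))."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    action, i, fields = tok[2], 4, []
    for _ in range(2):
        if tok[i] == "any":
            fields.append(("0.0.0.0", "255.255.255.255")); i += 1
        elif tok[i] == "host":
            fields.append((tok[i + 1], "0.0.0.0")); i += 2
        else:
            fields.append((tok[i], tok[i + 1])); i += 2
    return action, fields[0], fields[1]

def nat_acl_decision(acl, src, dst):
    """Top-down, first match wins. A permit means PAT via the route-map; a deny
    (or the implicit deny at the end) means the packet is not translated."""
    for ace in acl:
        action, (sn, sw), (dn, dw) = parse_ace(ace)
        if _wild_match(src, sn, sw) and _wild_match(dst, dn, dw):
            return "pat" if action == "permit" else "exempt"
    return "exempt"

def would_encrypt(acl, src, dst):
    """Inside-to-outside, IOS applies NAT before the crypto map, so the post-NAT
    source must still match the crypto ACL or the packet leaves in the clear."""
    post_nat_src = OUTSIDE_IP if nat_acl_decision(acl, src, dst) == "pat" else src
    (cn, cw), (dn, dw) = CRYPTO_FLOW
    return _wild_match(post_nat_src, cn, cw) and _wild_match(dst, dn, dw)

ACL_BROKEN = [PERMIT_ACE]                 # assumed starting point: decaps, no encaps
ACL_FIXED = [DENY_ACE, PERMIT_ACE]        # deny placed above the permit
ACL_WRONG_ORDER = [PERMIT_ACE, DENY_ACE]  # deny below the permit never gets evaluated
```

Running the same 192.168.5.x to 10.0.96.0/20 flow through the three lists shows why the deny has to sit above the permit: with the deny below it, the permit still matches first and the source is rewritten to the outside address, which the crypto ACL does not cover.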
08-16-2010 11:23 AM
Try this please!
access-list 100 deny ip 192.168.5.0 0.0.0.255 10.0.96.0 0.0.15.255
Thanks
Manish