Cisco Support Community

Cisco ASA & Router Site to Site VPN up but not passing traffic

Dear all,

Please help me with the VPN issue in the attached document: the site-to-site VPN is up but I am not able to pass traffic.

Thanks in advance

ahossain

25 REPLIES

Cisco ASA & Router Site to Site VPN up but not passing traffic

Check

1) The routing

2) The crypto interesting ACL

3) Your NO-NAT ACL

HTH

Cisco ASA & Router Site to Site VPN up but not passing traffic

Please post your config, I will look into it for you.

Thanks

Cisco ASA & Router Site to Site VPN up but not passing traffic

Please help me urgent on this case.

Cisco ASA & Router Site to Site VPN up but not passing traffic

I replied to you yesterday and requested the config.

So please post the config; I will help you as fast as I can.

thanks

Cisco ASA & Router Site to Site VPN up but not passing traffic

Yes! I have posted both sites' current configuration files; please help me ASAP.

Cisco ASA & Router Site to Site VPN up but not passing traffic

Paste the below into the ASA:

access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

nat (inside) 0 access-list no-nat

Cisco ASA & Router Site to Site VPN up but not passing traffic

Thanks Mr. Andrew for your reply. I have applied it on the ASA but it is still the same thing.

Cisco ASA & Router Site to Site VPN up but not passing traffic

At the CLI type:

clear crypto ipsec sa

clear xlate

Then re-establish the VPN and post the output of "show crypto ipsec sa".

Cisco ASA & Router Site to Site VPN up but not passing traffic

Copy these lines on your ASA.

tunnel-group 212.107.106.129 type ipsec-l2l
tunnel-group 212.107.106.129 ipsec-attributes
pre-shared-key your-password-goes-on-whichever-your-password is


Create an ACL as shown below.

access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0


Apply the no-nat on the inside interface as shown below.

nat (inside) 0 access-list inside_nat0_outbound

Remove these three lines from ACL encrypt_acl

access-list encrypt_acl extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list encrypt_acl extended permit esp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list encrypt_acl extended permit udp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0


Please add this route on the ASA.
route outside 10.2.2.0 255.255.255.0 212.71.53.36

Remove all these lines.

crypto isakmp enable DMZ
crypto isakmp enable inside

----------------------------------------------------

Now work on your router.

crypto map mal 10 ipsec-isakmp
set peer 212.71.53.38
set transform-set mal
match address 120
set pfs group2
reverse-route

Now you are good.

ping 10.1.1.x source interface GigabitEthernet0/2

x is a host IP behind the ASA.

Let me know, how it is coming along.

Thanks

Rizwan Rafeek.

Cisco ASA & Router Site to Site VPN up but not passing traffic

Dear Rizwan,

Thanks for your support. I have applied everything as per your configuration, but I have lost the IPsec connectivity.

When I type show crypto ipsec sa, nothing shows.

Please advise me on this!

Cisco ASA & Router Site to Site VPN up but not passing traffic

Please send a continuous ping from a PC behind the ASA to a remote host (i.e. PC) behind the remote router.

Also please post your config just to be sure.

Cisco ASA & Router Site to Site VPN up but not passing traffic

#show cry ips sa

interface: GigabitEthernet0/0
    Crypto map tag: mal, local addr 172.20.34.54

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer 212.71.53.38 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.20.34.54, remote crypto endpt.: 212.71.53.38
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

interface: GigabitEthernet0/1
    Crypto map tag: mal, local addr 212.107.106.129

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer 212.71.53.38 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 10, #recv errors 0

     local crypto endpt.: 212.107.106.129, remote crypto endpt.: 212.71.53.38
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none
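
The counters in this output already tell the story: crypto map mal is active on both GigabitEthernet0/0 and GigabitEthernet0/1, the current outbound SPI is 0x0 on both (no phase-2 SA, and the esp sas sections are empty), and only GigabitEthernet0/1 shows send errors, so interesting traffic matched the crypto map there but nothing was ever encrypted. The script below is an added example, not code from this thread or from Cisco: it parses a constructed, abridged copy of the output above into one record per interface and emits exactly those findings. The function names (parse_ipsec_sa, diagnose) are mine.

```python
import re

# Constructed, abridged copy of the "show crypto ipsec sa" output posted above.
SHOW_CRYPTO_IPSEC_SA = """\
interface: GigabitEthernet0/0
    Crypto map tag: mal, local addr 172.20.34.54

   local  ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer 212.71.53.38 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.20.34.54, remote crypto endpt.: 212.71.53.38
     current outbound spi: 0x0(0)

interface: GigabitEthernet0/1
    Crypto map tag: mal, local addr 212.107.106.129

   local  ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer 212.71.53.38 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 10, #recv errors 0

     local crypto endpt.: 212.107.106.129, remote crypto endpt.: 212.71.53.38
     current outbound spi: 0x0(0)
"""


def _field(chunk, pattern, cast=str, default=None):
    """First capture group of pattern in chunk, converted with cast; default if absent."""
    m = re.search(pattern, chunk, re.M)
    return cast(m.group(1)) if m else default


def parse_ipsec_sa(text):
    """One record per 'interface:' section with the counters that matter for triage."""
    records = []
    for chunk in re.split(r"^interface: ", text, flags=re.M)[1:]:
        records.append({
            "interface": chunk.split("\n", 1)[0].strip(),
            "map": _field(chunk, r"Crypto map tag: (\S+?),"),
            "local_addr": _field(chunk, r"local addr (\S+)"),
            "peer": _field(chunk, r"current_peer (\S+)"),
            "local_ident": _field(chunk, r"local +ident \(addr/mask/prot/port\): \(([^)]+)\)"),
            "remote_ident": _field(chunk, r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)"),
            "encaps": _field(chunk, r"#pkts encaps: (\d+)", int, 0),
            "decaps": _field(chunk, r"#pkts decaps: (\d+)", int, 0),
            "send_errors": _field(chunk, r"#send errors (\d+)", int, 0),
            "outbound_spi": _field(chunk, r"current outbound spi: (0x[0-9A-Fa-f]+)"),
        })
    return records


def diagnose(records):
    """Findings a responder would write down before touching the config."""
    findings = []
    by_map = {}
    for r in records:
        by_map.setdefault(r["map"], []).append(r["interface"])
    for name, ifaces in by_map.items():
        if len(ifaces) > 1:
            findings.append(f"crypto map '{name}' is active on {len(ifaces)} interfaces ({', '.join(ifaces)}); "
                            "each one negotiates with its own local address")
    for r in records:
        tag = f"{r['interface']} {r['local_addr']} -> {r['peer']}"
        if r["outbound_spi"] in (None, "0x0"):
            findings.append(f"{tag}: outbound SPI 0x0, no phase-2 SA in place")
        if r["send_errors"] and r["encaps"] == 0:
            findings.append(f"{tag}: {r['send_errors']} send errors with 0 encaps; "
                            "interesting traffic matched the crypto map but could not be encrypted")
        elif r["encaps"] == 0 and r["decaps"] == 0:
            findings.append(f"{tag}: no packets in either direction; traffic is not reaching this crypto map")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_ipsec_sa(SHOW_CRYPTO_IPSEC_SA)):
        print(finding)
```

Run it against a fresh `show crypto ipsec sa` after each change: once the tunnel negotiates, the outbound SPI becomes non-zero and encaps/decaps should climb together; encaps rising while decaps stays at zero points at the far side (its crypto ACL, NAT exemption or return route) rather than at this router.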

Cisco ASA & Router Site to Site VPN up but not passing traffic

Dear all, I am looking for quick support.

Cisco ASA & Router Site to Site VPN up but not passing traffic

Please post your config again.

Cisco ASA & Router Site to Site VPN up but not passing traffic

ASA#

ASA Version 8.2(1)
!
hostname Active
domain-name test.com
!
interface Ethernet0/0
description LAN/STATE Failover Interface
!
interface Ethernet0/1
speed 100
nameif outside
security-level 0
ip address 212.71.53.38 255.255.255.224 standby 212.71.53.37
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 192.168.50.1 255.255.255.0 standby 192.168.50.4
!
interface Ethernet0/3
description INSIDE
speed 100
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa821-k8.bin
boot config disk0:/running-config
ftp mode passive
dns server-group DefaultDNS
domain-name test.com
access-list deny-flow-max 1
access-list alert-interval 2
access-list allow extended permit ip any any
access-list VPN extended permit ip any any
access-list OUTSIDE extended permit ip any any
access-list al-outside extended permit ip any host 212.107.106.129
access-list al-outside extended permit ip any any
access-list encrypt_acl extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list outside_access_in extended permit ip any any
access-list inside_access_out extended permit ip any any
access-list DMZ_access_out extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list DMZ_access_in extended permit ip any any
access-list outside_access_in_1 extended permit ip any any
access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu DMZ 1500
mtu inside 1500
failover
failover lan unit primary
failover lan interface failover Ethernet0/0
failover key *****
failover link failover Ethernet0/0
failover interface ip failover 10.10.10.1 255.255.255.252 standby 10.10.10.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any DMZ
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 212.71.53.36 1
route outside 10.2.2.0 255.255.255.0 212.71.53.36 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
service resetoutside
crypto ipsec transform-set mal esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mal 10 set peer 212.107.106.129
crypto map IPSec_map 10 match address encrypt_acl
crypto map IPSec_map 10 set peer 212.107.106.129
crypto map IPSec_map 10 set transform-set mal
crypto map IPSec_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside

==================================================================

Remote-Router#

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXXXXX address 212.71.53.38
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set mal esp-3des esp-md5-hmac
!
crypto map mal 10 ipsec-isakmp
set peer 212.71.53.38
set transform-set mal
match address 120
!
!
!
!
!
interface Loopback0
ip address 10.3.3.1 255.255.255.0
ip virtual-reassembly in
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 172.20.34.54 255.255.255.252
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
crypto map mal
!
interface GigabitEthernet0/1
ip address 212.107.106.129 255.255.255.248
ip nat outside
ip virtual-reassembly in
no ip route-cache
duplex auto
speed auto
crypto map mal
!
interface GigabitEthernet0/2
description *!* LAN *!*
ip address 10.2.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http secure-server
!
ip nat pool OUTPOOL 212.107.106.132 212.107.106.132 netmask 255.255.255.248
ip nat inside source route-map nonat pool OUTPOOL overload
ip route 0.0.0.0 0.0.0.0 172.20.34.53
ip route 10.1.1.0 255.255.255.0 212.107.106.130
ip route 192.168.50.0 255.255.255.0 212.71.53.38
!
ip access-list extended outside
remark CCP_ACL Category=1
permit ip any any log
ip access-list extended outside1
remark CCP_ACL Category=1
permit ip any any log
!
access-list 110 permit tcp 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 120 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 deny   ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 deny   ip 10.2.2.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 130 permit ip 10.2.2.0 0.0.0.255 any
!
route-map nonat permit 10
match ip address 130
!
control-plane
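
The three-item checklist near the top of this thread (routing, the crypto interesting ACL, the NO-NAT ACL) can be scripted against the two configs just posted. The script below is an added example, not code from this thread or from Cisco: ASA_CONFIG and IOS_CONFIG are constructed excerpts of the lines above, and the function names (lint_site_to_site, asa_acl, ios_acl, covers) are mine. It turns the ASA's netmask-style ACL entries and the router's wildcard-style entries into ipaddress networks, then checks that the crypto ACLs mirror each other, that both sides exempt the VPN pair from NAT before any PAT rule catches it, that only one crypto map on the ASA is actually bound to an interface, and that the router's crypto map sits on exactly one interface whose address is the ASA's configured peer. On the posted configs it reports the stray `crypto map mal 10 set peer` line and the crypto map bound to both router interfaces, the two points raised in the replies that follow.

```python
import ipaddress
import re

# Constructed excerpts of the ASA and router configs posted above
# (ASA ACLs carry netmasks, IOS ACLs carry wildcard masks).
ASA_CONFIG = """\
access-list encrypt_acl extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map mal 10 set peer 212.107.106.129
crypto map IPSec_map 10 match address encrypt_acl
crypto map IPSec_map 10 set peer 212.107.106.129
crypto map IPSec_map interface outside
"""
IOS_CONFIG = """\
crypto map mal 10 ipsec-isakmp
 set peer 212.71.53.38
 match address 120
interface GigabitEthernet0/0
 ip address 172.20.34.54 255.255.255.252
 crypto map mal
interface GigabitEthernet0/1
 ip address 212.107.106.129 255.255.255.248
 crypto map mal
access-list 120 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 deny   ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 permit ip 10.2.2.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 130
"""

def net(addr, mask):
    """Network from address + ASA netmask (255.255.255.0)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def wildcard_net(addr, wildcard):
    """Network from address + IOS wildcard (0.0.0.255): invert the wildcard to get the mask."""
    mask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def asa_acl(config, name):
    """(src, dst) pairs of the 'permit ip' entries of an ASA extended ACL."""
    pat = re.compile(rf"^access-list {re.escape(name)} extended permit ip (\S+) (\S+) (\S+) (\S+)", re.M)
    return [(net(m[1], m[2]), net(m[3], m[4])) for m in pat.finditer(config)]

def ios_operand(toks):
    """Consume one IOS address operand ('any' or 'A.B.C.D W.W.W.W'); return (network, rest)."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    return wildcard_net(toks[0], toks[1]), toks[2:]

def ios_acl(config, number):
    """(action, src, dst) triples of a numbered IOS ACL, in configured order."""
    out = []
    for m in re.finditer(rf"^access-list {number} (permit|deny)\s+ip\s+(.*)$", config, re.M):
        src, rest = ios_operand(m.group(2).split())
        out.append((m.group(1), src, ios_operand(rest)[0]))
    return out

def covers(pair, entry):
    """True when a (src, dst) pair lies entirely inside an ACL entry's (src, dst)."""
    return pair[0].subnet_of(entry[0]) and pair[1].subnet_of(entry[1])

def lint_site_to_site(asa_config, ios_config):
    """Findings for the routing/crypto-map, crypto ACL and NO-NAT checks; empty list = all good."""
    findings = []
    # Only the crypto map bound to an interface is live; any other map name is a stray.
    bound = re.findall(r"^crypto map (\S+) interface \S+", asa_config, re.M)
    for name in sorted(set(re.findall(r"^crypto map (\S+) \d+ ", asa_config, re.M)) - set(bound)):
        findings.append(f"ASA: crypto map '{name}' is configured but not bound to any interface")
    asa_map = re.escape(bound[0])
    acl_name = re.search(rf"^crypto map {asa_map} \d+ match address (\S+)", asa_config, re.M).group(1)
    crypto_pairs = asa_acl(asa_config, acl_name)
    # Crypto ACLs must be exact mirror images.
    ios_acl_no = re.search(r"^ match address (\S+)", ios_config, re.M).group(1)
    ios_pairs = {(s, d) for act, s, d in ios_acl(ios_config, ios_acl_no) if act == "permit"}
    findings += [f"router: ACL {ios_acl_no} has no mirror entry for {s} -> {d}"
                 for s, d in crypto_pairs if (d, s) not in ios_pairs]
    # NO-NAT on the ASA: the nat 0 exemption must cover every crypto pair.
    nat0 = re.search(r"^nat \(inside\) 0 access-list (\S+)", asa_config, re.M)
    nat0_pairs = asa_acl(asa_config, nat0.group(1)) if nat0 else []
    findings += [f"ASA: no NAT exemption for {s} -> {d}"
                 for s, d in crypto_pairs if not any(covers((s, d), e) for e in nat0_pairs)]
    # NO-NAT on the router: the first route-map ACL entry matching VPN traffic must be a deny.
    rm_acl = re.search(r"^ match ip address (\S+)", ios_config, re.M).group(1)
    for s, d in crypto_pairs:
        hit = next((act for act, es, ed in ios_acl(ios_config, rm_acl) if covers((d, s), (es, ed))), None)
        if hit != "deny":
            findings.append(f"router: NAT route-map ACL {rm_acl} does not exempt {d} -> {s}")
    # Routing/peer: the router's crypto map belongs on one interface, and its address is the ASA's peer.
    ios_map = re.search(r"^crypto map (\S+) \d+ ipsec-isakmp", ios_config, re.M).group(1)
    crypto_ifaces = [(iface, re.search(r"^ ip address (\S+)", body, re.M).group(1))
                     for iface, body in re.findall(r"^interface (\S+)\n((?: .*\n)*)", ios_config, re.M)
                     if re.search(rf"^ crypto map {re.escape(ios_map)}$", body, re.M)]
    if len(crypto_ifaces) > 1:
        findings.append(f"router: crypto map '{ios_map}' is bound to {len(crypto_ifaces)} interfaces "
                        f"({', '.join(i for i, _ in crypto_ifaces)})")
    asa_peer = re.search(rf"^crypto map {asa_map} \d+ set peer (\S+)", asa_config, re.M).group(1)
    if asa_peer not in [addr for _, addr in crypto_ifaces]:
        findings.append(f"ASA: peer {asa_peer} is not on a router interface carrying crypto map '{ios_map}'")
    return findings
```

Feed it the running configs of both boxes (with secrets stripped) and re-run after every change; the checks are ordered the way the replies in this thread worked through them, and an empty result is the point at which `show crypto ipsec sa` counters, not config, are the next thing to look at.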

Cisco ASA & Router Site to Site VPN up but not passing traffic

There is a dual static crypto instance; please delete the highlighted line below.

crypto map mal 10 set peer 212.107.106.129

FYI... Your FW is open to anything and everything.

So remove this line as well.

access-list outside_access_in extended permit ip any any

access-group outside_access_in_1 in interface outside

I also hope that you have configured the tunnel-group as well, as I do not see it in the config.

tunnel-group 212.107.106.129 type ipsec-l2l

tunnel-group 212.107.106.129 ipsec-attributes

pre-shared-key your-password-goes-on-whichever-your-password is

Please add these lines on the router.

crypto map mal 10 ipsec-isakmp
set peer 212.71.53.38
set transform-set mal
match address 120
set pfs group2
reverse-route

Let me know.

thanks

Cisco ASA & Router Site to Site VPN up but not passing traffic

Dear Rizwan,

I have removed & applied your configuration but still the same problem; please see the attached PING!!! report.

Cisco ASA & Router Site to Site VPN up but not passing traffic

This is incorrect:

ip route 10.1.1.0 255.255.255.0 212.107.106.130

Also please change this as well on the router.

ip route 10.1.1.0 255.255.255.0 212.71.53.38

I assume "212.71.53.38" is your default-gateway address on the router.

Cisco ASA & Router Site to Site VPN up but not passing traffic

I think the current route is correct:

ip route 10.1.1.0 255.255.255.0 212.107.106.130

Because our remote site router has two outside interfaces

1. 212.107.106.129

2. 172.20.34.53

And static ip route 0.0.0.0 0.0.0.0 172.20.34.53

The firewall has one outside interface

1. 212.71.53.38

Re: Cisco ASA & Router Site to Site VPN up but not passing traffic

Yes you are right.

So please remove the highlighted line from GigabitEthernet0/0

interface GigabitEthernet0/0
 ip address 172.20.34.54 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
 crypto map mal

---------------------------------------------

When done, ping the remote hosts.

Cisco ASA & Router Site to Site VPN up but not passing traffic

You were able to ping?

Cisco ASA & Router Site to Site VPN up but not passing traffic

Please issue this command on the ASA CLI and post the output.

packet-tracer input outside icmp 10.2.2.1 8 0 10.1.1.2

thanks

Cisco ASA & Router Site to Site VPN up but not passing traffic

Dear Rizwan,

Again I would like to thank you for your kind support, but still nothing!

!

Result of the command: "packet-tracer input outside icmp 10.2.2.1 8 0 10.1.1.2"

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.1.1.0        255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
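
Reading a packet-tracer transcript by eye is fine for one run; when you are iterating on ACL and NAT changes it helps to reduce each run to the phase that dropped the packet and the stated reason. The trace above stops at phase 3, ACCESS-LIST, dropped by the implicit rule on the outside interface. The parser below is an added example, not code from this thread or from Cisco: its input is a constructed copy of the output posted above, the function names (parse_packet_tracer, first_drop, explain) are mine, and it returns every phase as a dict plus the trailing Result block, then condenses that into the one line a responder would record.

```python
import re

# Constructed copy of the packet-tracer output posted above.
PACKET_TRACER = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.1.1.0        255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Return (phases, summary): one dict per 'Phase:' block and the key/value pairs of the Result block."""
    phases, summary = [], {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if lines[0].startswith("Phase:"):
            phase = {"phase": int(lines[0].split(":", 1)[1]), "config": [], "info": []}
            section = None  # which free-text list the following lines belong to
            for line in lines[1:]:
                key, sep, val = line.partition(":")
                if key in ("Type", "Subtype", "Result") and sep:
                    phase[key.lower()] = val.strip()
                    section = None
                elif key == "Config" and sep and val == "":
                    section = "config"
                elif key == "Additional Information" and sep:
                    section = "info"
                elif section:
                    phase[section].append(line.strip())
            phases.append(phase)
        elif lines[0].startswith("Result:"):
            for line in lines[1:]:
                key, _, val = line.partition(":")
                summary[key.strip()] = val.strip()
    return phases, summary


def first_drop(phases):
    """The first phase whose Result is DROP, or None when the packet was allowed."""
    return next((p for p in phases if p.get("result") == "DROP"), None)


def explain(text):
    """One-line triage summary: which phase dropped the packet, by what rule, and why."""
    phases, summary = parse_packet_tracer(text)
    drop = first_drop(phases)
    if drop is None:
        return f"allowed through {len(phases)} phases, egress {summary.get('output-interface')}"
    rule = "; ".join(drop["config"]) or "(no config shown)"
    return (f"dropped in phase {drop['phase']} {drop['type']} by {rule}: "
            f"{summary.get('Drop-reason', '')} [{summary.get('input-interface')} -> {summary.get('output-interface')}]")


if __name__ == "__main__":
    print(explain(PACKET_TRACER))
```

A trace that drops at ACCESS-LIST with "Implicit Rule" means no access-group entry on the input interface permitted the flow, which is the question the next reply asks; a trace that drops later, at a NAT or VPN phase, points at the exemption or the crypto ACL instead.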

Cisco ASA & Router Site to Site VPN up but not passing traffic

Dear all,

Again I am looking for your support; please help me on this case.

Cisco ASA & Router Site to Site VPN up but not passing traffic

Do you have an ACL applied on the inside?

Please copy your whole config from both router and ASA, but do not forget to remove usernames and passwords.

thanks
