02-09-2012 03:00 PM - edited 02-21-2020 05:52 PM
We have two Cisco ASA firewalls with a "healthy" site-to-site IPsec VPN between them. Traffic sent over the VPN is not translated, while all other traffic to the internet is translated to a public IP address.
The problem is that while the HQ ASA encrypts and sends traffic correctly to the branch ASA, the branch ASA does not encrypt the responses, nor does it send them over the VPN - it sends the responses to the internet (to an RFC 1918 address).
The configuration looks correct, the VPN is established. Any help or a point in the right direction would be appreciated.
Thank you,
Charles
This is what we see on the branch...
sh crypto ipsec sa
interface: Outside
Crypto map tag: Outside_map, seq num: 12, local addr: x.x.x.210
access-list Outside_12_cryptomap extended permit ip 10.40.14.0 255.255.255.0 192.168.65.0 255.255.255.0
local ident (addr/mask/prot/port): (10.40.14.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.65.0/255.255.255.0/0/0)
current_peer: 98.100.154.83
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: x.x.x.210, remote crypto endpt.:y.y.y.83
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 162FA7F9
current inbound spi : D58FCAAE
inbound esp sas:
spi: 0xD58FCAAE (3582970542)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 86016, crypto-map: Outside_map
sa timing: remaining key lifetime (kB/sec): (3914999/28433)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000000F
outbound esp sas:
spi: 0x162FA7F9 (372221945)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 86016, crypto-map: Outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/28433)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
02-09-2012 03:24 PM
Hello Charles,
Can you check the No_nat configuration for the Branch site and post it if needed?
Regards,
Julio
02-09-2012 06:36 PM
Hi Julio,
Here are the relevant bits of the configuration... thank you for taking a look; this one has me stymied.
Charles
ASA Version 8.2(5)
!
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 11.11.38.210 255.255.255.248
!
interface Ethernet0/1
nameif Inside
security-level 99
ip address 10.40.14.254 255.255.255.0
!
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
domain-name XXXstZZZ
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network XXX-MAIN-NET
description XXX-MAIN addresses/networks permitted access
network-object 192.168.65.0 255.255.255.0
object-group network XXX-MAIN-ST-ZZZ-DESTINATIONS
description devices/addresses/networks that XXX-MAIN can access.
network-object 10.40.14.0 255.255.255.0
object-group service XXX-MAIN-PORTS
description ports and services that XXX-MAIN can access.
service-object ip
service-object icmp
access-list Outside_nat0_outbound extended permit ip 10.40.14.0 255.255.255.0 192.168.65.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.40.14.0 255.255.255.0 192.168.65.0 255.255.255.0
access-list SplitTunnelingLAN standard permit 192.168.65.0 255.255.255.0
access-list XXX-MAIN-OUTSIDE-TO-INSIDE remark Permit XXX-MAIN traffic to (identifies what is to be encrypted)
access-list XXX-MAIN-OUTSIDE-TO-INSIDE extended permit object-group XXX-MAIN-PORTS object-group XXX-MAIN-NET object-group XXX-MAIN-ST-ZZZ-DESTINATIONS
access-list Outside_12_cryptomap extended permit ip 10.40.14.0 255.255.255.0 192.168.65.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu management 1500
mtu Outside 1500
mtu Inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Outside) 0 access-list Outside_nat0_outbound
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 101 0.0.0.0 0.0.0.0
route Outside 0.0.0.0 0.0.0.0 11.11.38.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-HMAC esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 12 match address Outside_12_cryptomap
crypto map Outside_map 12 set peer 12.12.154.83
crypto map Outside_map 12 set transform-set ESP-AES-256-SHA
crypto map Outside_map 12 set nat-t-disable
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 28800
telnet timeout 5
ssh 10.40.14.0 255.255.255.0 Inside
ssh timeout 5
console timeout 0
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy XXX-MAIN-IPSEC-POLICY internal
group-policy XXX-MAIN-IPSEC-POLICY attributes
vpn-filter value XXX-MAIN-OUTSIDE-TO-INSIDE
vpn-tunnel-protocol IPSec
tunnel-group 12.12.154.83 type ipsec-l2l
tunnel-group 12.12.154.83 general-attributes
default-group-policy XXX-MAIN-IPSEC-POLICY
tunnel-group 12.12.154.83 ipsec-attributes
pre-shared-key *****
!
: end
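As an added example (not Cisco's code and not part of either poster's configuration), the script below does offline what the first two stages of a packet-tracer run would check for a reply leaving the branch: whether the flow hits the `nat (Inside) 0` exemption ACL and whether it matches a `crypto map ... match address` entry. The config excerpt is constructed from the lines posted above; only dotted network/mask ACEs are parsed.

```python
"""Offline check of NAT exemption and crypto-map match for an ASA 8.2-style config."""
import ipaddress
import re

# Constructed excerpt modelled on the posted branch config (not the original file).
ASA_CONFIG = """
access-list Inside_nat0_outbound extended permit ip 10.40.14.0 255.255.255.0 192.168.65.0 255.255.255.0
access-list Outside_12_cryptomap extended permit ip 10.40.14.0 255.255.255.0 192.168.65.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 101 0.0.0.0 0.0.0.0
global (Outside) 101 interface
crypto map Outside_map 12 match address Outside_12_cryptomap
"""

# Only the "permit <proto> <src> <mask> <dst> <mask>" ACE form is handled here.
ACE_RE = re.compile(r"^access-list (\S+) extended permit (\S+) (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
CMAP_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")

def parse(config):
    """Collect ACEs per ACL, nat 0 ACL per interface, and crypto map match entries."""
    acls, nat0, crypto = {}, {}, []
    for line in config.strip().splitlines():
        line = line.strip()
        if m := ACE_RE.match(line):
            name, _proto, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
        elif m := CMAP_RE.match(line):
            crypto.append((m.group(1), int(m.group(2)), m.group(3)))
    return acls, nat0, crypto

def acl_matches(acls, name, src, dst):
    """True if any ACE of the named ACL covers the src/dst pair."""
    return any(src in s and dst in d for s, d in acls.get(name, []))

def trace(config, ingress_if, src, dst):
    """Return (nat_exempt, crypto_map_entry) for a flow entering on ingress_if.
    A flow that should ride the tunnel must yield (True, "<map> <seq>")."""
    acls, nat0, crypto = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    exempt = acl_matches(acls, nat0.get(ingress_if, ""), src, dst)
    # Crypto map entries are evaluated in ascending sequence order, first match wins.
    entry = next((f"{name} {seq}" for name, seq, acl in sorted(crypto, key=lambda c: c[1])
                  if acl_matches(acls, acl, src, dst)), None)
    return exempt, entry

if __name__ == "__main__":
    print(trace(ASA_CONFIG, "Inside", "10.40.14.3", "192.168.65.8"))  # (True, 'Outside_map 12')
    print(trace(ASA_CONFIG, "Inside", "10.40.14.3", "203.0.113.9"))   # (False, None)
```

A flow that returns `(False, ...)` would be translated by the `nat (Inside) 101` rule and so never match the crypto ACL, which is the symptom the thread describes.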
02-09-2012 09:51 PM
Hello,
Hmm, please provide the following:
packet-tracer input inside tcp 10.40.14.3 1025 192.168.65.8 80
Regards,
Julio