Solved: Site to Site VPN only passing traffic in one direction

mikkel003 · ‎04-14-2014

Hi Guys

I have a little problem I hope you can help me with.

I have a site to site LAN VPN connection up and running between a Cisco ASA 5512X and a Cisco 881 router running Zone Based Firewall. The tunnel comes up OK.

From the router:

MAGURELE-R#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
89.45.179.202 89.249.1.238 QM_IDLE 2098 ACTIVE

IPv6 Crypto ISAKMP SA

MAGURELE-R#

MAGURELE-R#sh crypto ipsec sa

interface: FastEthernet4
Crypto map tag: outside_map, local addr 89.45.179.202

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.201.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.2.0.0/255.255.255.0/0/0)
current_peer 89.249.1.238 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 15841, #pkts decrypt: 15841, #pkts verify: 15841
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 89.45.179.202, remote crypto endpt.: 89.249.1.238
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x6B607F06(1801486086)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x53D22529(1406281001)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 9, flow_id: Onboard VPN:9, sibling_flags 80000040, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4284358/2828)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x6B607F06(1801486086)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 10, flow_id: Onboard VPN:10, sibling_flags 80000040, crypto map : outside_map
sa timing: remaining key lifetime (k/sec): (4284359/2828)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:
MAGURELE-R#

I am sure the VPN settings is the same in both ends. But only traffic from the ASA side is passed.

I can see the traffic is comming trough from the ASA side on the router:

MAGURELE-R#sh log | i 10.2.0.254
*Apr 14 11:43:25.785: %SEC-6-IPACCESSLOGDP: list customer_access permitted icmp 10.2.0.254 -> 192.168.201.1 (0/0), 1 packet
*Apr 14 11:48:52.025: %SEC-6-IPACCESSLOGDP: list customer_access permitted icmp 10.2.0.254 -> 192.168.201.1 (0/0), 3 packets
*Apr 14 11:58:52.025: %SEC-6-IPACCESSLOGDP: list customer_access permitted icmp 10.2.0.254 -> 192.168.201.1 (0/0), 3 packets
MAGURELE-R#

But never no retur traffic.

Router IOS is: Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.2(4)M2, RELEASE SOFTWARE (fc2)

I am kind of lost here. What might the problem be?

Regards

Mikkel

Rudy Sanjoko · ‎04-14-2014

Had a quick look on your config. It seems that all traffics are being natted, I believe this is why the return traffic are not working/can't reach back to the ASA. You need to make sure traffics from 192.168.201.0/24 destined to 10.2.0.0/24 are not being natted by the router.

Change your ACL#199 to the following:

access-list 199 deny ip 192.168.201.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 199 permit ip any any

HTH,

View solution in original post

Marvin Rhoads · ‎04-14-2014

The key bits of your configuration for the VPN are:

ip access-list extended customer
 permit ip 192.168.201.0 0.0.0.255 10.2.0.0 0.0.0.255
ip access-list extended customer_access
 permit ip any any log

crypto map outside_map 10 ipsec-isakmp
 set peer 89.249.1.238
 set ip access-group customer_access in
 set transform-set SCADA
 match address customer

We see from the output you provided that the Phase 2 SA is established as desired but only decaps (incoming traffic) are observed - no encaps (outgoing traffic).

I may have missed it in your config file but I don't see a NAT exemption for the return traffic. Your NAT setup uses:

ip nat inside source list 199 interface FastEthernet4 overload

access-list 199 permit ip any any

We would typically look for something like:

ip nat inside source route-map nonat interface FastEthernet0 overload

route-map nonat permit 10
 match ip address customer_access

...followed by the other NAT you have.

mikkel003 · ‎04-14-2014

Hi Marvin

Thanks for the reply. I have tried to do the suggested. But with no luck:

MAGURELE-R# sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
89.45.179.202 89.249.1.238 QM_IDLE 2102 ACTIVE

IPv6 Crypto ISAKMP SA

MAGURELE-R#

MAGURELE-R# sh crypto ipsec sa

interface: FastEthernet4
Crypto map tag: outside_map, local addr 89.45.179.202

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.201.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.2.0.0/255.255.255.0/0/0)
current_peer 89.249.1.238 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 15874, #pkts decrypt: 15874, #pkts verify: 15874
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 89.45.179.202, remote crypto endpt.: 89.249.1.238
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0xA3ED461E(2750236190)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xEC584333(3965207347)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 13, flow_id: Onboard VPN:13, sibling_flags 80000040, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4359504/3237)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xA3ED461E(2750236190)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 14, flow_id: Onboard VPN:14, sibling_flags 80000040, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4359505/3237)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:
MAGURELE-R#

MAGURELE-R#sh ip nat tra | i 10.2.0.254
icmp 89.45.179.202:67 192.168.201.240:67 10.2.0.254:67 10.2.0.254:67
tcp 89.45.179.202:3389 192.168.201.240:3389 10.2.0.254:62719 10.2.0.254:62719
MAGURELE-R#

It seems like the NAT is OK.

But still no encaps.

Any other suggestion?

Regards

Mikkel

Rudy Sanjoko · ‎04-14-2014

Had a quick look on your config. It seems that all traffics are being natted, I believe this is why the return traffic are not working/can't reach back to the ASA. You need to make sure traffics from 192.168.201.0/24 destined to 10.2.0.0/24 are not being natted by the router.

Change your ACL#199 to the following:

access-list 199 deny ip 192.168.201.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 199 permit ip any any

HTH,

mikkel003 · ‎04-14-2014

Hi Rudy

Thanks for the reply. That was it.

Regards

Mikkel