Trouble passing traffic between sites using an ASA VPN solution
I am currently experiencing trouble with VPN traffic between two sites which has me at a loss. I'm sure it is something simple, but I cannot pinpoint it.
I have an ASA 5510 (running 9.0.3) that I am connecting to from an 819 router using NEM. The tunnel establishes and from anywhere on the inside networks I can access all of the remote site networks; however, from the remote networks I can only access as far as the inside interface of the ASA, not even another device on the same subnet as the inside interface. I have checked the traffic for the SA and when pinging from the remote site I can see traffic from the remote network coming into the ASA, but no response. When pinging from behind the ASA I can see bi-directional traffic. I cannot see anything in the logs to indicate that the traffic is being dropped, the routing looks good and the crypto maps should work, so I'm at a bit of a loss...
On my older ASA (running 8.2.1) that has a similar config I have numerous remote sites connected via the same methodology. When the 819 I'm using to test the new ASA is pointed to the old ASA it all works fine.
You can initiate traffic from the remote side and apply "cap asp type asp-drop all" captures. Just check if you see the packets getting dropped on the ASA using "show cap asp | in <ip_address>". This will show you if the packets are getting dropped on the ASA.
Secondly, you can run "show asp drop" every second (while running continuous traffic from the remote side) to check which section is showing an increase in count (e.g. flow denied by any rule, or TCP packets not in order) and then proceed accordingly.
Using the "show asp drop" command on the ASA I can see that "NAT failed" is incrementing when I ping across. I've had a look, but it looks ok to me. This is my first attempt on a post 8.3 version though, so I'm obviously doing it wrong.
It looks like I might have it resolved. I had the VPN NAT exemption statement after the dynamic web one in the config, therefore the return traffic was not being exempted. I have changed the order and it all looks like it's working.
Thanks for your assistance and pointing me in the right direction.
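As an added illustration of the fix this thread converged on (this is not the poster's configuration; the subnets, object names and interface names are constructed), the rule order that leaves VPN return traffic subject to dynamic PAT is shown next to the corrected order, followed by the checks used to confirm it on an 8.3+ ASA.

```cisco
! Constructed addressing (assumed, not from the thread):
!   HQ inside subnet  192.168.10.0/24  (behind the ASA)
!   remote subnet     192.168.20.0/24  (behind the 819)
object network LAN_HQ
 subnet 192.168.10.0 255.255.255.0
object network LAN_REMOTE
 subnet 192.168.20.0 255.255.255.0

! --- Order that produces "NAT failed" drops for VPN return traffic ---
! Manual (section 1) NAT rules are matched top-down, first match wins.
! With the catch-all PAT first, the HQ-to-remote reply direction matches
! the PAT rule before it ever reaches the exemption, so the flow fails
! NAT and "show asp drop" counts it under "NAT failed".
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static LAN_HQ LAN_HQ destination static LAN_REMOTE LAN_REMOTE no-proxy-arp route-lookup

! --- Corrected order: exemption first, general PAT last ---
no nat (inside,outside) source dynamic any interface
no nat (inside,outside) source static LAN_HQ LAN_HQ destination static LAN_REMOTE LAN_REMOTE no-proxy-arp route-lookup
! "1" inserts the identity (exemption) rule at the top of section 1.
nat (inside,outside) 1 source static LAN_HQ LAN_HQ destination static LAN_REMOTE LAN_REMOTE no-proxy-arp route-lookup
! "after-auto" places the catch-all PAT in section 3, below every object NAT.
nat (inside,outside) after-auto source dynamic any interface

! --- Checks ---
! Confirm the exemption is listed before the PAT rule and its hit count rises:
show nat detail
! Simulate a remote-to-HQ ping; the NAT phase should show the identity
! rule being applied and the final result ALLOW, not a NAT drop:
packet-tracer input outside icmp 192.168.20.50 8 0 192.168.10.50
! Watch the counter the thread used while pinging from the remote site:
show asp drop | include NAT
```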