VPN tunnel went down after upgrading intermediate ASA to 8.4
I have a site-to-site VPN tunnel configured between 2 ASAs. The tunnelled traffic passes through my internet firewall. Recently I upgraded my internet firewall to 8.4 while my VPN ASAs run the 8.2 image.
After upgrading my internet firewall to 8.4, the VPN tunnel went down. I can see encrypted packets increasing on the VPN box behind my internet ASA but don't see any decrypted packets. Nor can I see hits on the internet firewall.
Is there something I have to look at in the 8.4 configuration on my internet firewall?
In case you use NAT for your internal VPN box and upgraded your internet ASA from a pre-8.3 version to 8.4, check the following document: http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/upgrading/migrating.html
Basically you should change your inbound ACL rule to allow VPN traffic towards the internal IP address of the VPN box and make a NAT rule with source external public IP to inside internal IP.
There are notable changes in ACL and NAT syntax in the new 8.3+ version of ASA. If you have NAT or NAT exemption, you need to modify that accordingly. Also, your ACL should reflect the real IPs of the segment rather than mapping the NATed IP in ACLs. So all these things you need to take care of.
Earlier, in version 8.2, for your inbound ACL, which is applied on the outside interface, you could have mentioned a rule like this:
access-list inbound permit ip host 126.96.36.199 host 188.8.131.52
(where 184.108.40.206 is the source from outside and 220.127.116.11 is the NATed IP address of the segment, which has a private IP segment as its real IP, say 10.1.1.1)
Your new version 8.3+ should have:
access-list inbound permit ip host 18.104.22.168 host 10.1.1.1
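To tie the two answers above together, here is an added configuration example (not from either poster, and not Cisco documentation) showing the 8.2-style static NAT plus ACL on the mapped address next to its 8.3+ equivalent, where the NAT becomes an object NAT and the ACL matches the real inside address. All addresses are constructed placeholders: 198.51.100.5 stands for the peer VPN ASA on the internet, 203.0.113.10 for the public address the internet firewall presents for the internal VPN box, and 10.1.1.1 for that box's real inside address. The rules only open IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50), which is all a site-to-site IPsec tunnel needs to pass through an intermediate firewall.

```cisco
! ---------- ASA 8.2 (pre-8.3): ACL matches the NATed / mapped address ----------
static (inside,outside) 203.0.113.10 10.1.1.1 netmask 255.255.255.255
access-list inbound extended permit udp host 198.51.100.5 host 203.0.113.10 eq isakmp
access-list inbound extended permit udp host 198.51.100.5 host 203.0.113.10 eq 4500
access-list inbound extended permit esp host 198.51.100.5 host 203.0.113.10
access-group inbound in interface outside

! ---------- ASA 8.3+ / 8.4: object NAT, ACL matches the REAL inside address ----------
! Constructed object name; any name works.
object network VPN-ASA-INSIDE
 host 10.1.1.1
 nat (inside,outside) static 203.0.113.10
! Same three permits, but the destination is now 10.1.1.1, not 203.0.113.10.
! Leaving 203.0.113.10 here is exactly what makes the tunnel stop after the upgrade:
! the ACL is evaluated after un-NAT, so the old rule never matches and shows no hits.
access-list inbound extended permit udp host 198.51.100.5 host 10.1.1.1 eq isakmp
access-list inbound extended permit udp host 198.51.100.5 host 10.1.1.1 eq 4500
access-list inbound extended permit esp host 198.51.100.5 host 10.1.1.1
access-group inbound in interface outside

! ---------- Verification on the 8.4 internet firewall ----------
! packet-tracer takes the packet as it arrives on the wire, i.e. with the PUBLIC destination;
! the output should show the UN-NAT phase and then an ACCESS-LIST phase that ALLOWs.
packet-tracer input outside udp 198.51.100.5 500 203.0.113.10 500
show nat detail
show access-list inbound
```

If `packet-tracer` reports a DROP in the ACCESS-LIST phase while `show nat detail` shows the static translation, the ACL is still written against the mapped address and needs the real-IP rewrite shown in the 8.3+ block; if the VPN peers negotiate NAT-T, only UDP 4500 carries the data after IKE, so the `eq 4500` line must be present as well as the ESP line.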