I'm having difficulties getting the following setup to work. I could do with a second opinion; I'd really appreciate it if someone could review my setup and let me know if I'm missing something obvious.
High level overview (corresponds to uploaded sanitised running configuration):
- Cisco ASA 5520 running 8.4(2) (in HA pair)
- Outside Interface: a.a.a.a (the VPN interface)
- Customer's VPN peer: c.c.c.c
- Packet Source: object-group network int_Customer1Access (a group of internal clients, e.g. object network int_APPa1 172.16.20.114)
- Packet Destination: object network cst_Customer1APIServer-Backup (the server at the far end of the VPN tunnel, 10.9.4.117)
- Traffic Type: tcp/3389,tcp/8080 (but for now, set to all 'ip' for troubleshooting purposes)
Now, I have a Dynamic NAT rule in place to NAT the source address, e.g. 172.16.20.114, behind the ASA's outside interface c.c.c.c, before sending the traffic down the tunnel. The tunnel has been established; however, I can't seem to get the ASA to actually route traffic down that tunnel. The IPsec Site-to-Site "Bytes TX" counter always reads 0 after pings and repeated failed connection attempts to tcp/8080 or tcp/3389.
I've noticed some strange behaviour in Packet Tracer, if the tunnel has not yet been established...
If the tunnel is not yet up, the phases read ROUTE-LOOKUP, ROUTE-LOOKUP, ACCESS-LIST, IP-OPTIONS, FOVER, NAT, VPN (drop), RESULT
Run the trace a second time, the tunnel having established itself from the previous run, and the phases read:
ROUTE-LOOKUP, ROUTE-LOOKUP, ACCESS-LIST, IP-OPTIONS, FOVER, NAT, ACCESS-LIST (drop), RESULT
As you can see, the VPN phase is replaced with the ACCESS-LIST phase. Either way, it always ends in a drop!
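For reference, here is an added configuration fragment (not the poster's sanitised running configuration) showing how a dynamic PAT rule and the crypto ACL are normally aligned on ASA 8.3 and later, where NAT is applied before the crypto map is evaluated (the NAT phase precedes the VPN phase in the trace above), so the crypto ACL has to match the translated source address rather than the original 172.16.20.x hosts. The object names, the outside address a.a.a.a, the peer c.c.c.c and the server 10.9.4.117 are taken from the post; the ACL name VPN_Customer1, the crypto map name outside_map and the transform-set name ESP-AES-256-SHA are assumed and would need to match the real configuration.

```cisco
! Added example, not the original running configuration.
! Assumed names: VPN_Customer1, outside_map, ESP-AES-256-SHA.
object network cst_Customer1APIServer-Backup
 host 10.9.4.117

! Twice NAT (8.3+ syntax): dynamic PAT of the internal clients behind the
! outside interface, only when the destination is the customer's server.
! The destination is kept unchanged (static to itself).
nat (inside,outside) source dynamic int_Customer1Access interface destination static cst_Customer1APIServer-Backup cst_Customer1APIServer-Backup

! Crypto ACL is matched against post-NAT addresses on 8.3+, so the source is
! the outside interface address a.a.a.a, not the 172.16.20.x originals.
! Restrict to the required ports once the tunnel passes traffic.
access-list VPN_Customer1 extended permit ip host a.a.a.a object cst_Customer1APIServer-Backup

! Crypto map entry for the customer peer (IKEv1, 8.4 syntax).
crypto map outside_map 10 match address VPN_Customer1
crypto map outside_map 10 set peer c.c.c.c
crypto map outside_map 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
```

The far-end peer must mirror this: its crypto ACL needs to permit 10.9.4.117 to the single translated address a.a.a.a, not to the 172.16.20.0 range. To check the result, re-run `packet-tracer input inside tcp 172.16.20.114 12345 10.9.4.117 8080` and confirm that the NAT phase shows the source translated to a.a.a.a and the VPN phase is allowed, then watch `show crypto ipsec sa peer c.c.c.c` for non-zero encaps counters.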
This is actually a pretty cool feature. I didn't even know it existed until I was looking for a solution to advertise a subnet (prefix, in BGP talk) only if a certain condition existed. This is exactly what conditional advertisement does.
I have a question. I bought a Cisco 887VA-k9 router and configured it with the configuration below.
If I connect it directly to my laptop on one of its ports, it works and everything is fine (the internet connection + m...
The attached policy provides CLI access to the Cisco 4G router over text messaging. Two files are in the attached .tar file:
2. PDF with instructions on how to load and use the .tcl file.