https://community.cisco.com/t5/network-security/asa-is-not-encapsulating-from-ipsec/m-p/4592772#M1089239 <P>Can we see asa config?</P> Thu, 14 Apr 2022 17:18:27 GMT MHM Cisco World 2022-04-14T17:18:27Z https://community.cisco.com/t5/network-security/asa-is-not-encapsulating-from-ipsec/m-p/4592760#M1089237 <P>I have a tunnel (ASA &lt;&gt; Meraki) tunnel is up and I can verify both ends.<BR /><BR />Problem is that, IPSEC from ASA can't encapsulate any packets but can decapsulate.</P> Thu, 14 Apr 2022 17:05:04 GMT https://community.cisco.com/t5/network-security/asa-is-not-encapsulating-from-ipsec/m-p/4592760#M1089237 baroncse 2022-04-14T17:05:04Z https://community.cisco.com/t5/network-security/asa-is-not-encapsulating-from-ipsec/m-p/4592763#M1089238 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1254272">@baroncse</a> so it's probably a NAT or routing issue on the ASA. Do you have a NAT exemption rule on the ASA to ensure traffic between your local network to the remote network(s) is not unintentially translated?</P> <P>&nbsp;</P> <P>Example:</P> <P>&nbsp;</P> <PRE>object network LOCAL<BR />&nbsp;subnet 192.168.10.0 255.255.255.0<BR />object network REMOTE<BR />&nbsp;subnet 192.168.20.0 255.255.255.0<BR />nat (INSIDE,OUTSIDE) source static LOCAL LOCAL destination static REMOTE REMOTE no-proxy-arp </PRE> <P>&nbsp;</P> Thu, 14 Apr 2022 17:08:52 GMT https://community.cisco.com/t5/network-security/asa-is-not-encapsulating-from-ipsec/m-p/4592763#M1089238 Rob Ingram 2022-04-14T17:08:52Z https://community.cisco.com/t5/network-security/asa-is-not-encapsulating-from-ipsec/m-p/4592772#M1089239 <P>Can we see asa config?</P> Thu, 14 Apr 2022 17:18:27 GMT https://community.cisco.com/t5/network-security/asa-is-not-encapsulating-from-ipsec/m-p/4592772#M1089239 MHM Cisco World 2022-04-14T17:18:27Z https://community.cisco.com/t5/network-security/asa-is-not-encapsulating-from-ipsec/m-p/4592834#M1089243 <P>I do have this. This ASA is on default so far, I only have 2 NAT, 1 for Anyconnect and this Tunnel.<BR /><BR /></P><P>object network LOCAL<BR />subnet 10.10.10.0 255.255.255.0<BR />object-group network REMOTE<BR />network-object 10.17.2.0 255.255.255.0<BR />network-object 10.17.1.0 255.255.255.0<BR /><BR />access-list acl_cryptomap extended permit ip object LOCAL object-group REMOTE</P><P>nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE no-proxy-arp route-lookup</P><P>crypto ikev1 policy 10<BR />authentication pre-share<BR />encryption aes-256<BR />hash sha<BR />group 2<BR />lifetime 86400</P><P>tunnel-group 1.1.1.1 type ipsec-l2l<BR />tunnel-group 1.1.1.1 ipsec-attributes<BR />ikev1 pre-shared-key ********</P><P><BR />crypto ipsec ikev1 transform-set ESP-AES-256-SHA_REMOTE esp-aes-256 esp-sha-hmac</P><P>crypto map outside_map 50 match address acl_cryptomap<BR />crypto map outside_map 50 set peer 1.1.1.1<BR />crypto map outside_map 50 set ikev1 transform-set ESP-AES-256-SHA_REMOTE<BR />crypto map outside_map 50 set security-association lifetime kilobytes unlimited</P> Thu, 14 Apr 2022 18:47:33 GMT https://community.cisco.com/t5/network-security/asa-is-not-encapsulating-from-ipsec/m-p/4592834#M1089243 baroncse 2022-04-14T18:47:33Z https://community.cisco.com/t5/network-security/asa-is-not-encapsulating-from-ipsec/m-p/4592838#M1089244 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1254272">@baroncse</a> is traffic routed to the ASA and out the via the outside interface?</P> <P>&nbsp;</P> <P>Run packet-tracer twice and provide the output of the second, example:</P> <P>&nbsp;</P> <PRE>packet-tracer input inside tcp 10.10.10.5 3000 10.10.17.5 80</PRE> <P>Provide the output of "show nat detail" and "show crypto ipsec sa" </P> Thu, 14 Apr 2022 18:51:52 GMT https://community.cisco.com/t5/network-security/asa-is-not-encapsulating-from-ipsec/m-p/4592838#M1089244 Rob Ingram 2022-04-14T18:51:52Z https://community.cisco.com/t5/network-security/asa-is-not-encapsulating-from-ipsec/m-p/4592848#M1089246 <P>Weird when I sent this:</P><PRE>packet-tracer input inside tcp 10.10.10.5 3000 10.10.17.5 80</PRE><P>Packets got encapsulated and I can ping from local to remote now.<BR /><BR /><BR />pcap second:</P><P>Phase: 1<BR />Type: FLOW-LOOKUP<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Found flow with id 3857, using existing flow</P><P>Result:<BR />input-interface: inside<BR />input-status: up<BR />input-line-status: up<BR />Action: allow<BR /><BR /><BR /><BR />sh nat det:<BR /><BR /></P><P>1 (inside) to (outside) source static LOCAL LOCAL destination static Anyconnect_Users Anyconnect_Users no-proxy-arp route-lookup<BR />translate_hits = 0, untranslate_hits = 0<BR />Source - Origin: 10.10.10.0/24, Translated: 10.10.10.0/24<BR />Destination - Origin: 172.0.0.0/24, Translated: 172.0.0.0/24<BR /><BR />2 (inside) to (outside) source static LOCAL LOCAL destination static REMOTE REMOTE no-proxy-arp route-lookup<BR />translate_hits = 203, untranslate_hits = 206<BR />Source - Origin: 10.10.10.0/24, Translated: 10.10.10.0/24<BR />Destination - Origin: 10.17.2.0/24, 10.17.1.0/24, Translated: 10.17.2.0/24, 10.17.1.0/24<BR /><BR /></P><P>Auto NAT Policies (Section 2)<BR />1 (inside) to (outside) source dynamic inside-nat interface<BR />translate_hits = 2778, untranslate_hits = 19<BR />Source - Origin: 10.10.10.0/24, Translated: ********** (outside int ip)<BR /><BR />2 (outside) to (outside) source dynamic Anyconnect-NAT interface<BR />translate_hits = 0, untranslate_hits = 0<BR />Source - Origin: 172.0.0.0/24, Translated: ************ (outside int ip)<BR /><BR /></P><P><BR /><BR /><BR /><BR /></P> Thu, 14 Apr 2022 19:00:53 GMT https://community.cisco.com/t5/network-security/asa-is-not-encapsulating-from-ipsec/m-p/4592848#M1089246 baroncse 2022-04-14T19:00:53Z https://community.cisco.com/t5/network-security/asa-is-not-encapsulating-from-ipsec/m-p/4592852#M1089247 <P>from LOCAL device connected to ASA I can ping and RDP but from REMOTE device end I can't ping ASA and the device. Looks like one way comms.</P> Thu, 14 Apr 2022 19:11:17 GMT https://community.cisco.com/t5/network-security/asa-is-not-encapsulating-from-ipsec/m-p/4592852#M1089247 baroncse 2022-04-14T19:11:17Z https://community.cisco.com/t5/network-security/asa-is-not-encapsulating-from-ipsec/m-p/4592912#M1089249 <P><SPAN>object-group network <STRONG>REMOTE</STRONG></SPAN><BR /><SPAN>network-object <FONT color="#FF0000"><U>10.17.2.0</U></FONT> 255.255.255.0</SPAN><BR /><SPAN>network-object <U><FONT color="#FF0000">10.17.1.0</FONT></U> 255.255.255.0</SPAN></P><P>&nbsp;</P><PRE>packet-tracer input inside tcp 10.10.10.5 3000 <U><FONT color="#FF0000">10.10.17.5</FONT></U> 80</PRE><P><BR />just note:- packet-tracer destination is different than ACL and NAT?<BR /><BR />are you sure the traffic is pass ?</P><P>&nbsp;</P> Thu, 14 Apr 2022 21:52:12 GMT https://community.cisco.com/t5/network-security/asa-is-not-encapsulating-from-ipsec/m-p/4592912#M1089249 MHM Cisco World 2022-04-14T21:52:12Z https://community.cisco.com/t5/network-security/asa-is-not-encapsulating-from-ipsec/m-p/4593548#M1089266 <P>he provided this one&nbsp;</P><PRE>packet-tracer input inside tcp 10.10.10.5 3000 <U><FONT color="#FF0000">10.10.17.5</FONT></U> 80</PRE><P>but I used this one</P><PRE>packet-tracer input inside tcp 10.10.10.10 3000 <U><FONT color="#FF0000">10.17.1.5</FONT></U> 80</PRE><P>&nbsp;All set now.&nbsp;</P> Fri, 15 Apr 2022 14:02:14 GMT https://community.cisco.com/t5/network-security/asa-is-not-encapsulating-from-ipsec/m-p/4593548#M1089266 baroncse 2022-04-15T14:02:14Z