L2L VPN Traffic

jack samuel
Level 1

Dears,

My users from the core are able to access the server which is on the L2L VPN connection, but users accessing from MPLS are not able to access it.

  • Firewall A has a public IP from a /29 which is NATed to the firewall's outside interface private IP.
  • Users from inside are able to access the L2L VPN remote server, but the users accessing from MPLS cannot.
  • I can see the traffic passing from firewall A, but I can't see the return traffic from the VPN for the inside users as well as the MPLS users.

How can I verify whether or not I am receiving the return traffic from the server for my MPLS users?

3 Replies

Francesco Molino
VIP Alumni

Hi,

There are multiple ways.

If you manage all firewalls (both ends) then you can use packet-tracer, look at the asp vpn table and crypto IPsec to validate that traffic on both ASAs is taking the VPN tunnel (on Firewall A to see that from Firewall A the traffic is routed through the L2L tunnel, and on the other end that the reply to MPLS is also going through the L2L). Here is a document I made to help you with the commands: https://supportforums.cisco.com/document/13299206/asa-how-troubleshoot-vpn-l2l-ensure-traffic-passing-through-vpn

On your ASAs, does your ACL have multiple ACEs (lines: 1 for the inside subnet and 1 for the MPLS subnets)? If yes, by issuing show crypto ipsec sa peer x.x.x.x you can see if you have encaps/decaps traffic for all ACEs. This will confirm that you have bi-directional communication.

If you suspect some drops, you have the logs, debugs and also the asp drop table.

You can also create a packet capture on the ASA (Wireshark) to see if traffic is flowing both ways.

The issue could be rules (if sysopt connection permit-vpn isn't issued), NAT, ...

Maybe, if you share your config (removing confidential data), we can help you figure it out.

Thanks
Francesco

PS: Please don't forget to rate and mark as correct answer if this answered your question
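The reply above suggests reading the encaps/decaps counters from show crypto ipsec sa peer x.x.x.x to confirm that traffic is going both ways. The script below is an added example, not from the original thread or from Cisco: it parses a constructed, trimmed sample of that output (addresses and counter values are invented, and real output contains more lines than shown), reports the encaps/decaps status per IPsec SA, and diffs two snapshots. The diff matters because the counters are cumulative: take one snapshot, generate traffic from a single MPLS host while the inside users are quiet, take a second snapshot, and only the traffic sent in between shows up in the delta. It also goes slightly beyond the single-ACE case in the thread by handling several SAs in one output, one per proxy identity (one per ACE).

```python
import re

# Constructed sample of "show crypto ipsec sa peer 203.0.113.10" output, trimmed to the
# lines this script reads. Peer, local addresses and all counters are invented.
SAMPLE_BEFORE = """\
peer address: 203.0.113.10
    Crypto map tag: VPN-TUNNEL, seq num: 20, local addr: 198.51.100.2

      access-list VPN extended permit ip 172.16.4.0 255.255.255.0 10.10.30.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.4.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.30.0/255.255.255.0/0/0)
      current_peer: 203.0.113.10

      #pkts encaps: 1530, #pkts encrypt: 1530, #pkts digest: 1530
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0

      access-list VPN extended permit ip 10.20.0.0 255.255.0.0 10.10.30.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.30.0/255.255.255.0/0/0)
      current_peer: 203.0.113.10

      #pkts encaps: 410, #pkts encrypt: 410, #pkts digest: 410
      #pkts decaps: 398, #pkts decrypt: 398, #pkts verify: 398
      #send errors: 0, #recv errors: 0
"""

# Second constructed snapshot: 50 more packets encapsulated on the first SA with still
# nothing decapsulated, 20 packets each way on the second SA.
SAMPLE_AFTER = (SAMPLE_BEFORE
                .replace("#pkts encaps: 1530", "#pkts encaps: 1580")
                .replace("#pkts encaps: 410", "#pkts encaps: 430")
                .replace("#pkts decaps: 398", "#pkts decaps: 418"))

LOCAL_RE = re.compile(r"local ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
REMOTE_RE = re.compile(r"remote ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")
ERRORS_RE = re.compile(r"#send errors: (\d+), #recv errors: (\d+)")


def parse_ipsec_sa(text):
    """Return one record per proxy identity (local/remote ident pair, i.e. per ACE)."""
    sas, cur = [], None
    for line in text.splitlines():
        if (m := LOCAL_RE.search(line)):
            cur = {"local": f"{m.group(1)}/{m.group(2)}", "remote": "?",
                   "encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0}
            sas.append(cur)
        elif cur is None:
            continue  # header lines before the first identity
        elif (m := REMOTE_RE.search(line)):
            cur["remote"] = f"{m.group(1)}/{m.group(2)}"
        elif (m := ENCAPS_RE.search(line)):
            cur["encaps"] = int(m.group(1))
        elif (m := DECAPS_RE.search(line)):
            cur["decaps"] = int(m.group(1))
        elif (m := ERRORS_RE.search(line)):
            cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
    return sas


def classify(encaps, decaps):
    """encaps = packets this ASA sent into the tunnel; decaps = packets it received back."""
    if encaps == 0 and decaps == 0:
        return "no traffic"
    if decaps == 0:
        return "one-way: sent into tunnel, nothing decrypted back"
    if encaps == 0:
        return "one-way: received from tunnel, nothing sent"
    return "bidirectional"


def report(text):
    """Per-SA status for a single snapshot (counters since the SA was built)."""
    return [dict(sa, status=classify(sa["encaps"], sa["decaps"])) for sa in parse_ipsec_sa(text)]


def delta(before, after):
    """Per-SA status for only the traffic generated between two snapshots."""
    index = {(sa["local"], sa["remote"]): sa for sa in before}
    out = []
    for sa in after:
        prev = index.get((sa["local"], sa["remote"]), {"encaps": 0, "decaps": 0})
        enc, dec = sa["encaps"] - prev["encaps"], sa["decaps"] - prev["decaps"]
        out.append({"local": sa["local"], "remote": sa["remote"],
                    "encaps": enc, "decaps": dec, "status": classify(enc, dec)})
    return out


if __name__ == "__main__":
    for sa in delta(parse_ipsec_sa(SAMPLE_BEFORE), parse_ipsec_sa(SAMPLE_AFTER)):
        print(f"{sa['local']} -> {sa['remote']}: +{sa['encaps']} encaps, "
              f"+{sa['decaps']} decaps, {sa['status']}")
```

With a single ACE and all users NATed to one address, as in the poster's configuration, every user shares one SA, so the per-SA counters cannot separate MPLS traffic from inside traffic; only the snapshot diff taken while one known host generates traffic does that. A growing encaps count with decaps stuck at zero points at the remote side (or its NAT/routing back to 172.16.4.0/24), not at this ASA's encryption.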

Dear Francesco,

Please find the attached topology.

On your ASAs, does your acl have multiple ace (lines: 1 for inside subnet and 1 for mpls subnets)? If yes, by issuing show crypto ipsec sa peer x.x.x.x you can see if you have encaps/decaps traffic for all ace. This will confirm that you have bi-directional communication.

If you suspect some drops, you have the logs, debugs and also the asp drop table.

You can also create a packet capture on ASA (wireshark) to see if traffic is flooding on both ways.

The ACL contains only 1 line.

How will I know from the encrypted packets whom this traffic belongs to, i.e. whether it belongs to MPLS or internal users?

If I start a packet capture on the ASA inside interface for the return traffic from the server to the MPLS users, will I be able to see the traffic?

I will elaborate more on my configs:

  1. Users from inside and MPLS are dynamically NATed on firewall A to IP address 172.16.10.7.
  2. When the ASA-VPN firewall receives the traffic from IP address 172.16.10.7 it dynamically NATs it to 172.16.4.7 with the commands below, which shows that all inside and MPLS users will be NATed to IP 172.16.4.7.
  3. For the VPN interesting traffic we have the access-list below, which allows the whole 172.16.4.0 subnet.

access-list VPN extended permit ip 172.16.4.0 255.255.255.0 10.10.30.0 255.255.255.0

object network obj-172.16.10.7
 host 172.16.10.7

object network obj-172.16.10.7
 nat (inside,outside) dynamic 172.16.4.7

crypto map VPN-TUNNEL 20 match address VPN
crypto map VPN-TUNNEL 20 set peer XX.XX.XX.XX
crypto map VPN-TUNNEL 20 set ikev1 transform-set crypto
crypto map VPN-TUNNEL 20 set security-association lifetime seconds 864000
crypto map VPN-TUNNEL 20 set reverse-route

Hi,

I'm sorry, but I don't understand your design.

Let me recap:

The ASA VPN is the one mounting an L2L VPN with another end ASA, right?

The ASA VPN is doing a NAT of an MPLS host when reaching the outside interface? Do you see your NAT created on the ASA?

If you share your configs it will be easier.

Anyway, if you capture on the inside you'll be able to see the encrypted traffic.

You can also test your flow by using packet-tracer with the detail keyword to see all the information. This will show you the packet when it arrives at the ASA, is NATed and is forwarded to the VPN.

Thanks
Francesco

PS: Please don't forget to rate and mark as correct answer if this answered your question