Problems with ASA routed vpn

jjeong · ‎12-01-2019

HI.

I connect paloalto and ASA VPN .

I set up a connection from asa to routed base vpn.

The tunnel was connected and I thought there would be no problem.

However, a problem was found.

Communication from Palo Alto to asa works well, but communication from asa to Palo Alto does not work.

I don't know why only one direction works. (inbound from asa)

Please tell me what to look for.

The approximate config is shown below.

-------------------

crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800

crypto ikev1 enable outside

crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac

crypto ipsec profile ABC
set ikev1 transform-set transform-amzn
set pfs group2
set security-association lifetime seconds 3600

interface Tunnel0
nameif ABC
ip address 10.200.3.2 255.255.255.252
tunnel source interface outside
tunnel destination x.x.x.x
tunnel mode ipsec ipv4
tunnel protection ipsec profile ABC

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
ikev1 pre-shared-key ********
isakmp keepalive threshold 10 retry 10

route ABC 10.1.0.0 255.255.0.0 10.200.3.1
route ABC 10.2.0.0 255.255.0.0 10.200.3.1

access-list acl_ABC extended permit icmp any any
access-list acl_ABC extended permit ip any any

accees-group acl_ABC in interface ABC

--------------------------

What else do I need?

I would appreciate it if you let me know.

Rob Ingram · ‎12-01-2019

Hi,
Do you have NAT configured on the ASA? You may need to define a NAT exemption rule. Please provide the output of "show nat"

Can you run packet-tracer and provide the output for review e.g - "packet-tracer input INSIDE tcp 10.1.0.2 3000 10.200.3.2 80"