ASA is not encapsulating from IPSEC

baroncse (Level 1)

I have a tunnel (ASA <> Meraki) tunnel is up and I can verify both ends.

Problem is that, IPSEC from ASA can't encapsulate any packets but can decapsulate.


@baroncse so it's probably a NAT or routing issue on the ASA. Do you have a NAT exemption rule on the ASA to ensure traffic between your local network and the remote network(s) is not unintentionally translated?

 

Example:

 

object network LOCAL
 subnet 192.168.10.0 255.255.255.0
object network REMOTE
 subnet 192.168.20.0 255.255.255.0
nat (INSIDE,OUTSIDE) source static LOCAL LOCAL destination static REMOTE REMOTE no-proxy-arp

 

I do have this. This ASA is at defaults so far; I only have 2 NATs, one for AnyConnect and one for this tunnel.

object network LOCAL
 subnet 10.10.10.0 255.255.255.0
object-group network REMOTE
 network-object 10.17.2.0 255.255.255.0
 network-object 10.17.1.0 255.255.255.0

access-list acl_cryptomap extended permit ip object LOCAL object-group REMOTE

nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE no-proxy-arp route-lookup

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key ********


crypto ipsec ikev1 transform-set ESP-AES-256-SHA_REMOTE esp-aes-256 esp-sha-hmac

crypto map outside_map 50 match address acl_cryptomap
crypto map outside_map 50 set peer 1.1.1.1
crypto map outside_map 50 set ikev1 transform-set ESP-AES-256-SHA_REMOTE
crypto map outside_map 50 set security-association lifetime kilobytes unlimited

@baroncse is traffic routed to the ASA and out via the outside interface? (Accepted solution)

 

Run packet-tracer twice and provide the output of the second, example:

 

packet-tracer input inside tcp 10.10.10.5 3000 10.10.17.5 80

Provide the output of "show nat detail" and "show crypto ipsec sa"

Weird, when I sent this:

packet-tracer input inside tcp 10.10.10.5 3000 10.10.17.5 80

Packets got encapsulated and I can ping from local to remote now.


pcap second:

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 3857, using existing flow

Result:
input-interface: inside
input-status: up
input-line-status: up
Action: allow



sh nat det:

1 (inside) to (outside) source static LOCAL LOCAL destination static Anyconnect_Users Anyconnect_Users no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.10.10.0/24, Translated: 10.10.10.0/24
Destination - Origin: 172.0.0.0/24, Translated: 172.0.0.0/24

2 (inside) to (outside) source static LOCAL LOCAL destination static REMOTE REMOTE no-proxy-arp route-lookup
translate_hits = 203, untranslate_hits = 206
Source - Origin: 10.10.10.0/24, Translated: 10.10.10.0/24
Destination - Origin: 10.17.2.0/24, 10.17.1.0/24, Translated: 10.17.2.0/24, 10.17.1.0/24

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic inside-nat interface
translate_hits = 2778, untranslate_hits = 19
Source - Origin: 10.10.10.0/24, Translated: ********** (outside int ip)

2 (outside) to (outside) source dynamic Anyconnect-NAT interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 172.0.0.0/24, Translated: ************ (outside int ip)





From a LOCAL device connected to the ASA I can ping and RDP, but from the REMOTE end I can't ping the ASA or the device. Looks like one-way comms.

Can we see the ASA config?

object-group network REMOTE
network-object 10.17.2.0 255.255.255.0
network-object 10.17.1.0 255.255.255.0

 

packet-tracer input inside tcp 10.10.10.5 3000 10.10.17.5 80


Just a note: the packet-tracer destination is different from the ACL and NAT?

Are you sure the traffic passes?
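The two findings in this thread (the NAT exemption explained earlier, and the packet-tracer destination 10.10.17.5 that falls outside the REMOTE object-group) come down to one rule: the ASA applies NAT first and then matches the crypto-map ACL against the translated packet. The following Python model, added here as an illustration and not code from the original posts or from Cisco, replays that ordering with the objects and NAT rules shown in the "show nat detail" output above. The outside interface address (masked in the post) and the NAT_TABLE_NO_EXEMPTION table are assumptions; the AnyConnect (outside,outside) rule is omitted because it never sees inside-sourced traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumption: the outside interface IP is masked in the post; RFC 5737 placeholder.
OUTSIDE_IF_IP = ipaddress.ip_address("198.51.100.1")

def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)

# Network objects / object-groups exactly as shown in the thread.
OBJECTS = {
    "LOCAL": [net("10.10.10.0/24")],
    "REMOTE": [net("10.17.2.0/24"), net("10.17.1.0/24")],
    "Anyconnect_Users": [net("172.0.0.0/24")],
}

@dataclass
class NatRule:
    name: str
    src: List[ipaddress.IPv4Network]           # source networks the rule matches
    dst: Optional[List[ipaddress.IPv4Network]]  # destination networks; None = any
    kind: str                                   # "identity" (no-NAT) or "pat"

# ASA evaluates manual NAT (Section 1) top-down, then auto NAT (Section 2).
NAT_TABLE = [
    NatRule("1 static LOCAL LOCAL dest static Anyconnect_Users", OBJECTS["LOCAL"], OBJECTS["Anyconnect_Users"], "identity"),
    NatRule("2 static LOCAL LOCAL dest static REMOTE", OBJECTS["LOCAL"], OBJECTS["REMOTE"], "identity"),
    NatRule("auto dynamic inside-nat interface", OBJECTS["LOCAL"], None, "pat"),
]

# Assumption: same table with the site-to-site exemption (rule 2) removed,
# to show what happens when the exemption is missing.
NAT_TABLE_NO_EXEMPTION = [r for r in NAT_TABLE if not r.name.startswith("2 ")]

# access-list acl_cryptomap extended permit ip object LOCAL object-group REMOTE
CRYPTO_ACL = [(OBJECTS["LOCAL"], OBJECTS["REMOTE"])]

def in_any(ip: ipaddress.IPv4Address, nets: List[ipaddress.IPv4Network]) -> bool:
    return any(ip in n for n in nets)

def apply_nat(src: str, dst: str, nat_table=NAT_TABLE):
    """Return (rule name, translated source, destination) for an inside->outside flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in nat_table:
        if in_any(s, rule.src) and (rule.dst is None or in_any(d, rule.dst)):
            xsrc = s if rule.kind == "identity" else OUTSIDE_IF_IP
            return rule.name, xsrc, d
    return "no-nat", s, d

def matches_crypto_acl(src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
    return any(in_any(src, s) and in_any(dst, d) for s, d in CRYPTO_ACL)

def trace(src: str, dst: str, nat_table=NAT_TABLE) -> dict:
    """Mimic packet-tracer: NAT first, then crypto-ACL match on the translated packet."""
    rule, xsrc, xdst = apply_nat(src, dst, nat_table)
    return {
        "nat_rule": rule,
        "translated_src": str(xsrc),
        "interesting_pre_nat": matches_crypto_acl(ipaddress.ip_address(src), ipaddress.ip_address(dst)),
        "encapsulated": matches_crypto_acl(xsrc, xdst),
    }

if __name__ == "__main__":
    # The destination the OP first tested: not in REMOTE, so it hits the PAT rule.
    print(trace("10.10.10.5", "10.10.17.5"))
    # The destination that actually belongs to the tunnel.
    print(trace("10.10.10.10", "10.17.1.5"))
    # Same good flow, but without the NAT exemption: PAT'd, so it no longer matches the crypto ACL.
    print(trace("10.10.10.10", "10.17.1.5", NAT_TABLE_NO_EXEMPTION))
```

The third case is the one the first reply warns about: once the source is PAT'd to the outside interface address, the crypto ACL (LOCAL to REMOTE) no longer matches and the ASA forwards the packet in the clear instead of encapsulating it, even though the tunnel itself is up. The first case shows why a packet-tracer destination must sit inside the crypto ACL before its result says anything about the VPN.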

 

He provided this one:

packet-tracer input inside tcp 10.10.10.5 3000 10.10.17.5 80

but I used this one:

packet-tracer input inside tcp 10.10.10.10 3000 10.17.1.5 80

All set now.
