Site-to-site VPN only communicating in one direction

NadineMeins
Level 1

Hi all together,

My problem is that I have a running VPN connection between a Cisco ASA 5505 and a LANCOM 1711 VPN that is only letting traffic through in one direction. Meaning I can ping and use Windows RDP from the net behind the Cisco (net 192.168.115.0/255.255.255.0) to the LANCOM net (192.168.0.0/255.255.255.0), but it is not working in the other direction.

On the Cisco net another LANCOM was used before, and the VPN was working without problems. We now just took the configuration and adapted it to the Cisco.

And as the tunnel is established, I do not see the reason why the LANCOM packets do not come through. In the syslog of the Cisco there is no reaction.

Can anybody help?

6 Replies

Farrukh Haroon
VIP Alumni

This could be due to numerous reasons: routing related, NAT in the transit path, ESP being blocked. Can you post your configurations? Also, have you enabled NAT-T?

Also have a look at:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution11

Regards

Farrukh

Hi!

Thanks for replying.

This is my configuration:

Saved
:
ASA Version 8.2(1)
!
hostname ASABrandsDEBU
domain-name brands.local
enable password fuuwAM47BOb7KkRB encrypted
passwd 906qOuTz0f2InvIK encrypted
names
name 85.112.230.6x Internet description Internet
name 192.168.116.96 VPN-makeIT description VPN-makeIT
name 192.168.115.10 SRV-BrandsS01 description SRV-BrandsS01
name 192.168.115.30 SRV-BrandsS03 description SRV-BrandsS03
name 192.168.115.25 SRV-Testserver description SRV-Testserver
name 217.146.152.10x GW-INTEX description GW-INTEX
name 62.153.136.22x GW-Martinnet description GW-Martinnet
name 62.72.79.19x GW-Muenster description GW-Muenster
name 213.76.140.222 GW-Polen description GW-Polen
name 192.168.115.0 NW-Buchholz description NW-Buchholz
name 192.168.114.0 NW-DMZ description NW-DMZ
name 192.168.0.0 NW-Muenster description NW-Muenster
name 192.168.19.0 NW-Polen description NW-Polen
name 192.168.117.96 VPN-Brands-Admin description VPN-Brands-Admin
name 192.168.120.96 VPN-Brands-CM description VPN-Brands-CM
name 192.168.118.96 VPN-Brands-GS description VPN-Brands-GS
name 192.168.119.96 VPN-Brands-Sales description VPN-Brands-Sales
name 192.168.121.96 VPN-Extern description VPN-Extern
name 194.49.23.0 NW-INTEX description NW-INTEX
name 212.185.56.0 NW-Martinnet description NW-Martinnet
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.115.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 85.112.230.12x 255.255.255.252
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.114.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
 domain-name brands.local
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
 network-object NW-Muenster 255.255.255.0
 network-object host GW-Muenster
object-group network DM_INLINE_NETWORK_2
 network-object NW-Muenster 255.255.255.0
 network-object host GW-Muenster
access-list makeIT_splitTunnelAcl standard permit NW-Buchholz 255.255.255.0
access-list inside_nat0_outbound extended permit ip NW-Buchholz 255.255.255.0 VPN-makeIT 255.255.255.240
access-list inside_nat0_outbound extended permit ip NW-Buchholz 255.255.255.0 VPN-Brands-Admin 255.255.255.240
access-list inside_nat0_outbound extended permit ip NW-Buchholz 255.255.255.0 VPN-Brands-GS 255.255.255.240
access-list inside_nat0_outbound extended permit ip NW-Buchholz 255.255.255.0 VPN-Brands-Sales 255.255.255.240
access-list inside_nat0_outbound extended permit ip NW-Buchholz 255.255.255.0 VPN-Brands-CM 255.255.255.240
access-list inside_nat0_outbound extended permit ip NW-Buchholz 255.255.255.0 VPN-Extern 255.255.255.240
access-list inside_nat0_outbound extended permit ip NW-Buchholz 255.255.255.0 NW-Polen 255.255.255.0
access-list inside_nat0_outbound extended permit ip NW-Buchholz 255.255.255.0 NW-Martinnet 255.255.255.0
access-list Brands-Admin_splitTunnelAcl standard permit NW-Buchholz 255.255.255.0
access-list Brands-GS_splitTunnelAcl standard permit NW-Buchholz 255.255.255.0
access-list Brands-Sales_splitTunnelAcl standard permit NW-Buchholz 255.255.255.0
access-list Brands-CM_splitTunnelAcl standard permit NW-Buchholz 255.255.255.0
access-list Extern_splitTunnelAcl standard permit NW-Buchholz 255.255.255.0
access-list outside_cryptomap extended permit ip NW-Buchholz 255.255.255.0 NW-Muenster 255.255.255.0
access-list outside_2_cryptomap extended permit ip NW-Buchholz 255.255.255.0 NW-Polen 255.255.255.0
access-list outside_3_cryptomap extended permit ip NW-Buchholz 255.255.255.0 NW-INTEX 255.255.255.0
access-list outside_4_cryptomap extended permit ip NW-Buchholz 255.255.255.0 NW-Martinnet 255.255.255.0
access-list outside_access_in extended permit icmp any any log notifications
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 NW-Buchholz 255.255.255.0
access-list outside_access_in extended permit udp object-group DM_INLINE_NETWORK_2 NW-Buchholz 255.255.255.0
access-list outside_cryptomap_1 extended permit ip NW-Buchholz 255.255.255.0 NW-Muenster 255.255.255.0
access-list outside_cryptomap_2 extended permit ip NW-Buchholz 255.255.255.0 NW-Muenster 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip NW-Buchholz 255.255.255.0 NW-Muenster 255.255.255.0
pager lines 24
logging enable
logging asdm informational
no logging message 302021
no logging message 302020
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool makeIT 192.168.116.100-192.168.116.110 mask 255.255.255.0
ip local pool VPN-Brands-Admin 192.168.117.100-192.168.117.110 mask 255.255.255.0
ip local pool VPN-Brands-GS 192.168.118.100-192.168.118.110 mask 255.255.255.0
ip local pool VPN-Extern 192.168.121.100-192.168.121.110 mask 255.255.255.0
ip local pool VPN-Brands-Sales 192.168.119.100-192.168.119.110 mask 255.255.255.0
ip local pool VPN-Brands-CM 192.168.120.100-192.168.120.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound_1 outside
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 85.112.230.125 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http NW-Buchholz 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap_2
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer GW-Muenster
crypto map outside_map 1 set transform-set ESP-3DES-MD5 ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 43200
crypto map outside_map 1 set security-association lifetime kilobytes 200000
crypto map outside_map 1 set reverse-route
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer GW-Polen
crypto map outside_map 2 set transform-set ESP-3DES-MD5
crypto map outside_map 2 set security-association lifetime seconds 2013
crypto map outside_map 2 set security-association lifetime kilobytes 200000
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs group5
crypto map outside_map 3 set peer GW-INTEX
crypto map outside_map 3 set transform-set ESP-AES-128-MD5
crypto map outside_map 3 set security-association lifetime seconds 3600
crypto map outside_map 3 set security-association lifetime kilobytes 200000
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer GW-Martinnet
crypto map outside_map 4 set transform-set ESP-AES-128-MD5
crypto map outside_map 4 set security-association lifetime seconds 3600
crypto map outside_map 4 set security-association lifetime kilobytes 200000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime none
telnet NW-Buchholz 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy Brands-GS internal
group-policy Brands-GS attributes
 dns-server value 192.168.115.14 192.168.115.7
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Brands-GS_splitTunnelAcl
 default-domain value brands.local
group-policy Brands-Sales internal
group-policy Brands-Sales attributes
 dns-server value 192.168.115.14 192.168.115.7
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Brands-Sales_splitTunnelAcl
 default-domain value brands.local
group-policy Brands-CM internal
group-policy Brands-CM attributes
 dns-server value 192.168.115.14 192.168.115.7
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Brands-CM_splitTunnelAcl
 default-domain value brands.local
group-policy Brands-Admin internal
group-policy Brands-Admin attributes
 dns-server value 192.168.115.14 192.168.115.7
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Brands-Admin_splitTunnelAcl
 default-domain value brands.local
group-policy DfltGrpPolicy attributes
 vpn-filter value Brands-Sales_splitTunnelAcl
 vpn-tunnel-protocol IPSec
group-policy makeIT internal
group-policy makeIT attributes
 dns-server value 192.168.115.14 192.168.115.7
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value makeIT_splitTunnelAcl
 default-domain value brands.local
group-policy Extern internal
group-policy Extern attributes
 dns-server value 192.168.115.14 192.168.115.7
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Extern_splitTunnelAcl
 default-domain value brands.local
username system password gC7MwUUDUbHTlU48 encrypted privilege 15
username makeIT password ZBxNX0An9ytNgYIf encrypted privilege 0
username makeIT attributes
 vpn-group-policy makeIT
username s.behrendt password l1rPzoB4p6dBQwin encrypted
username s.behrendt attributes
 group-lock value Brands-Sales
 service-type remote-access
tunnel-group makeIT type remote-access
tunnel-group makeIT general-attributes
 address-pool makeIT
 default-group-policy makeIT
tunnel-group makeIT ipsec-attributes
 pre-shared-key *
tunnel-group Brands-Admin type remote-access
tunnel-group Brands-Admin general-attributes
 address-pool VPN-Brands-Admin
 default-group-policy Brands-Admin
tunnel-group Brands-Admin ipsec-attributes
 pre-shared-key *
tunnel-group Brands-GS type remote-access
tunnel-group Brands-GS general-attributes
 address-pool VPN-Brands-GS
 default-group-policy Brands-GS
tunnel-group Brands-GS ipsec-attributes
 pre-shared-key *
tunnel-group Brands-Sales type remote-access
tunnel-group Brands-Sales general-attributes
 address-pool VPN-Brands-Sales
 default-group-policy Brands-Sales
tunnel-group Brands-Sales ipsec-attributes
 pre-shared-key *
tunnel-group Brands-CM type remote-access
tunnel-group Brands-CM general-attributes
 address-pool VPN-Brands-CM
 default-group-policy Brands-CM
tunnel-group Brands-CM ipsec-attributes
 pre-shared-key *
tunnel-group Extern type remote-access
tunnel-group Extern general-attributes
 address-pool VPN-Extern
 default-group-policy Extern
tunnel-group Extern ipsec-attributes
 pre-shared-key *
tunnel-group 62.72.79.19x type ipsec-l2l
tunnel-group 62.72.79.19x ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group 213.76.140.22x type ipsec-l2l
tunnel-group 213.76.140.22x ipsec-attributes
 pre-shared-key *
tunnel-group 217.146.152.10x type ipsec-l2l
tunnel-group 217.146.152.10x ipsec-attributes
 pre-shared-key *
tunnel-group 62.153.136.22x type ipsec-l2l
tunnel-group 62.153.136.22x ipsec-attributes
 pre-shared-key *
tunnel-group GW-Muenster type ipsec-l2l
tunnel-group GW-Muenster ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:469d3ac0a382f10168df95e82daf916a
: end

In addition: the problems I have are with NW-Muenster and GW-Muenster. The others have not been tested yet. NAT-T is enabled.

Thanks a lot!

Nadine
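Added here as an editor's example, not code from the thread or from Cisco: a small Python review helper for the NAT and crypto-ACL points Farrukh raised, run against the kind of ASA 8.2 configuration posted above. It parses the name, access-list, nat 0 access-list and crypto map match address lines and reports, for each site-to-site crypto ACL entry, whether an identical NAT-exemption entry exists and how that exemption is bound; the embedded configuration is a constructed excerpt of the posted one, and the findings are prompts for what to verify on the box, not a diagnosis.

```python
import re
# Constructed excerpt modelled on the ASA 8.2 configuration posted in this thread
ASA_CONFIG = """name 192.168.115.0 NW-Buchholz description NW-Buchholz
name 192.168.0.0 NW-Muenster description NW-Muenster
name 192.168.19.0 NW-Polen description NW-Polen
access-list inside_nat0_outbound extended permit ip NW-Buchholz 255.255.255.0 NW-Polen 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip NW-Buchholz 255.255.255.0 NW-Muenster 255.255.255.0
access-list outside_cryptomap_2 extended permit ip NW-Buchholz 255.255.255.0 NW-Muenster 255.255.255.0
access-list outside_2_cryptomap extended permit ip NW-Buchholz 255.255.255.0 NW-Polen 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound_1 outside
crypto map outside_map 1 match address outside_cryptomap_2
crypto map outside_map 2 match address outside_2_cryptomap
"""
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)( outside)?$")
CMAP_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")

def parse_asa(cfg):
    """Return (acls, nat0 bindings, crypto-map ACL names) with 'name' objects resolved."""
    names = {n: ip for ip, n in re.findall(r"^name (\S+) (\S+)", cfg, re.M)}
    acls, nat0, cmaps = {}, [], {}
    for line in cfg.splitlines():
        if m := ACE_RE.match(line):
            acl, src, sm, dst, dm = m.groups()
            acls.setdefault(acl, []).append((names.get(src, src), sm, names.get(dst, dst), dm))
        elif m := NAT0_RE.match(line):  # (interface, acl name, 'outside' keyword present?)
            nat0.append((m.group(1), m.group(2), m.group(3) is not None))
        elif m := CMAP_RE.match(line):
            cmaps[f"{m.group(1)} {m.group(2)}"] = m.group(3)
    return acls, nat0, cmaps

def review_l2l_nat_exemption(cfg):
    """Per crypto-map ACE: is there an identical nat 0 exemption ACE, and how is it bound?
    Also flags an interface that carries more than one nat 0 access-list binding."""
    acls, nat0, cmaps = parse_asa(cfg)
    findings, ifaces = [], [i for i, _, _ in nat0]
    for i in sorted(set(ifaces)):
        if ifaces.count(i) > 1:
            findings.append(f"{i}: {ifaces.count(i)} nat 0 access-list bindings; verify which is in effect")
    for entry, acl in cmaps.items():
        for ace in acls.get(acl, []):
            pair = f"{ace[0]}/{ace[1]} -> {ace[2]}/{ace[3]}"
            hits = [(a, kw) for _, a, kw in nat0 if ace in acls.get(a, [])]
            if not hits:
                findings.append(f"{entry}: {pair} has no nat 0 exemption entry")
            elif all(kw for _, kw in hits):
                findings.append(f"{entry}: {pair} exempted only via {hits[0][0]}, bound with 'outside'; check both directions")
            else:
                findings.append(f"{entry}: {pair} exempted via {hits[0][0]}: ok")
    return findings
```

Paste the real running config into ASA_CONFIG to run it against the full device; anything it flags should be confirmed with show nat and show crypto ipsec sa on the ASA itself.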
