Traffic flow Through Site to Site VPN

Hi team,

I have a Cisco ASA 5520; here is the show version summary:

 

Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 7.3(1)101

Compiled on Wed 28-Nov-12 10:38 by builders
System image file is "disk0:/asa911-k8.bin"

Everything was working fine until we decided to migrate all our site-to-site VPNs to a new FTTH ISP line attached to another Cisco ASA interface.
The VPNs are established and traffic from the remote office goes into the tunnel, but the ASA doesn't return it. Playing with the NAT exemptions and their order on the Cisco ASA, sometimes it works, but I can't understand its behavior.

 

Here is the ACL config from the Cisco router in the remote office:


Extended IP access list 100
10 permit ip 172.20.72.0 0.0.0.255 10.0.0.0 0.255.255.255
20 permit ip 172.20.72.0 0.0.0.255 172.20.10.0 0.0.0.255
30 permit ip 172.20.72.0 0.0.0.255 172.20.1.0 0.0.0.255 (15774 matches)
40 permit ip 172.20.72.0 0.0.0.255 172.20.20.0 0.0.0.255 (892 matches)
50 permit ip 172.20.72.0 0.0.0.255 172.20.100.0 0.0.0.255 (50 matches)

As you will see, the ping only works with one of the networks:

Router#ping 172.20.1.240 source 172.20.72.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.20.1.240, timeout is 2 seconds:
Packet sent with a source address of 172.20.72.1
!!!!!

Router#ping 172.20.100.10 source 172.20.72.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.20.100.10, timeout is 2 seconds:
Packet sent with a source address of 172.20.72.1
.....
Success rate is 0 percent (0/5)
Router#ping 172.20.20.26 source 172.20.72.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.20.20.26, timeout is 2 seconds:
Packet sent with a source address of 172.20.72.1
.....
Success rate is 0 percent (0/5)

 

Here is the show crypto ipsec sa detail output showing that traffic is going into the tunnel:

 

local ident (addr/mask/prot/port): (172.20.72.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.20.100.0/255.255.255.0/0/0)
current_peer 81.43.119.81 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 31, #pkts encrypt: 31, #pkts digest: 31
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0


For this subnet it is working:

protected vrf: (none)
local ident (addr/mask/prot/port): (172.20.72.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.20.1.0/255.255.255.0/0/0)
current_peer 81.43.119.81 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9639, #pkts encrypt: 9639, #pkts digest: 9639
#pkts decaps: 4192, #pkts decrypt: 4192, #pkts verify: 4192
#pkts compressed: 0, #pkts decompressed: 0

 

local ident (addr/mask/prot/port): (172.20.72.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.20.20.0/255.255.255.0/0/0)
current_peer 81.43.119.81 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 81, #pkts encrypt: 81, #pkts digest: 81
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0

 

Find attached the screen capture from ASDM of the NAT exemption rules.

 

I will appreciate any help.

Thanks in advance
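As an added example (not part of the original post), this Python parser reads a `show crypto ipsec sa` dump like the one above and flags the SAs whose encaps counter climbs while decaps stays at zero, which is exactly the "traffic goes into the tunnel but nothing comes back" symptom described. The sample text is constructed from the counters quoted in the thread, not a real capture.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample shaped like the thread's 'show crypto ipsec sa' output (not a real capture).
SAMPLE_SA_OUTPUT = """local ident (addr/mask/prot/port): (172.20.72.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.20.100.0/255.255.255.0/0/0)
#pkts encaps: 31, #pkts encrypt: 31, #pkts digest: 31
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

local ident (addr/mask/prot/port): (172.20.72.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.20.1.0/255.255.255.0/0/0)
#pkts encaps: 9639, #pkts encrypt: 9639, #pkts digest: 9639
#pkts decaps: 4192, #pkts decrypt: 4192, #pkts verify: 4192
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

@dataclass
class SaCounters:
    local: str   # local proxy identity as CIDR, e.g. 172.20.72.0/24
    remote: str  # remote proxy identity as CIDR
    encaps: int  # packets this side encrypted and sent into the tunnel
    decaps: int  # packets this side received from the tunnel and decrypted

    def verdict(self) -> str:
        """encaps rising while decaps stays 0 is the 'goes in, never comes back' symptom."""
        if self.encaps and not self.decaps:
            return "one-way-outbound"
        if self.decaps and not self.encaps:
            return "one-way-inbound"
        return "bidirectional" if self.encaps else "idle"

def parse_ipsec_sa(text: str) -> list[SaCounters]:
    """Split the dump at each 'local ident' line and read that SA's identities and counters."""
    results = []
    for chunk in re.split(r"(?=^local ident)", text, flags=re.MULTILINE):
        idents = {m[1]: str(ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False))
                  for m in IDENT_RE.finditer(chunk)}
        counters = {m[1]: int(m[2]) for m in COUNTER_RE.finditer(chunk)}
        if {"local", "remote"} <= set(idents) and {"encaps", "decaps"} <= set(counters):
            results.append(SaCounters(idents["local"], idents["remote"],
                                      counters["encaps"], counters["decaps"]))
    return results

def one_way_remotes(sas: list[SaCounters]) -> list[str]:
    """Remote subnets we encrypt to but never hear back from: check NAT exemption and return routing for these."""
    return [sa.remote for sa in sas if sa.verdict() == "one-way-outbound"]
```

Run against the full output of the remote router, the list from one_way_remotes() is the set of subnets whose NAT exemption and return route should be checked on the ASA.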

Accepted Solution

Hi Marius,


I tested both options, with and without NAT Traversal enabled, with the same result: the traffic wasn't crossing the firewall.

I solved the issue by doing a reload of both Cisco ASAs. After that, everything started working as expected.

 

Thank you all for the help




10 Replies

Abheesh Kumar (VIP Alumni)
Hi,
Can you share the ASA running config?

HTH
Abheesh

Hi Abheesh,

 

Thanks for your response,

 

Here is the running ASA config

 

 

I took a look at your config, and nothing is sticking out.

 

Can you run packet tracer from interface dmz_publica, from 172.20.100.10 to 172.20.72.1, and post the output?

Hi mls577,

 

I've run the packet tracer both ways and it seems to work; find attached the screen capture from ASDM.

Is it typical that the firewall gets lost for some reason and maybe needs a restart?

The issue is only on the FTTH VPN interface; I also can't find anything wrong in the configuration.

 

Thanks for your help


guillermo.gonzalez@arcait.es wrote:

Hi mls577,

 

I've run the packet tracer both ways and it seems to work; find attached the screen capture from ASDM.

Is it typical that the firewall gets lost for some reason and maybe needs a restart?

The issue is only on the FTTH VPN interface; I also can't find anything wrong in the configuration.

 

Thanks for your help


Can you do it through the command line and post the output? Alternatively you could still use ASDM, but you'll need to take screenshots of the details (hidden in your current pictures).

Hi mls577,

 

Here are the packet tracer details from the CLI; find the file attached.

 

Thanks

I am assuming that there is another device doing NAT to a public IP for traffic leaving the FTTH_VPN interface, since this interface has a private IP address of 172.20.250.254. If this is the case then your problem is that you have disabled NAT traversal on the VPN. I would suggest removing this command and testing again.

 

crypto map FTTH_VPN_map 3 set nat-t-disable

--
Please remember to select a correct answer and rate helpful posts
