Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7332
Views
35
Helpful
16
Replies

IPSEC Tunnel only works one way

Go to solution
JamesS4
Level 1
Level 1

‎06-20-2019 09:41 AM - edited ‎06-20-2019 09:42 AM

Hi All,

Having issue with IPSEC tunnel.  I only control our side, other side is vendor side.

 

If we initiate connection to them (e.g. telnet) we can connect and pass traffic with no issue.  If they try to telnet to us, they get timeout.  they say that the traffic is going through the tunnel, but they are not getting any return traffic.  I suspect either 1) we are missing a route, or 2) we are missing some kind of config wrt NAT.  I have attached a sanitized version of our config. 

 

We have IPSEC tunnel on outside Internet interface GI0/0/0 from our public address 38.38.38.98 to vendor side 198.198.4.38, which is working fine.

 

We can successfully connect (e.g. telnet) from our server 10.10.10.50 on inside interface GI0/1/2 across the tunnel to target host 198.198.4.51.

 

But 198.198.4.51 cannot initiate a telnet connection to 10.10.10.50.

 

Any obvious reason why?  Thank you! 

 

Labels:
Preview file
3 KB
0 Helpful
16 Replies 16

Go to solution
JamesS4
Level 1
Level 1
In response to Giuseppe Larosa

‎06-25-2019 09:07 AM

Gisueppe, Rick,

 

This is resolved.  It was as simple as changing the port.

 

Forgive the late reply but was awaiting the vendor side to make firewall change on their side and then test connection and confirm.

 

The takeaways here are:

 

1) I never stated at any point that the vendor was telneting to port 30001 -- this was a critical piece of information I omitted.

 

2) I had the idea that NAT port forwarding was concerned only with inbound connections, and only relevant to anything targeting the outside IP and port.  My assumption was that since they were targeting 10.10.10.50, the static NAT entry ip nat inside source static tcp 10.10.10.50 30001 38.38.38.98 30001 extendable would be ignored.  This turned out not to be the case for outbound traffic from inside to outside interface.

 

3) as Rick stated:

- packet capture on Gig0/0/0 should not see any traffic with your host source address or the telnet remote address. At the interface the telnet would be inside an encrypted ESP packet. I think packet capture on the vlan would be more productive.

This while true, was still helpful and revealing.  That we DID see traffic where we should NOT was a good indicator for where the problem was.

 

4) sh ip nat trans was similarly also very useful in that we should NOT have had entries for 10.10.10.50:30001, but we did..

 

Thanks very much to you both for taking the time look at my configs and provide lots of expert insight.

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to JamesS4

‎06-25-2019 09:13 AM

Hello James,

it was a very interesting issue.

I am happy we have found the only possible reason for the strange behaviour.

The show ip nat translations was the key to understand that the other side was attempting to telnet to port 30001 on 10.10.10.50 and to explain the out of VPN packets.

 

Best Regards

Giuseppe

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card