I have a site-to-site VPN tunnel set up. I appear to be getting one-way traffic, because I get decaps but not encaps. After looking at the packet tracer I see that the Phase 3 NAT step is using the wrong nat statement. I believe that using the "nat (any,outside) after-auto source dynamic any interface" cmd will force the dynamic statement to be chosen last. I know there's an order of operation when it comes to NAT, but I assumed the most specific would always be chosen first. Could someone throw a clue my way if they think this cmd would do the trick?

nat (inside,outside) source static AAA AAA destination static 102 102 no-proxy-arp route-lookup
nat (inside,outside) source static 192.168.149.2 interface service OBJ-TCP-www OBJ-TCP-www
nat (inside,outside) source static 192.168.149.2 interface service OBJ-TCP-3389 OBJ-TCP-3389
nat (inside,outside) source static 192.168.149.2 interface service OBJ-TCP-smtp OBJ-TCP-smtp
nat (inside,outside) source static 192.168.149.2 interface service OBJ-TCP-imap4 OBJ-TCP-imap4
nat (any,outside) source dynamic any interface

packet-tracer input inside icmp 192.168.149.2 8 0 10.40.0.20

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop x.x.x.x using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (any,outside) source dynamic any interface
Additional Information:
Dynamic translate 192.168.149.2/0 to 100.100.100.100/42129

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (any,outside) source dynamic any interface
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 22188, packet dispatched to next module

Result:
output-interface: outside
output-status: up
output-line-status: up
Action: allow
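Editor's note on the NAT ordering question above, with an added configuration example that is not from the post. On the ASA, NAT rules are evaluated in three sections: section 1 is manual (twice) NAT in the order it was configured, section 2 is auto (object) NAT, and section 3 is manual NAT entered with the after-auto keyword. Within a section the first rule that matches wins; "most specific" plays no part. Every rule in the post is already section 1 manual NAT, and the identity rule for the VPN sits above the catch-all PAT, so moving the PAT to after-auto only changes its order relative to section 2 object NAT rules. If packet-tracer still picks the dynamic rule while the identity rule is above it, the usual reason is that the source or destination does not fall inside the objects the identity rule references (AAA and 102 here). The object contents below are assumptions for illustration; only the object names, the interface pair and the test addresses come from the post.

```cisco
! Added example (not the poster's configuration): section placement of manual NAT.
! The identity NAT for VPN traffic only matches if the real source is inside AAA
! and the destination is inside 102. Subnets below are assumed for the example.
object network AAA
 subnet 192.168.149.0 255.255.255.0
object network 102
 subnet 10.40.0.0 255.255.255.0

! Section 1, line 1: evaluated first, keeps VPN-bound traffic untranslated.
nat (inside,outside) 1 source static AAA AAA destination static 102 102 no-proxy-arp route-lookup

! Section 3: after-auto pushes the catch-all PAT below every section 1 and section 2 rule.
nat (any,outside) after-auto source dynamic any interface

! Checks: confirm which section each rule landed in and its hit counts,
! then re-run the trace and read the Config line of the NAT phase.
show nat
show running-config object id AAA
show running-config object id 102
packet-tracer input inside icmp 192.168.149.2 8 0 10.40.0.20 detailed
```

In the show nat output the rules appear under "Manual NAT Policies (Section 1)", "Auto NAT Policies (Section 2)" and "Manual NAT Policies (Section 3)"; the NAT phase of the trace should then quote the identity rule rather than the dynamic one, and the per-rule "translate_hits" counter tells you whether real traffic is matching it.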
Did you ever find a permanent solution for this issue? I have a 5540 ASA code 9.1(7.16) that is experiencing duplicate sa entries in the asp tables. The only thing I can do is run the "clear crypto ipsec sa inactive" cmd to clear the duplicate sa.
Could you tell me a little more about the FlexConnect ACL that needs to be applied? Do I need to deny any traffic to send it locally vs. over CAPWAP? Do I need to permit all traffic to allow it to be forced locally only?
FlexConnect and Split Tunnel info from the article
FlexConnect ACL can be created with rules in order to permit all of the devices present at the local site/network. When packets from a wireless client on the Corporate SSID match the rules in the FlexConnect ACL configured on OEAP, that traffic is switched locally and the rest of the traffic (that is, implicit deny traffic) will switch centrally over CAPWAP.
The Split Tunneling solution assumes that the subnet/VLAN associated with a client in the central site is not present in the local site (that is, traffic for clients that receive an IP address from the subnet present on the central site will not be able to switch locally).
The Split Tunneling functionality is designed to switch traffic locally for subnets that belong to the local site in order to avoid WAN bandwidth consumption. Traffic that matches the FlexConnect ACL rules is switched locally, and a NAT operation is performed, changing the client's source IP address to the FlexConnect AP's interface IP address, which is routable at the local site/network.
FlexConnect ACL Summary
Create FlexConnect ACL on the controller.
Apply the same on a VLAN present on FlexConnect AP under AP Level VLAN ACL mapping.
Can be applied on a VLAN present in a FlexConnect Group under VLAN-ACL mapping (generally done for AAA-overridden VLANs).
While applying ACL on VLAN, select the direction to be applied: ingress, egress, or ingress and egress.
Split Tunnel Summary
The Split Tunneling functionality is supported on WLANs configured for central switching advertised by FlexConnect APs only.
DHCP Required should be enabled on WLANs configured for Split Tunneling.
The Split Tunneling configuration is applied per WLAN configured for central switching on a per FlexConnect AP basis or for all of the FlexConnect APs in a FlexConnect Group.
Split Tunnel Limitations
FlexConnect ACL rules should not be configured with permit/deny statement with same subnet as source and destination.
Traffic on a centrally-switched WLAN configured for Split Tunneling can be switched locally only when a wireless client initiates traffic for a host present on the local site. If traffic is initiated by clients/host on a local site for wireless clients on these configured WLANs, the traffic will not be able to reach the destination.
Split Tunneling is not supported for Multicast/Broadcast traffic. Multicast/Broadcast traffic will switch centrally even if it matches the FlexConnect ACL.
I have a 5508 WLC Controller ver 8.1 back at the Central Office and four 3702 APs at a branch office that connect back to the WLC via a centrally switched config, where all data is tunneled through CAPWAP over a VPN connection back to the Central Office and then routed through the WLC.
This seems to be killing my wireless performance for Internet, so I want the APs to be able to route all local traffic not destined for 192.168.0.0 255.255.0.0 out locally through the Branch Office's Internet. Is it possible to tell my APs at the Branch Office to only route 192.168.0.0/16 traffic through CAPWAP via the WLC and send everything else out locally? If not, is it possible to tell all traffic to switch locally and then just allow the Branch Office's routing and switching to control traffic?
I believe I should be able to do this by placing the AP in FlexConnect mode and then applying a permit any any FlexConnect ACL to the AP. But I want to know if this would be the right solution.
The 2 diagrams should help paint the picture of what I am trying to accomplish. In the scenario below, the 172.16.100.0/24 network is back at the corporate office, but the Client device still gets a 172.16.100.0 IP address. The Client should not have to go through the CAPWAP tunnel to get to 192.168.1.100 since it's a part of the local network at the Client's actual location, and the same goes for the Internet. The Client should be able to go out its own Internet without having to route via CAPWAP through the WLC back at the Central Office.
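The quoted article text above (permit means local switching with NAT to the AP's address, the implicit deny means central switching over CAPWAP, multicast/broadcast is always central, and a rule must not use the same subnet as source and destination) and the branch-office scenario in the preceding post together describe a small decision procedure. The following Python model, an added example and not code from the post or from Cisco, walks through it with first-match ACL semantics. It shows why the "permit any any" ACL proposed in the post sends the corporate 192.168.0.0/16 range out the branch as well (NATed to the AP's address, so corporate hosts never see the client's IP), and how ordering a deny for the corporate range before the catch-all permit gives branch-local Internet breakout instead. The 172.16.100.0/24 client subnet and the 192.168.0.0/16 corporate range come from the post; the AP address 192.168.1.50, the assumption that 192.168.1.0/24 is the branch LAN while the rest of 192.168.0.0/16 stays corporate, and the other hosts are constructed for the example.

```python
"""Added example: a model of FlexConnect ACL evaluation for Split Tunneling.

Rules are evaluated top-down, first match wins. An unmatched packet hits the
implicit deny, which means "switch centrally over CAPWAP". A permit means
"switch locally, source-NATed to the AP's IP". Multicast/broadcast is always
central, and flows initiated from the local site toward the wireless client
cannot reach it. Addresses other than 172.16.100.0/24 and 192.168.0.0/16
are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

IPNet = ipaddress.IPv4Network


@dataclass(frozen=True)
class FlexAclRule:
    action: str   # "permit" (switch locally) or "deny" (switch centrally)
    src: str      # CIDR, "0.0.0.0/0" for any
    dst: str      # CIDR, "0.0.0.0/0" for any


def validate_rules(rules):
    """Return a list of problems (empty when the ACL is acceptable).

    Flags the configuration the article warns about: one rule using the same
    subnet as both source and destination ("any any" is exempt).
    """
    problems = []
    for i, r in enumerate(rules, 1):
        if r.action not in ("permit", "deny"):
            problems.append(f"rule {i}: bad action {r.action!r}")
            continue
        s, d = IPNet(r.src), IPNet(r.dst)
        if s == d and s.prefixlen != 0:
            problems.append(f"rule {i}: same subnet {s} as source and destination")
    return problems


def first_match(rules, src_ip, dst_ip):
    """First-match lookup; the implicit deny at the end means central switching."""
    for r in rules:
        if src_ip in IPNet(r.src) and dst_ip in IPNet(r.dst):
            return r.action
    return "deny"


def split_tunnel_path(rules, src, dst, client_subnet, ap_ip):
    """Return (path, source address the next hop sees).

    path is "local" (switched at the branch, NATed to the AP's IP),
    "central" (CAPWAP back to the WLC, untranslated) or "unreachable".
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst_ip.is_multicast or dst_ip == ipaddress.ip_address("255.255.255.255"):
        return "central", src          # multicast/broadcast never split-tunnels
    if src_ip not in IPNet(client_subnet):
        return "unreachable", src      # local host -> wireless client: not supported
    if first_match(rules, src_ip, dst_ip) == "permit":
        return "local", ap_ip          # NAT to the AP's locally routable address
    return "central", src


# Constructed topology (assumption): AP at 192.168.1.50 on the branch LAN
# 192.168.1.0/24; the rest of 192.168.0.0/16 is corporate and stays on CAPWAP.
AP_IP = "192.168.1.50"
CLIENT_SUBNET = "172.16.100.0/24"
CLIENT = "172.16.100.23"

# What the post proposed. It also switches 192.168.0.0/16 locally.
PERMIT_ANY = [FlexAclRule("permit", "0.0.0.0/0", "0.0.0.0/0")]

# Branch breakout: specific branch LAN permit first, corporate range denied
# (central), everything else (Internet) permitted (local).
BRANCH_BREAKOUT = [
    FlexAclRule("permit", "0.0.0.0/0", "192.168.1.0/24"),
    FlexAclRule("deny", "0.0.0.0/0", "192.168.0.0/16"),
    FlexAclRule("permit", "0.0.0.0/0", "0.0.0.0/0"),
]

if __name__ == "__main__":
    for name, acl in (("permit-any", PERMIT_ANY), ("branch-breakout", BRANCH_BREAKOUT)):
        print(name, "problems:", validate_rules(acl))
        for dst in ("192.168.1.100", "192.168.50.10", "203.0.113.10", "239.1.1.1"):
            print(f"  {CLIENT} -> {dst}:",
                  split_tunnel_path(acl, CLIENT, dst, CLIENT_SUBNET, AP_IP))
        print("  192.168.1.100 ->", CLIENT, ":",
              split_tunnel_path(acl, "192.168.1.100", CLIENT, CLIENT_SUBNET, AP_IP))
```

The model also makes the article's last limitation concrete: a host at the branch that tries to open a connection to the wireless client gets "unreachable", because the NAT only exists for flows the client initiates.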
The power output on the 3750X switch is 30W, and the requirement for a Cisco 3802 Access Point is 30W. Will the Cisco 3750X be able to provide enough power to the access point or will I need to move to a 3850 switch, which provides 60W of power, to be able to power a Cisco 3802 AP?
Thank you for answering my question. This is exactly what I needed to know. What started this whole mess was that someone ordered the wrong license on the switch. What led to changing back to the LAN Base license was the fact that we could no longer purchase a 3750X license since it was End of Sale and End of Life. I basically just lucked out on being able to get a temp license for it. The alternate solution is to put in a 3560X switch, which has an IP Base license, and then just trunk the connection from the 3560X switch to the 3750X.