11-11-2010 07:03 AM
Hello everybody out there using ASA.
I had some IPsec VPN tunnels between the company central site and the remote sites.
Two DSL lines were connected to the ASA, one for VPN traffic and the other one for internet.
The default gateway was configured on the internet line, while some static routes ensured that traffic toward the company sites was sent through the other line.
A few days ago we changed the ASA configuration in order to use only one DSL connection: the line that was used for internet was disconnected, while the other one became the default gateway and the static routes were deleted.
From that moment the VPN connections stopped working, and when trying to send packets to the remote LAN it seems like the ASA doesn't recognise that traffic as needing to be encrypted. Obviously we checked the crypto map, ACL, etc., but we can't find any trouble... do you have any suggestions?
Thanks in advance,
Matt
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
object network XNetwork
 subnet 10.10.0.0 255.255.255.0
object network YNetwork
 subnet 172.0.1.0 255.255.255.0
crypto map RB1ITSHDSL001_map2 1 match address RB1ITSHDSL001_1_cryptomap
crypto map RB1ITSHDSL001_map2 1 set peer a.b.c.186
crypto map RB1ITSHDSL001_map2 1 set transform-set ESP-3DES-SHA
access-list RB1ITSHDSL001_1_cryptomap extended permit ip object XNetwork object YNetwork
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
11-11-2010 07:58 AM
Hi,
From your output the ASA should be encrypting traffic between XNetwork and YNetwork.
If the ASA is not encrypting this traffic it could be because there's a problem with the NAT configuration.
When the ASA receives a packet, it will first check if there are ACLs that allow the traffic, pass it through the inspection engines and check the NAT associated with it. If, for example, the packet is being NATed, then the encryption from the private IP will never take place.
Could you make sure that the packets from the XNetwork are really reaching the ASA and that the NAT rule is correct, and perhaps look at ''debug cry isa 127'' and ''debug cry ips 127'' to check for mismatch errors?
Also, what is the state of the tunnel when trying to communicate: ''sh cry isa sa''
Federico.
11-11-2010 07:58 AM
Can you post the full configuration?
Per your description, routing should be good; I think it might be a NAT issue.
You probably added some NAT/global command which NATs the VPN traffic. If this is the case, you just need to add NAT 0 to exclude the VPN traffic from NAT.
11-11-2010 10:08 AM
You both were right, the problem was in the NAT configuration.
The change of routing affected the NAT rule control.
Now the route is unique, and I found that in the NAT list the "internet NAT" rule was listed before the "VPN NAT" rule, so traffic was NATed to the outside world rather than encrypted. Putting the "VPN NAT" rule first resolved my problem.
Thank you very much for your help!
Best regards,
Matt
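The ordering problem Matt describes, shown as an added example (this is not configuration from the thread, only the object names above are Matt's). It assumes ASA 8.3 or later (the posted config uses "object network" syntax), interfaces named "inside" and "outside", and that the "internet NAT" rule was a manual (twice) NAT line in the same section as the VPN exemption, which is the only arrangement in which the two can be misordered. Manual NAT rules are evaluated top-down and the first match wins, so the exemption has to sit above the catch-all PAT rule:

```cisco
! Added example, not from the original thread.
! Assumed: ASA 8.3+, interfaces "inside" and "outside", both NAT rules are manual NAT.
object network XNetwork
 subnet 10.10.0.0 255.255.255.0
object network YNetwork
 subnet 172.0.1.0 255.255.255.0

! --- Broken order: the PAT rule is hit first for 10.10.0.0/24 -> 172.0.1.0/24,
! the packet leaves with the outside interface address, and it no longer matches
! the crypto ACL (which permits XNetwork -> YNetwork with the private source).
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static XNetwork XNetwork destination static YNetwork YNetwork

! --- Fixed order: remove the exemption and re-add it at line 1 so VPN traffic
! keeps its real addresses; all other traffic still falls through to the PAT rule.
no nat (inside,outside) source static XNetwork XNetwork destination static YNetwork YNetwork
nat (inside,outside) 1 source static XNetwork XNetwork destination static YNetwork YNetwork

! --- Verification from exec mode (10.10.0.10 and 172.0.1.10 are made-up hosts):
! "show nat" lists the exemption first and its translate_hits grow when you test;
! packet-tracer should show an identity NAT phase followed by a VPN encrypt phase
! rather than a dynamic translation and plain egress;
! "show crypto ipsec sa" should then show the #pkts encaps counter increasing.
show nat
packet-tracer input inside tcp 10.10.0.10 1025 172.0.1.10 80
show crypto ipsec sa
```

On pre-8.3 code the same exemption is the "NAT 0" the second reply mentions, written as `nat (inside) 0 access-list <acl>`; there the exemption always takes precedence over dynamic `nat (inside) 1` rules, which is why this ordering trap only appears once both rules are manual NAT lines on 8.3+.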