Thank you for the time Jose,

Let me first admit I am making most of the changes/configs using ASDM. Here is the NAT config

global (outside) 1 interface

nat (outside) 1 10.20.12.0 255.255.255.0

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

nat (dmz) 1 0.0.0.0 0.0.0.0

10.20.12.0 - is the L2TP VPN DHCP pool

As for the logs I see a lot of other informational messages but that is the only one I see that pertains to the VPN. and here is the log that i see in detail

5          Nov 06 2011          22:52:32          305013          10.20.2.249          9100                              Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.20.10.10/3727 dst inside:10.20.2.249/9100 denied due to NAT reverse path failure

I ran the Packet Tracer in ASDM and I think you meant the src ip to be 10.20.2.20:1111 to destination 10.20.10.66:80

and the result shows as "The packet is allowed"

Hello Manjitriat,

Can you post the following commands:

-Show run route

Do a packet tracer and then give us:

-Show crypto Isakamp SA

-Show crypto Ipsec SA

Regards,

Julio

Hi Julio,

I finally figured out some of the issues. Running packet tracer showed the traffic going over VPN was getting NAT'd. The NAT exempt policy entered through ASDM does show up in the running config but they have no effect. I had to login through SSH and retype the exempt rule. I knew something was wrong since when I entered that command I didn't get a error saying the rule already exist.

Running the packet tracer again showed the VPN now getting exempt but it was getting blocked by an access rule even though I had entered a rule allowing IP traffic from 10.20.10.0 to 10.20.2.0 on the outside interface. So like before I logged into SSH and retyped the rule and didn't get an error saying the rule already exists. So I knew there was an issue and re-ran the packet tracer and the packets are showing passed through both (except for the one inbound as it says IPSEC spoof detected which I believe is normal).

What could I do next to figure out what the issue is?

Julio,

The packet tracer with the above settings shows the packet is allowed.

#Show crypto Isakmp SA

1  IKE Peer: y.y.y.y

    Type    : L2L             Role    : responder

    Rekey   : no              State   : MM_ACTIVE

#Show crypto ipsec SA

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: x.x.x.x

      local ident (addr/mask/prot/port): (10.20.2.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (10.20.10.0/255.255.255.0/0/0)

      current_peer: y.y.y.y

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

      #pkts decaps: 44738, #pkts decrypt: 44741, #pkts verify: 44741

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: x.x.x.x, remote crypto endpt.: y.y.y.y

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: B486B4E8

      current inbound spi : 2E8B3062

    inbound esp sas:

      spi: 0x2E8B3062 (780873826)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 50290688, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 19452

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0xB486B4E8 (3028727016)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 50290688, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 19446

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

Hello Manjitriat,

Seems like the configuration is the one required, as you can see the status of the vpn tunnel is active.

I would definetly recommend you to check the configuration on both sides regarding the encryption, authentication,etc, this to  confirm both devices has the same settings because as I can tell you the configuration on this one is fine,

Regards,

Julio

Julio,

Thank you for the reply. I am completely at a loss here too but have found something interesting. On the Sonicwall I saw the counters show a bunch of packets sent and nothing recieved so I logged into ASDM and viewed the VPN tunnel properties and it shows the same a bunch of packets but 0 sent. So looks like the ASA is recieving traffic from the Sonicwall over the tunnel but not routing any traffic over the VPN tunnel back to the Sonicwall and possibly sending it somewhere else.

Hello Manji,

If you do a show run route, do you see one that matches the destination (could be a default route 0.0.0.0 0.0.0.0)

Are you able to see that?

Also can you send me the output of :

show run access-group

show run access-list

Regards,

Julio

On the show run route I don't see a route to the remote network and so yes it might be just on the default

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

#show run access-group is blank

#show run access-list

access-list outside_access_in extended permit ip 10.20.10.0 255.255.255.0 10.20.2.0 255.255.255.0

access-list nonat extended permit ip 10.20.2.0 255.255.255.0 10.20.12.0 255.255.255.0

access-list nonat extended permit ip 10.20.4.0 255.255.255.0 10.20.12.0 255.255.255.0

access-list nonat extended permit ip 10.20.2.0 255.255.255.0 10.20.10.0 255.255.255.0

access-list outside_2_cryptomap extended permit ip 10.20.2.0 255.255.255.0 10.20.10.0 255.255.255.0

Hello Manjitriat,

1-Do you have the ICMP inspect enable over your policy_global?? If not please add it

2-Can you try to ping from one internal host to another host behind the sonic firewall, Afterwards take a show crypto isakamp sa and ipsec sa

Regards,

Julio

Yes inspect icmp is enabled in global_policy

The ping requests time out (The only ping that works is when I ping from the remote side to the ASA internal IP address, no other pings from either side work)

#show crypto isakmp sa

1   IKE Peer: x.x.x.x

    Type    : L2L             Role    : responder

    Rekey   : no              State   : MM_ACTIVE

#show crypto ipsec sa

interface: outside

    Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.x

      access-list outside_2_cryptomap extended permit ip 10.20.2.0 255.255.255.0 10.20.10.0 255.255.255.0

      local ident (addr/mask/prot/port): (10.20.2.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (10.20.10.0/255.255.255.0/0/0)

      current_peer: y.y.y.y

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 39543, #pkts decrypt: 39543, #pkts verify: 39543

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: x.x.x.x, remote crypto endpt.: y.y.y.y

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 0ED0F897

      current inbound spi : 596CCE6F

    inbound esp sas:

      spi: 0x596CCE6F (1500302959)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 2, }

         slot: 0, conn_id: 50327552, crypto-map: outside_map

         sa timing: remaining key lifetime (sec): 7440

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0x0ED0F897 (248576151)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 2, }

         slot: 0, conn_id: 50327552, crypto-map: outside_map

         sa timing: remaining key lifetime (sec): 7440

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

Julio,

This issue has been resolved. Didn't realize there was a static route added on a Layer 3 switch behind the ASA. Deleted that route and everything seems to be working fine.

Thank you for you help

Hello Manjitriat,

Good to know, so as we suspected everything was perfect on the ASA.

Hope you have a great day.

Julio