cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

103
Views
0
Helpful
4
Replies
Highlighted
Beginner

VPN Lan To Lan ASA IOS 8.3

Here my VPN Lan To Lan configuration :

object VPNL2L-src
  host 192.168.93.164
  nat(INSIDE,OUTSIDE) static 10.195.10.164
object network VPNL2L-SRC-NAT
  host 10.195.10.164
object network VPNnonat-SRC
  host 10.195.10.164
object network VPNL2L-DST
  host 10.168.0.85
nat (INSIDE,OUTSIDE) source static VPNnonat.-SRC VPNnonat-SRC destination static VPNL2L-DST VPNL2L-DST
nat (INSIDE,OUTSIDE) source static VPNL2L-src VPNL2L-SRC-NAT destination static VPNL2L-DST VPNL2L-DST
 

The flow show me that the packets go out from my OUTSIDE, but when the packets come in my OUTSIDE there is no flow in VPN traffic.

 

4 REPLIES 4

Hello Walter,  - Was this

Hello Walter, 

 

- Was this flow checked with a packet-tracer? could you share the output with us?

- What's the problem with the tunnel?

Beginner

When i try to ping the

When i try to ping the destination 10.168.0.85 from my inside host 192.168.93.164 (NAT-SRC to 10.195.10.164) i can see on my ASA this output :

peer address: 78.6.254.7
    Crypto map tag: outside_map, seq num: 145, local addr: 94.125.239.251

      access-list VPNL2LCrypto extended permit ip 10.195.10.164 255.255.255.5 10.168.0.85 255.255.255.255
      local ident (addr/mask/prot/port): (10.195.10.164/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.168.0.85/255.255.255.0/0/0)
      current_peer: 78.6.254.7

      #pkts encaps: 380, #pkts encrypt: 380, #pkts digest: 380
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
      #pkts invalid pad (rcv): 0,
      #pkts invalid ip version (rcv): 0,
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: 94.125.239.251/4500, remote crypto endpt.: 78.6.254.7/4500
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: 59D2316F
      current inbound spi : 9DC7F1C5

 

As you can see there are the numbers in the pkts encaps, but there aren't any numbers in pkts decaps. Obviously when the other side try to ping my inside host the other side with the same command see the same output. From this issue i can suppose that in my ASA the packets from other side to my INSIDE there aren't encrypted.

 

Hello Walter,  Is the remote

Hello Walter, 

 

Is the remote end 78.6.254.7 encrypting traffic?

Is this encrypted traffic from the remote end reaching the ASA? 

   *outside captures can help you answer this question

Is the ASA droping traffic from 10.168.0.85?

   *ASP captures can help you answer this question

Beginner

Thanks, i modified my

Thanks, i modified my configuration so :

no nat (INSIDE,OUTSIDE) source static VPNnonat.-SRC VPNnonat-SRC destination static VPNL2L-DST VPNL2L-DST

After with capture ASP type asp-drop, i see the flow from 10.168.0.85 to 94.125.239.242. I studied the configuration of my ASA and i write the configuration about traffic uncrypted Ip address of inside lan to outside for Internet with the source nat 94.125.239.252 and the vpn is ok. From

nat (INSIDE,OUTSIDE) source dynamic INSIDE-LAN-src INSIDE-LAN-src IP-94.125.239.242 destination static Any-dst Any-dst

To

object-group network INSIDE-INTERNET-OUTSIDE
 host 192.168.0.1
nat (INSIDE,OUTSIDE) source dynamic IP-94.125.239.252

Now the vpn is OK. Thanks
 

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here