VPN Lan To Lan ASA IOS 8.3

Walter Astori
Level 1

Here is my VPN LAN-to-LAN configuration:

object network VPNL2L-src
  host 192.168.93.164
  nat (INSIDE,OUTSIDE) static 10.195.10.164
object network VPNL2L-SRC-NAT
  host 10.195.10.164
object network VPNnonat-SRC
  host 10.195.10.164
object network VPNL2L-DST
  host 10.168.0.85
nat (INSIDE,OUTSIDE) source static VPNnonat-SRC VPNnonat-SRC destination static VPNL2L-DST VPNL2L-DST
nat (INSIDE,OUTSIDE) source static VPNL2L-src VPNL2L-SRC-NAT destination static VPNL2L-DST VPNL2L-DST
 

The flow shows me that the packets go out from my OUTSIDE, but when the packets come in on my OUTSIDE there is no flow in the VPN traffic.

 

4 Replies

Hello Walter, 

 

- Was this flow checked with a packet-tracer? Could you share the output with us?

- What's the problem with the tunnel?

When I try to ping the destination 10.168.0.85 from my inside host 192.168.93.164 (NAT-SRC to 10.195.10.164) I can see this output on my ASA:

peer address: 78.6.254.7
    Crypto map tag: outside_map, seq num: 145, local addr: 94.125.239.251

      access-list VPNL2LCrypto extended permit ip 10.195.10.164 255.255.255.5 10.168.0.85 255.255.255.255
      local ident (addr/mask/prot/port): (10.195.10.164/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.168.0.85/255.255.255.0/0/0)
      current_peer: 78.6.254.7

      #pkts encaps: 380, #pkts encrypt: 380, #pkts digest: 380
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
      #pkts invalid pad (rcv): 0,
      #pkts invalid ip version (rcv): 0,
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: 94.125.239.251/4500, remote crypto endpt.: 78.6.254.7/4500
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: 59D2316F
      current inbound spi : 9DC7F1C5

 

As you can see there are numbers in the pkts encaps, but there aren't any numbers in pkts decaps. Obviously, when the other side tries to ping my inside host, the other side sees the same output with the same command. From this issue I can suppose that in my ASA the packets from the other side to my INSIDE aren't encrypted.

 

Hello Walter, 

 

Is the remote end 78.6.254.7 encrypting traffic?

Is this encrypted traffic from the remote end reaching the ASA? 

   *outside captures can help you answer this question

Is the ASA dropping traffic from 10.168.0.85?

   *ASP captures can help you answer this question

Thanks, I modified my configuration like so:

no nat (INSIDE,OUTSIDE) source static VPNnonat-SRC VPNnonat-SRC destination static VPNL2L-DST VPNL2L-DST

Afterwards, with a capture of type asp-drop, I see the flow from 10.168.0.85 to 94.125.239.242. I studied the configuration of my ASA and I wrote the configuration for the unencrypted traffic from the inside LAN IP addresses to the outside for Internet with the source NAT 94.125.239.252, and the VPN is OK. From

nat (INSIDE,OUTSIDE) source dynamic INSIDE-LAN-src INSIDE-LAN-src IP-94.125.239.242 destination static Any-dst Any-dst

To

object-group network INSIDE-INTERNET-OUTSIDE
 network-object host 192.168.0.1
nat (INSIDE,OUTSIDE) source dynamic INSIDE-INTERNET-OUTSIDE IP-94.125.239.252

Now the VPN is OK. Thanks.
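The thread never spells out why removing the identity rule fixed the tunnel, so the following is an added example (not code from the thread, from Walter, or from Cisco) that models the relevant piece of ASA 8.3+ behaviour: manual (twice) NAT rules are walked in configuration order, the first match wins, and every rule applies in both directions. On the OUTSIDE interface the packet's destination is compared with the rule's mapped source and its source with the rule's mapped destination. With the identity rule for the mapped address 10.195.10.164 listed first, the return packet from 10.168.0.85 hits that rule and is "untranslated" to 10.195.10.164, which is not the real inside host; with only the VPNL2L-src rule left, the same packet is untranslated to 192.168.93.164. The addresses and rule layout come from the posts; the Python classes and function names are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TwiceNatRule:
    """Model of: nat (real_if,mapped_if) source static REAL_SRC MAPPED_SRC
                 destination static REAL_DST MAPPED_DST   (assumed model)"""
    name: str
    real_src: IPv4Network
    mapped_src: IPv4Network
    real_dst: IPv4Network
    mapped_dst: IPv4Network


def _rewrite(addr: IPv4Address, from_net: IPv4Network, to_net: IPv4Network) -> IPv4Address:
    """Static NAT keeps the host offset inside the network; identity when from == to."""
    offset = int(addr) - int(from_net.network_address)
    return IPv4Address(int(to_net.network_address) + offset)


def translate_outbound(rules: List[TwiceNatRule], src: IPv4Address, dst: IPv4Address
                       ) -> Tuple[Optional[str], IPv4Address, IPv4Address]:
    """Packet entering the real (INSIDE) interface: match on real addresses, rewrite to mapped."""
    for r in rules:  # first match wins, in configuration order
        if src in r.real_src and dst in r.real_dst:
            return r.name, _rewrite(src, r.real_src, r.mapped_src), _rewrite(dst, r.real_dst, r.mapped_dst)
    return None, src, dst


def translate_inbound(rules: List[TwiceNatRule], src: IPv4Address, dst: IPv4Address
                      ) -> Tuple[Optional[str], IPv4Address, IPv4Address]:
    """Packet entering the mapped (OUTSIDE) interface: the packet's destination is matched
    against the rule's mapped source, its source against the rule's mapped destination,
    and the first hit undoes the translation."""
    for r in rules:
        if dst in r.mapped_src and src in r.mapped_dst:
            return r.name, _rewrite(src, r.mapped_dst, r.real_dst), _rewrite(dst, r.mapped_src, r.real_src)
    return None, src, dst


# Objects exactly as defined in the thread.
VPNL2L_SRC = ip_network("192.168.93.164/32")      # real inside host
VPNL2L_SRC_NAT = ip_network("10.195.10.164/32")   # address the peer expects to see
VPNNONAT_SRC = ip_network("10.195.10.164/32")     # same mapped address, used as a "real" source
VPNL2L_DST = ip_network("10.168.0.85/32")         # remote host behind the peer

NONAT_RULE = TwiceNatRule("VPNnonat-SRC identity", VPNNONAT_SRC, VPNNONAT_SRC, VPNL2L_DST, VPNL2L_DST)
L2L_RULE = TwiceNatRule("VPNL2L-src -> VPNL2L-SRC-NAT", VPNL2L_SRC, VPNL2L_SRC_NAT, VPNL2L_DST, VPNL2L_DST)

ORIGINAL_CONFIG = [NONAT_RULE, L2L_RULE]   # order from the first post
FIXED_CONFIG = [L2L_RULE]                  # after "no nat ... VPNnonat-SRC ..."

INSIDE_HOST = IPv4Address("192.168.93.164")
REMOTE_HOST = IPv4Address("10.168.0.85")


def forward_path_mapped_source(rules: List[TwiceNatRule]) -> Tuple[Optional[str], str]:
    """Ping from the inside host to 10.168.0.85: which rule matched and what source the peer sees."""
    name, mapped_src, _ = translate_outbound(rules, INSIDE_HOST, REMOTE_HOST)
    return name, str(mapped_src)


def return_path(rules: List[TwiceNatRule]) -> Tuple[Optional[str], str, bool]:
    """Reply from 10.168.0.85 to 10.195.10.164 arriving on OUTSIDE: matched rule,
    destination after untranslation, and whether that is the real inside host."""
    name, _, real_dst = translate_inbound(rules, REMOTE_HOST, IPv4Address("10.195.10.164"))
    return name, str(real_dst), real_dst == INSIDE_HOST


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, "outbound:", forward_path_mapped_source(cfg))
        print(label, "inbound: ", return_path(cfg))
```

Run as-is it shows that the outbound direction is identical in both configurations (the peer sees 10.195.10.164 either way, matching the encaps counters Walter saw), while only the fixed configuration delivers the return traffic to 192.168.93.164. The same ordering effect is what `packet-tracer` on the OUTSIDE interface reports in its NAT phase, which is why the reply above asked for it.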