ASA 8.4(4) - L2L IPsec VPN doesn't see interesting traffic unless it's via the default route

Hi,

I'm setting up a simple LAN to LAN IKEv1 VPN between a couple of ASA 5510s.

Using the sample config published in the 8.4 configuration guide I am able to establish a VPN tunnel between the sites, but ONLY if the default gateway is set on each of the ASAs via the path the tunnel will be taking. It doesn't work if I set static routes on the ASAs which include the peer ASA's outside IP address (I've even tried adding the remote site IP ranges as static routes pointing at the gateway towards the opposite site to see if that would help).

It's a strange one as I wouldn't have expected this behavior. I am not using NAT (or NAT exempt) as I do not believe this should be required with this version of ASA.

I've seen another posting on the forums which seems to be the same issue, but their solution seemed to be to use a NAT exempt to give the ASA the correct egress interface - I've tried the same and it hasn't worked, plus that sounds like it would have been a workaround at best.

FYI - A default route will be used in this system but not between the two sites, hence why I cannot leave it set for the intersite link to get this working.

Any ideas please?

Thanks

Paul

3 Replies

Jouni Forss
VIP Alumni

Hi,

So are you saying that you are doing the L2L VPN on both ASAs on a different link than the actual WAN/Internet?

Have you taken the output of "packet-tracer" on the CLI of the ASAs when you have tested the connections without the default routes?

The NAT configuration requirements depend on your other NAT configurations, even in the new software. If you for example have a Dynamic PAT or Dynamic NAT configured for that interface then you will have to configure the NAT0 / NAT Exempt with the Twice NAT format of the new software. If you don't, traffic will possibly match the default Dynamic PAT / NAT rule and therefore not match the actual interesting traffic of the L2L VPN.

Though in your case I don't know if you have any other NAT configurations towards the link doing the L2L VPN. To be honest I have never had the need to configure VPNs out of any other link than the link already holding the default route.

Also, without seeing any configurations it's hard to check for any possible problems or even try to reproduce the situation myself.

- Jouni

Hi Jouni,

Correct, the tunnel is going over a different private wan link than the path (default route) going to the Internet over another interface.

I'm not using any NAT at all in the configuration, no statics or dynamics (not required).

I've simply used the example from the 8.4 configuration guide but I'll paste some sanitized configs on here later with packet traces.

What I tend to find is, as soon as there is a default route on the firewall, the traffic which should match the crypto acl and be sent across the VPN is instead sent unencrypted via the default route. So the tunnel therefore never comes up.
If I make the routes between the ASAs the default route temporarily, then the traffic matches the crypto map, the tunnel comes up and traffic traverses OK.
If I remove the default routes altogether then the ASA cannot find an egress interface and drops the traffic.

I'll paste more info and exact messages in a few hours.

Thanks for your reply.

Paul

Sent from Cisco Technical Support iPhone App

To my understanding, in this case you should have two static routes:

1. Route towards the remote private subnet, pointing to the address reachable through the interface connected to your private WAN. This route should direct traffic towards that interface and hit the proxy ACL (crypto ACL).

2. Route towards the remote peer WAN IP, also reachable through the interface connected to your private WAN. This route is needed for the already encrypted traffic to actually leave the router and be sent to the opposite VPN peer.

These two routes should have the longest match in the ASA's routing table and be chosen for VPN tunnel establishment.

You said that you've already tried this, and if you did it all correctly, I don't understand why it didn't work. Are those two ASAs directly connected? If not, did you configure the static route to point to the opposite ASA's WAN IP, or to the device directly connected to the outside interface of the ASA?

Plus, as said above, you shouldn't have a situation where any NAT rule directs traffic towards your Internet-connected interface, where the default route is set.
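Putting the two static routes from the reply above together with the twice-NAT identity rule Jouni described, here is a constructed ASA 8.4 configuration fragment for one side of the tunnel. It is an added example, not config from any poster or from the 8.4 guide; the interface names (outside, privwan), all addresses (documentation ranges) and the pre-shared key placeholder are assumptions.

```cisco
! Assumed addressing (constructed for this example, documentation ranges):
!   inside  : 10.1.1.0/24 local LAN
!   outside : Internet link, default gateway 203.0.113.1
!   privwan : private WAN link, next hop 192.168.100.2
!   remote peer WAN address 192.168.200.1, remote LAN 10.2.2.0/24
object network LOCAL-LAN
 subnet 10.1.1.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.2.2.0 255.255.255.0

! The default route stays on the Internet-facing interface
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! Route 1: remote private subnet via the private WAN next hop (longer match than the default)
route privwan 10.2.2.0 255.255.255.0 192.168.100.2 1
! Route 2: remote peer WAN address via the same next hop, for the ISAKMP/ESP packets
route privwan 192.168.200.1 255.255.255.255 192.168.100.2 1

! Identity (NAT exempt) rule in the 8.4 twice-NAT form, only needed if other NAT rules exist;
! route-lookup makes the egress interface follow the routing table rather than the NAT rule
nat (inside,privwan) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup

! Crypto ACL: the interesting traffic
access-list L2L-ACL extended permit ip object LOCAL-LAN object REMOTE-LAN

crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable privwan

tunnel-group 192.168.200.1 type ipsec-l2l
tunnel-group 192.168.200.1 ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-PSK>

crypto ipsec ikev1 transform-set TS-AES esp-aes esp-sha-hmac
crypto map PRIVWAN-MAP 10 match address L2L-ACL
crypto map PRIVWAN-MAP 10 set peer 192.168.200.1
crypto map PRIVWAN-MAP 10 set ikev1 transform-set TS-AES
crypto map PRIVWAN-MAP interface privwan

! Check: the ROUTE-LOOKUP phase should report privwan as the egress interface, followed by a VPN encrypt phase
packet-tracer input inside tcp 10.1.1.10 12345 10.2.2.10 80
```

If packet-tracer shows the packet leaving via outside instead, compare the route table (`show route`) and the NAT rules (`show nat`) to find which one is steering the flow away from privwan.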