02-11-2022 01:34 AM
Hello everyone,
We have an IPsec site-to-site VPN between a Cisco router and a Cisco ASA. The ASA has a static IP, and the router has a dynamic public IP. When I run show crypto ipsec sa I see that packets on the ASA are decapsulated, but not encapsulated when going back.
Does anyone know any solution for this problem?
Thanks
02-11-2022 01:38 AM
@mirza.dzafic1 possibly a NAT issue, do you have a NAT exemption rule between the local and remote VPN networks to ensure traffic is not unintentionally translated?
Example:
object network LOCAL
subnet 20.1.1.0 255.255.255.0
object network REMOTE
subnet 10.1.1.0 255.255.255.0
!
nat (INSIDE,OUTSIDE) source static LOCAL LOCAL destination static REMOTE REMOTE
02-11-2022 01:40 AM
Hello @Rob Ingram
Yes, I have a NAT exemption rule between the ASA local network and the Cisco router local network.
02-11-2022 01:42 AM
@mirza.dzafic1 OK, from the ASA run packet-tracer from the CLI to simulate the traffic flow - provide the output for review.
Provide the output of "show nat detail".
02-11-2022 01:53 AM - edited 02-11-2022 05:52 AM
@Rob Ingram I attached the requested file.
02-11-2022 01:56 AM
@mirza.dzafic1 have you got a VPN Filter configured?
Phase: 10
Type: ACCESS-LIST
Subtype: filter-aaa
Result: DROP
Provide your configuration if unsure.
02-11-2022 02:03 AM
I am not sure about the VPN filter, but I didn't configure it. I attached the configuration for the VPN on the Cisco ASA side.
02-11-2022 02:09 AM
@mirza.dzafic1 not enough information. The VPN filter is configured under the group policy (which is associated to the tunnel group), using the command syntax "vpn-filter value XXXXX" <<< look for this command in your configuration. Remove it or amend the associated ACL to permit the traffic.
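As an added illustration of both options in the answer above (remove the filter, or amend its ACL), not taken from the thread or from the poster's configuration: an ASA configuration fragment that assumes the LOCAL 20.1.1.0/24 and REMOTE 10.1.1.0/24 networks from the NAT exemption example earlier in the thread, a hypothetical group policy named L2L-GP, and hypothetical ACL names.

```cisco
! Constructed example, not the original poster's configuration.
! Assumed: local 20.1.1.0/24 behind INSIDE, remote 10.1.1.0/24 over the tunnel,
! group policy L2L-GP (hypothetical name) attached to tunnel-group DefaultL2LGroup.
!
! Starting point: a vpn-filter whose ACL does not match the tunnel traffic.
! vpn-filter ACLs are evaluated with the REMOTE network as source and the LOCAL
! network as destination, and the ASA applies the same entries to the return
! direction. An ACE written local -> remote therefore never matches, so
! packet-tracer reports the drop at "Type: ACCESS-LIST / Subtype: filter-aaa".
access-list VPN-FILTER-BROKEN extended permit ip 20.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0
!
group-policy L2L-GP internal
group-policy L2L-GP attributes
 vpn-filter value VPN-FILTER-BROKEN
!
tunnel-group DefaultL2LGroup general-attributes
 default-group-policy L2L-GP
!
! Option 1 (what the poster did): detach the filter from the group policy.
group-policy L2L-GP attributes
 no vpn-filter
!
! Option 2: keep a filter, but write the ACE remote -> local so it matches.
access-list VPN-FILTER-OK extended permit ip 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0
group-policy L2L-GP attributes
 vpn-filter value VPN-FILTER-OK
!
! Verify: the phase that previously showed "Result: DROP" should now allow,
! and the encaps counter in "show crypto ipsec sa" should start incrementing.
packet-tracer input INSIDE icmp 20.1.1.10 8 0 10.1.1.10 detailed
show running-config group-policy L2L-GP
show crypto ipsec sa
```

Option 1 removes all filtering on the tunnel; option 2 is the least-privilege choice when only specific traffic should cross the VPN, so prefer it in production once the ACL direction is understood.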
02-11-2022 02:30 AM
Hi Rob. Thanks for the detailed instructions. tunnel-group DefaultL2LGroup had a group policy, and in that group policy was a vpn-filter. I removed the vpn-filter and it seems everything is OK now.
Thank you very much.