06-07-2007 02:06 PM
I have a new ASA 5520 running 7.2 that has a tunnel to a Concentrator 3030. The tunnel comes up fine, but I only see data being transmitted from the ASA and not received. The concentrator shows both received and transmitted data. The data is originating from the ASA.
The topology is very simple for the ASA: Internet -> ASA -> Private network.
The tunnel comes up right away and sends traffic, but I don't even see it come back on the outside interface.
06-08-2007 02:16 AM
Please check if your ASA contains the following command:
sysopt connection permit-ipsec
If the problem still exists, post the config file of ASA if possible.
--Jaffer
06-08-2007 05:54 AM
As Jaffer said,
Check that and also make sure you have NAT exempt configured properly.
Thanks
Gilbert
06-08-2007 11:57 AM
OK. I found my problem. Since I couldn't use my private IPs on the other side of the tunnel, I couldn't use NAT exempt.
I had to set up static NATs for my private IPs to a dedicated public IP each. I then set up an ACL that used those public IPs as interesting traffic for the tunnel. I had the vendor change his interesting traffic from my outside interface to the new public IPs. Since the tunnel had to be bi-directional I had to set up a separate public IP for each private IP, but I'm going to change that in the future to a one-way initiated tunnel so that I can policy NAT the private IPs to one public IP.
Thanks for all your help.
06-08-2007 10:16 AM
I had to cut some of the config out, but here it is. I think the problem may be that I don't have the NATing for it set up correctly.
I cannot exempt the traffic because it overlaps with the private network on the other side of the tunnel. So we removed the exempt rule and it sends the traffic through the tunnel, but I'm not seeing it come back. The other side sees the traffic come in and leave. I believe the private address is being PATed using the outside interface.
06-08-2007 12:14 PM
So from your inside, you are attempting to hit 4.4.6.1 and 4.4.5.1? If so, the far end would also have to NOT nat exempt.
Not sure about this but you may want to add crypto isakmp nat-traversal. Also, are you running "no sysopt conn permit-vpn"?
06-08-2007 12:39 PM
Your assumption is correct. I found my problem and documented it to another reply.
Basically what I had done was remove the NAT exempt because the other side can only tunnel with public IPs.
What I didn't do was create a static NAT for my private IPs. So I created two static NATs for the two private IPs that need to use the tunnel. I then changed my interesting traffic to the two public IPs in the NAT statements. The other side then had to change its interesting traffic to my new public IPs and it started working.
Since the tunnel needs to be bi-directional I am currently stuck with adding a static NAT for each device that needs to use the tunnel. I'm looking into fixing the app so that it can be a one-way tunnel and I can policy NAT multiple private IPs to one public IP. Not sure if this will ever happen.
Thanks for the help.
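For readers hitting the same overlapping-subnet problem, here is what the fix described in the two solution posts above looks like as an ASA 7.x config fragment. This is an added, constructed example and not the poster's own config: the addresses are RFC 5737 documentation ranges (10.10.10.0/24 inside, 203.0.113.0/24 as the ASA's public block, 192.0.2.1 as the vendor's peer, 198.51.100.10 as the vendor host), and the names VENDOR_VPN, OUTSIDE_MAP and ESP-AES-SHA are arbitrary. The key point it illustrates is that on the ASA outbound traffic is translated before it is matched against the crypto map, so once the hosts are statically NATed the crypto ACL on both ends must name the translated (public) addresses, not the private ones. The sysopt keyword is written in the 7.x form (permit-vpn); permit-ipsec is the older PIX spelling mentioned earlier in the thread.

```cisco
! Constructed example (not the poster's config). Addresses are documentation ranges.
!
! One-to-one static NAT: each private host that must be reachable through the
! tunnel gets its own dedicated public address. Static is required because the
! vendor initiates connections too; interface PAT only supports inside-initiated flows.
static (inside,outside) 203.0.113.21 10.10.10.21 netmask 255.255.255.255
static (inside,outside) 203.0.113.22 10.10.10.22 netmask 255.255.255.255
!
! Everything else on the inside keeps using interface PAT, unchanged.
global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0
!
! Interesting traffic is written with the POST-NAT (public) source addresses,
! because the ASA applies NAT before it evaluates the crypto map for outbound
! packets. The vendor's mirror ACL must name the same public addresses as its
! destination, which is the change the poster had the vendor make.
access-list VENDOR_VPN extended permit ip host 203.0.113.21 host 198.51.100.10
access-list VENDOR_VPN extended permit ip host 203.0.113.22 host 198.51.100.10
!
! Phase 1 (IKEv1) and the LAN-to-LAN tunnel group for the vendor peer.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 pre-shared-key <shared-secret>
!
! Phase 2: bind the interesting-traffic ACL to the peer and apply the map.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VENDOR_VPN
crypto map OUTSIDE_MAP 10 set peer 192.0.2.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
!
! Let decrypted tunnel traffic bypass the outside interface ACL.
sysopt connection permit-vpn
```

To confirm the fix rather than infer it from the far end's counters, check both directions on the ASA itself: `show crypto ipsec sa peer 192.0.2.1` should show the #pkts encaps and #pkts decaps counters both incrementing (the original symptom was encaps rising with decaps stuck at zero), and `show xlate` should list the two static translations so that returning packets addressed to 203.0.113.21/22 can be un-NATed to the inside hosts. With interface PAT instead of static NAT, the vendor has no stable per-host address to put in its crypto ACL and no way to originate a connection to the inside host, which is why the many-to-one policy NAT variant the poster mentions only works once the tunnel is made strictly one-way.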
06-08-2007 12:48 PM
Good to know, I wonder why it didn't work with PAT?