Client w/2 ISP - NAT not working - ASA 9.1

Legend Films
Level 1

We have a customer with 2 ISPs and wants to create a failover VPN solution.

In our ASA 5550, we've been able to create tunnel connections using both the primary and secondary IPs.  It seems the packets are getting dropped in NAT when the second connection is active.  I've run a packet capture and can see packets being received by the inside interface, but no packets on the outside interface.

Naturally there is no activity on the other side.

When the primary IP is up, everything works as planned.  Posting here to see if anyone has an idea what I'm overlooking. 

tunnel-group CLIENT_PRIMARY_IP type ipsec-l2l
tunnel-group CLIENT_PRIMARY_IP general-attributes
 default-group-policy GroupPolicy_CLIENT_PRIMARY_IP
tunnel-group CLIENT_PRIMARY_IP ipsec-attributes
 ikev1 pre-shared-key *****

tunnel-group CLIENT_SECONDARY_IP type ipsec-l2l
tunnel-group CLIENT_SECONDARY_IP general-attributes
 default-group-policy GroupPolicy_CLIENT_PRIMARY_IP
tunnel-group CLIENT_SECONDARY_IP ipsec-attributes
 ikev1 pre-shared-key *****

crypto map outside_map 10 match address outside_cryptomap_2
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer CLIENT_PRIMARY_IP CLIENT_SECONDARY_IP
crypto map outside_map 10 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 10 set security-association lifetime kilobytes unlimited

group-policy GroupPolicy_CLIENT_PRIMARY_IP internal
group-policy GroupPolicy_CLIENT_PRIMARY_IP attributes
 vpn-idle-timeout none
 vpn-filter value psi_acl
 vpn-tunnel-protocol ikev1

access-list outside_cryptomap_2 extended permit ip object-group A_LOCAL_NETWORK object DEST_NETWORK_OBJ

access-list psi_acl extended permit icmp object-group A_DEST_NETWORK any
access-list psi_acl extended permit tcp object-group A_DEST_NETWORK object LOCAL_SERVER_DMZ3

nat (DMZ3,outside) source static A_LOCAL_NETWORK A_LOCAL_NETWORK destination static A_DEST_NETWORK A_DEST_NETWORK no-proxy-arp route-lookup

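As an added example (not from the original post, and not a Cisco tool), a small Python checker that reads the configuration lines posted above and flags two things worth verifying before chasing the NAT drop: every peer named in the crypto map has its own tunnel-group, and the crypto-map ACL and the identity-NAT rule refer to the same object names (in the post the crypto ACL uses DEST_NETWORK_OBJ while the NAT rule uses A_DEST_NETWORK). The config sample is constructed from the post, placeholders included.

```python
import re

# Constructed sample: the relevant lines from the posted configuration.
ASA_CONFIG = """
tunnel-group CLIENT_PRIMARY_IP type ipsec-l2l
tunnel-group CLIENT_SECONDARY_IP type ipsec-l2l
crypto map outside_map 10 match address outside_cryptomap_2
crypto map outside_map 10 set peer CLIENT_PRIMARY_IP CLIENT_SECONDARY_IP
access-list outside_cryptomap_2 extended permit ip object-group A_LOCAL_NETWORK object DEST_NETWORK_OBJ
nat (DMZ3,outside) source static A_LOCAL_NETWORK A_LOCAL_NETWORK destination static A_DEST_NETWORK A_DEST_NETWORK no-proxy-arp route-lookup
"""

OBJ = r"(?:object-group|object) (\S+)"  # 'object' or 'object-group' followed by its name


def parse(config):
    """Collect the pieces of a site-to-site VPN that have to agree with each other."""
    cfg = {"tunnel_groups": set(), "peers": {}, "match_acl": {}, "acls": {}, "nat": []}
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            cfg["tunnel_groups"].add(m[1])
        elif m := re.match(r"crypto map (\S+ \d+) set peer (.+)", line):
            cfg["peers"][m[1]] = m[2].split()          # primary first, then backup peers
        elif m := re.match(r"crypto map (\S+ \d+) match address (\S+)", line):
            cfg["match_acl"][m[1]] = m[2]              # crypto ACL name per map entry
        elif m := re.match(rf"access-list (\S+) extended permit \S+ {OBJ} {OBJ}", line):
            cfg["acls"].setdefault(m[1], []).append((m[2], m[3]))   # (source, destination)
        elif m := re.match(r"nat \((\S+),(\S+)\) source static (\S+) \S+ destination static (\S+)", line):
            cfg["nat"].append({"ifaces": (m[1], m[2]), "src": m[3], "dst": m[4]})
    return cfg


def peers_without_tunnel_group(cfg):
    """Each peer in 'set peer' needs a matching tunnel-group, or IKE with that peer cannot complete."""
    named = {p for peers in cfg["peers"].values() for p in peers}
    return sorted(named - cfg["tunnel_groups"])


def crypto_nat_object_mismatches(cfg):
    """Compare each crypto-ACL entry with the identity-NAT rules and report differing object names.
    A different name is not necessarily a different network, but it is the first thing to check."""
    out = []
    for entry, acl_name in cfg["match_acl"].items():
        for src, dst in cfg["acls"].get(acl_name, []):
            for rule in cfg["nat"]:
                if (rule["src"], rule["dst"]) != (src, dst):
                    out.append((entry, (src, dst), (rule["src"], rule["dst"])))
    return out


if __name__ == "__main__":
    parsed = parse(ASA_CONFIG)
    print("peers without tunnel-group:", peers_without_tunnel_group(parsed))
    print("crypto ACL vs NAT object mismatches:", crypto_nat_object_mismatches(parsed))
```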

2 Replies

Legend Films
Level 1

Please note, they have two ISPs, we do not.

Legend Films
Level 1

I realize I didn't post the interface access-lists. I don't think there is a problem here, since it works with the primary and there is a DENY notice in the syslog.

access-list DMZ3_access_in extended permit icmp DMZ3_NETWORK DMZ3_NETMASK any

access-list outside_access extended permit icmp object-group A_DEST_NETWORK object LOCAL_SERVER_DMZ3 log debugging
access-list outside_access extended permit tcp object-group A_DEST_NETWORK object LOCAL_SERVER_DMZ3 object-group TCP_SERVICE_GROUP