Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
432
Views
0
Helpful
1
Replies

Dynamic Router to Static ASA tunnel is up not sending traffic

chrisbuchner
Level 1
Level 1

‎02-23-2021 10:47 AM - edited ‎02-23-2021 10:48 AM

Hi All,

I have a 4321 router with dynamic LTE IP and 5506X ASA with static IP. I have the tunnel up but for the life of me cant get the combination right for the traffic to pass.

 

ASA side has other networks behind it that needs to be reached by the Router.

 

OTHER-NETWORKS<----INSIDEINTERFACE---->STATIC-ASA <-----Internet----->DYNAMIC-ROUTER

 

ASA:

IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: REMOTE_DYNAMIC_IP
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE

 

 

object-group network LAN_NETWORKS
network-object 10.0.0.0 255.0.0.0
network-object 172.160.0.0 255.240.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
network-object object obj_any

 

object-group network MANNHEIM_WH_NETWORKS
network-object 10.170.124.160 255.255.255.224

 

access-list MANNHEIM_WH_VPN_ACL extended permit ip object-group LAN_NETWORKS object-group MANNHEIM_WH_NETWORKS

 

nat (inside,outside) source static LAN_NETWORKS LAN_NETWORKS destination static MANNHEIM_WH_NETWORKS MANNHEIM_WH_NETWORKS route-lookup

 

crypto ipsec ikev1 transform-set tset esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dynmap 1 match address MANNHEIM_WH_VPN_ACL <---- is this okay?
crypto dynamic-map dynmap 1 set ikev1 transform-set tset
crypto map dyn-map 10 ipsec-isakmp dynamic dynmap

crypto map dyn-map interface outside

 

Router:

 

ip access-list extended CMAP_ACL
permit ip 10.170.124.160 0.0.0.31 10.0.0.0 0.255.255.255
permit ip 10.170.124.160 0.0.0.31 172.160.0.0 0.15.255.255
permit ip 10.170.124.160 0.0.0.31 172.16.0.0 0.15.255.255
permit ip 10.170.124.160 0.0.0.31 192.168.0.0 0.0.255.255
permit ip 10.170.124.160 0.0.0.31 any


ACL is added to the crypto map which is added to the interface.

 

What am I missing!

 

Labels:
0 Helpful
1 Reply 1

Sheraz.Salim
VIP
VIP

‎02-23-2021 10:58 AM - edited ‎02-23-2021 11:01 AM

try this.

crypto dynamic-map outside_dyn_map 1 set ikev1 transform-set tset
crypto dynamic-map outside_dyn_map 1 set reverse-route 
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside 
crypto ikev1 enable outside

 and here  this will clear your understanding

please do not forget to rate.
0 Helpful
Customers Also Viewed These Support Documents