07-20-2015 06:20 AM
I have an ASA 5505 connecting in via EasyVPN to an ASA 5510. The tunnel comes up (both ISAKMP and IPSEC create a security association), but traffic is not flowing both ways. If I ping from the network with the hub (5510), I can ping a node on the remote network (5505) side. If I ping the other way around, I cannot ping devices on the hub network. Here are the relevant configs:
ASA5510:
crypto dynamic-map dynmap 10 set transform-set 3des-md5 3des-sha des-md5 des-sha aes-256-md5
crypto dynamic-map dynmap 10 set reverse-route
crypto map VPN 20 ipsec-isakmp dynamic dynmap
crypto map VPN interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 73
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 3600
crypto isakmp ipsec-over-tcp port 10000
group-policy MPEZvpn internal
group-policy MPEZvpn attributes
dns-server value 192.168.36.2 192.168.253.3
dhcp-network-scope 172.16.64.0
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelall
default-domain value morganusa.local
nem enable
webvpn
svc keep-installer installed
svc ask enable default webvpn timeout 5
username fortworth password XXXXXX encrypted
tunnel-group MPEZvpn type remote-access
tunnel-group MPEZvpn general-attributes
address-pool mpezvpn
default-group-policy MPEZvpn
dhcp-server 192.168.253.3
tunnel-group MPEZvpn webvpn-attributes
radius-reject-message
group-alias MPEZvpn enable
tunnel-group MPEZvpn ipsec-attributes
pre-shared-key *
and the show crypto ipsec sa:
Crypto map tag: dynmap, seq num: 10, local addr: XX.XX.XX.XX
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.136.0/255.255.255.0/0/0)
current_peer: 66.60.73.202, username: fortworth
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 110, #pkts encrypt: 110, #pkts digest: 110
#pkts decaps: 3282, #pkts decrypt: 3282, #pkts verify: 3282
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 110, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: XX.XX.XX.XX/4500, remote crypto endpt.: XX.XX.XX.XX/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 308103ED
inbound esp sas:
spi: 0xA9A6DA42 (2846284354)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 258048, crypto-map: dynmap
sa timing: remaining key lifetime (sec): 26480
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x308103ED (813761517)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 258048, crypto-map: dynmap
sa timing: remaining key lifetime (sec): 26480
IV size: 8 bytes
replay detection support: Y
ASA 5505 side:
vpnclient server XX.XX.XX.XX
vpnclient mode network-extension-mode
vpnclient vpngroup MPEZvpn password ********
vpnclient username fortworth password ********
vpnclient management tunnel 192.168.136.0 255.255.255.0
vpnclient enable
Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.123.126
access-list _vpnc_acl permit ip 192.168.136.0 255.255.255.0 any
local ident (addr/mask/prot/port): (192.168.136.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: XX.XX.XX.XX, username: XX.XX.XX.XX
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 3391, #pkts encrypt: 3391, #pkts digest: 3391
#pkts decaps: 110, #pkts decrypt: 110, #pkts verify: 110
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3391, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.123.126/4500, remote crypto endpt.: XX.XX.XX.XX/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: A9A6DA42
inbound esp sas:
spi: 0x308103ED (813761517)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 1, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 26287
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xA9A6DA42 (2846284354)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 1, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 26287
IV size: 8 bytes
replay detection support: Y
Once again, I can ping devices from the main network to the remote network, but not the other way around. Any ideas on what changes need to be made? The remote network is behind another firewall (ASA5505), doing NAT, but has all ports open on a static translate to the EasyVPN firewall.
Thanks!
07-20-2015 08:56 AM
Hi,
Check the NAT exempt for VPN traffic and that icmp inspect is enabled on the 5510.
HTH
Abaji.
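The counters quoted in the question already point the same way as this reply: the 5510 decapsulates 3282 packets from the spoke but only encapsulates 110 back, so spoke traffic arrives and is decrypted while the hub's replies are not re-entering the tunnel. The following script is an added example (not from the thread or from Cisco) that parses "show crypto ipsec sa" excerpts from both ends, checks that the proxy identities mirror each other, and flags that kind of return-path asymmetry; the sample text is constructed from the numbers in the post.

```python
"""Compare 'show crypto ipsec sa' output from both ends of an EasyVPN NEM tunnel."""
import re

# Sample text is constructed from the counters quoted in the post above.
HUB_SA = """\
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.136.0/255.255.255.0/0/0)
#pkts encaps: 110, #pkts encrypt: 110, #pkts digest: 110
#pkts decaps: 3282, #pkts decrypt: 3282, #pkts verify: 3282
"""
SPOKE_SA = """\
local ident (addr/mask/prot/port): (192.168.136.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
#pkts encaps: 3391, #pkts encrypt: 3391, #pkts digest: 3391
#pkts decaps: 110, #pkts decrypt: 110, #pkts verify: 110
"""

IDENT_RE = re.compile(r"^(local|remote) ident .*?: \(([\d.]+)/([\d.]+)/")
COUNT_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_sa(text):
    """Return {'local': (net, mask), 'remote': (net, mask), 'encaps': n, 'decaps': n}."""
    sa = {}
    for line in text.splitlines():
        m = IDENT_RE.match(line.strip())
        if m:
            sa[m.group(1)] = (m.group(2), m.group(3))
        for name, value in COUNT_RE.findall(line):
            sa[name] = int(value)
    return sa

def diagnose(hub, spoke):
    """Compare both ends; return a list of findings (empty list means nothing odd)."""
    findings = []
    # Proxy identities must mirror each other or the SA would not have formed.
    if hub["local"] != spoke["remote"] or hub["remote"] != spoke["local"]:
        findings.append("proxy identities do not mirror")
    # What one side encapsulates the other should decapsulate (small drift is normal).
    if hub["encaps"] > spoke["decaps"] or spoke["encaps"] < hub["decaps"]:
        findings.append("counters inconsistent between peers")
    # Hub decrypts far more than it encrypts: spoke traffic arrives, but hub replies
    # are not entering the tunnel. Check NAT exemption and ICMP inspection on the hub.
    if hub["decaps"] > 10 * max(hub["encaps"], 1):
        findings.append("hub return traffic not entering tunnel")
    return findings

if __name__ == "__main__":
    for f in diagnose(parse_sa(HUB_SA), parse_sa(SPOKE_SA)):
        print("finding:", f)
```

The 10:1 threshold is an assumption chosen for this post's numbers; tune it to the traffic mix on your own tunnel.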