08-05-2019 01:57 PM - edited 02-21-2020 09:43 PM
Our office has a few branches around town and currently we have ASA 5515-Xs at all locations. Between two of the locations we now have an IPsec/IKEv2 VPN tunnel that works flawlessly. I am attempting to establish another tunnel between the main branch and the newest branch. I can get the tunnel to work from one side only. Meaning from the third location, I can access my servers and all other resources at the main branch, but I cannot access (even ping) anything at the 3rd location from the main branch at all.
I used the Site to Site VPN wizard just like I did when I set up the first tunnel. Last time it came up and worked perfectly. Now, it is baffling me that I can ping, access file shares, and all of that from one side, but not the other. Anyone have any idea where to start looking?
08-06-2019 10:37 AM - edited 08-06-2019 10:43 AM
OK, the problem is your dynamic NAT rule (rule number 2) is above the NAT exemption rule you have defined between APDO and POMS (rule number 8). Therefore the traffic is being natted behind the outside interface.
2 (Inside) to (Outside) source dynamic any interface
translate_hits = 15695867, untranslate_hits = 2052342
|
|
8 (Inside) to (Outside) source static APDO APDO destination static POMS POMS no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
Move the dynamic rule to Manual NAT Section 3 (after-auto)
HTH
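As an added illustration (not part of this thread or of any Cisco tool), a small Python check that parses "show nat" rule lines like the ones quoted above, flags any NAT exemption that sits below a catch-all dynamic rule on an overlapping interface pair, and models the after-auto move. The sample text is constructed from rules 1, 2 and 8 of this thread; the line-format regex is an assumption about the ASA output.

```python
import re
# Constructed sample: rules 1, 2 and 8 from the thread's "show nat" output.
SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (Inside) to (Outside) source static APDO APDO destination static APDWEST APDWEST no-proxy-arp route-lookup
    translate_hits = 3706978, untranslate_hits = 4325356
2 (Inside) to (Outside) source dynamic any interface
    translate_hits = 15695867, untranslate_hits = 2052342
8 (Inside) to (Outside) source static APDO APDO destination static POMS POMS no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0
"""

RULE_RE = re.compile(
    r"^(?P<num>\d+) \((?P<src_if>[^)]+)\) to \((?P<dst_if>[^)]+)\) "
    r"source (?P<kind>static|dynamic) (?P<real>\S+) (?P<mapped>\S+)"
    r"(?: destination static (?P<dreal>\S+) (?P<dmapped>\S+))?"
)

def parse_show_nat(text):
    """Return the manual NAT rules as dicts, in the order the ASA evaluates them."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:  # hit-count and header lines do not match and are skipped
            rules.append(m.groupdict())
    return rules

def is_exemption(rule):
    """Identity (NAT-exempt) rule: real equals mapped for both source and destination."""
    return (rule["kind"] == "static" and rule["real"] == rule["mapped"]
            and rule["dreal"] is not None and rule["dreal"] == rule["dmapped"])

def overlap(a, b):
    return a == b or "any" in (a, b)

def shadowed_exemptions(rules):
    """(exemption, dynamic) rule-number pairs where a catch-all dynamic rule comes first."""
    found = []
    for i, dyn in enumerate(rules):
        if dyn["kind"] == "dynamic" and dyn["real"] == "any":
            for later in rules[i + 1:]:
                if (is_exemption(later)
                        and overlap(dyn["src_if"], later["src_if"])
                        and overlap(dyn["dst_if"], later["dst_if"])):
                    found.append((later["num"], dyn["num"]))
    return found

def move_after_auto(rules, num):
    """Model the fix: 'after-auto' moves the rule to Section 3, evaluated last."""
    return [r for r in rules if r["num"] != num] + [r for r in rules if r["num"] == num]
```

Rule 1 is above the dynamic rule, which is why the APDWEST tunnel works; rule 8 is below it, so the check reports it as shadowed until the dynamic rule is moved last.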
08-06-2019 09:14 AM
The main office is the 10.0.0.0/16 network (APDO).
The second branch that works fine is the 192.168.200.0/24 network (APDWEST).
The third branch that does not work both ways is the 192.168.63.0/24 network (POMS).
Result of the command: "sho nat"
Manual NAT Policies (Section 1)
1 (Inside) to (Outside) source static APDO APDO destination static APDWEST APDWEST no-proxy-arp route-lookup
translate_hits = 3706978, untranslate_hits = 4325356
2 (Inside) to (Outside) source dynamic any interface
translate_hits = 15695867, untranslate_hits = 2052342
3 (any) to (Outside) source static APDO APDO destination static APDWEST APDWEST no-proxy-arp route-lookup
translate_hits = 183, untranslate_hits = 0
4 (Inside) to (Outside) source static NETWORK_OBJ_10.0.0.0_16 NETWORK_OBJ_10.0.0.0_16 destination static APDWEST APDWEST no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
5 (PubInet) to (Outside) source dynamic any interface
translate_hits = 794947, untranslate_hits = 28807
6 (any) to (Outside) source static APDO APDO destination static POMS POMS no-proxy-arp route-lookup
translate_hits = 6500, untranslate_hits = 6500
7 (Inside) to (Outside) source static NETWORK_OBJ_10.0.0.0_16 NETWORK_OBJ_10.0.0.0_16 destination static POMS POMS no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
8 (Inside) to (Outside) source static APDO APDO destination static POMS POMS no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
08-07-2019 08:13 AM
That worked like a champ. I knew it was something simple I was missing. Couldn't see the forest for the trees. lol
Thank you very much.
08-05-2019 04:27 PM
This, to me, proves there is nothing wrong with phase 1 or phase 2, so you will need to double-check:
- static route pointing to tunnel
- crypto map (interesting traffic)
- NAT exemption
Also run the packet tool to simulate traffic.
08-06-2019 09:33 AM
This is the result of the packet tracer. It drops due to an access rule, but I look at those and there aren't any that can even be edited from ASDM. I also included a snapshot of the access rules list.