06-04-2024 04:21 AM
Hi All,
I need help.
I have configured a site-to-site VPN on a Cisco ASA with a partner who is using openswan. My configuration on the ASA is as follows; however, traffic is not being encrypted to pass through the tunnel:
crypto ikev2 policy 60
encryption aes-256
integrity sha256
group 14
lifetime seconds 86400
----------IPsec Proposal (Transform set)--------------------
crypto ipsec ikev2 ipsec-proposal IB_PROPOSAL
protocol esp encryption aes-256
protocol esp integrity sha-256
--------Access-List for traffic to encrypt----------------------------------------------------
access-list ZECHL_IB extended permit ip 192.168.100.0 255.255.255.0 host 192.168.200.215
access-list ZECHL_IB extended permit ip host 192.168.100.18 host 192.168.200.215
--------Crypto map combining ACL, peer and IKEV2 Proposal----------------------------
crypto map TCIB_CRYPTO_MAP 1 match address ZECHL_IB
crypto map TCIB_CRYPTO_MAP 1 set peer public_address
crypto map TCIB_CRYPTO_MAP 1 set ikev2 ipsec-proposal IB_PROPOSAL
crypto map TCIB_CRYPTO_MAP interface OUTSIDE
------------------Tunnel group------------------------------------------
tunnel-group public_address type ipsec-l2l
tunnel-group public_address ipsec-attributes
ikev2 local-authentication pre-shared-key xxxxxxxxxxxxxxx
ikev2 remote-authentication pre-shared-key xxxxxxxxxxxxx
I can see incoming traffic from the partner, though, when they attempt to reach 192.168.100.18.
06-04-2024 08:44 AM - edited 06-04-2024 09:00 AM
As suspected, you are hitting this dynamic NAT rule and not a static identity NAT / NAT exempt rule:
nat (Inside,Outside) after-auto source dynamic ZECHL_LAN interface
Additional Information:
Dynamic translate 192.168.100.18/1234 to 41.77.145.66/1234
You need a static NAT rule exempting traffic from 192.168.100.0 255.255.255.0 to the remote host's real IP address.
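The following ASA configuration is an added example (not posted in the thread and not the OP's running config) of the static identity NAT rule the accepted solution describes, placed alongside the dynamic rule that packet-tracer showed the traffic hitting. The object names are assumptions; the interface names Inside/Outside are taken from the thread's own NAT rule, and the remote host address must be whatever real address appears in the crypto ACL ZECHL_IB.

```cisco
! --- The rule the traffic was matching (from the packet-tracer output in the thread) ---
! Dynamic PAT to the Outside interface address; in the "after-auto" section (section 3),
! so it only catches what no earlier rule translated.
nat (Inside,Outside) after-auto source dynamic ZECHL_LAN interface

! --- Added NAT exemption (identity NAT) for the tunnel traffic ---
! Object names are assumptions for this example.
object network ZECHL_LAN_VPN
 subnet 192.168.100.0 255.255.255.0
object network IB_REMOTE_HOST
 host 192.168.200.215
!
! Twice NAT rule in section 1: source and destination both translate to themselves,
! so the packet reaches the crypto map untranslated and matches access-list ZECHL_IB.
! Section 1 is evaluated before section 2 (auto NAT) and section 3 (after-auto).
! no-proxy-arp and route-lookup are the usual companions for an identity rule.
nat (Inside,Outside) 1 source static ZECHL_LAN_VPN ZECHL_LAN_VPN destination static IB_REMOTE_HOST IB_REMOTE_HOST no-proxy-arp route-lookup

! --- Verification ---
! Confirm the identity rule is listed first and its hit counter increments.
show nat detail
! Re-run the trace from the thread; the NAT phase should now show a static
! (untranslated) mapping rather than "Dynamic translate ... to 41.77.145.66".
packet-tracer input Inside tcp 192.168.100.18 1234 192.168.200.215 1234
```

In the packet-tracer output, the sign that the exemption is working is a NAT phase whose Config line is the static rule above and whose translation keeps the original source address, followed by the VPN encrypt phase; if "Dynamic translate" still appears, the identity rule is not matching (wrong objects, wrong interface pair, or ordered after the dynamic rule).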
06-04-2024 07:26 AM
You mentioned that you can see incoming traffic from the partner when they attempt to reach 192.168.100.18. Where do you see this?
Does your VPN come up? "show crypto ikev2 sa" and "show crypto ipsec sa" commands would give useful output.
06-04-2024 07:36 AM
see VPN status below:
06-04-2024 07:40 AM
VPN status:
06-04-2024 07:51 AM - edited 06-04-2024 07:51 AM
The crypto ipsec sa indicates your crypto map match has the remote host address as a public IP (13.246.56.215), not the private 192.168.200.215 address you indicated in the original post.
06-04-2024 07:54 AM
I amended the addresses in the initial post. However, the screens show the real addresses configured.
06-04-2024 08:02 AM
Can you share the full output of the following:
packet-tracer input inside tcp 192.168.100.<x> 1234 <real IP of remote host> 1234
(substitute the bracketed values with your actual source and destination host address).
06-04-2024 08:06 AM
Here are the packet tracer results:
06-04-2024 08:13 AM
CLI output please - we need to see the NAT details to confirm your NAT exempt is applied and working as intended.
06-04-2024 08:39 AM
06-04-2024 08:57 AM
Hi Marvin, the solution has worked. Thank you very much.
06-04-2024 08:44 AM
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside,Outside) after-auto source dynamic ZECHL_LAN interface
Additional Information:
Dynamic translate 192.168.100.18/1234 to 41.77.145.66/1234
This is surely an issue of NAT exemption.
Your traffic is NATed before it is encrypted.
MHM
06-04-2024 08:45 AM
----------------Additional Packet tracer
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop x.77.145.x using egress ifc Outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group global_access global
access-list global_access extended permit ip any any
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 21907, packet dispatched to next module
Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow
06-04-2024 07:42 AM
Right - that's the ikev2 sa and it looks OK. What about the IPsec SA - do you show encaps and decaps both?
Did you confirm the NAT exemption as suggested by @MHM Cisco World?