Site to Site through another ASA

jstickler
Level 1

Hello,


I am having problems with a site-to-site connection we have. We have one device (c) that is connecting in via a dynamic site-to-site connection to site (a). When it is on a cellular connection everything is working correctly and we have two-way traffic.

We have another site (b) that has an ASA on it that provides wireless. When (c) is behind the wireless connection provided at (b) we have one-way traffic between (a) and (c). I have tried doing some research, but there is little documentation on setting up a site-to-site tunnel that goes through an ASA that is in the middle.


Thanks!

3 Replies

GioGonza
Level 4

Hello @jstickler


In this case you have to check the ports for the connection:


IP Protocol Type=UDP, UDP Port Number=500 <- Used by IKEv1 (IPSec control path)
IP Protocol Type=UDP, UDP Port Number=4500 <- Used by IKEv1 (IPSec control path)
IP Protocol Type=ESP (value 50) <- Used by IPSec data path


If you say the traffic is only one way, that means the encrypted traffic (ESP packets) is having problems. You need to follow those packets and verify whether the ASA is dropping them; you can place an ASP capture for that:


capture asp type asp-drop all

show run | in x.x.x.x << IP for peer


You also need to place captures on the inside and outside interfaces to verify the correct flow of the traffic, especially ESP.


HTH 

Gio

Do you have NAT-Traversal enabled on both VPN ends? This is exactly what is expected when NAT-T is disabled and a PAT device is in the path.
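The two replies above boil down to one check: is the data path between (a) and (c) raw ESP (IP protocol 50, no ports for the PAT device at (b) to map) or ESP encapsulated in UDP/4500 (NAT-T)? The following script is an added example, not code from this thread or from Cisco; it constructs a handful of sample IPv4 packets in memory (hypothetical addresses 10.0.0.5 for the spoke behind PAT and 203.0.113.10 for the hub, fake payloads) and classifies each one the way you would when reading the inside/outside captures Gio suggests. It does not parse a real pcap; it only shows the classification logic, including the RFC 3948 rule that IKE on UDP/4500 starts with four zero bytes (the non-ESP marker) while ESP-in-UDP starts with a non-zero SPI.

```python
import struct
from collections import Counter
from dataclasses import dataclass

# Protocol constants named in the thread (UDP/500, UDP/4500, IP protocol 50).
UDP, ESP = 17, 50
IKE_PORT, NATT_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 marker for IKE carried on UDP/4500


@dataclass
class Verdict:
    kind: str       # "ike", "ike-natt", "esp-raw", "esp-udp", "other"
    pat_safe: bool  # can a PAT device in the path translate this packet?
    note: str


def build_ipv4(proto, src, dst, payload):
    """Build a minimal 20-byte IPv4 header (checksum left zero) for a constructed sample."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src_b, dst_b)
    return hdr + payload


def build_udp(sport, dport, payload):
    """Build a UDP header (checksum left zero) in front of the payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify(pkt):
    """Classify one IPv4 packet as IKE, NAT-T IKE, raw ESP, ESP-in-UDP, or other."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    body = pkt[ihl:]
    if proto == ESP:
        return Verdict("esp-raw", False, "raw ESP (IP proto 50) carries no ports for PAT to map")
    if proto != UDP or len(body) < 8:
        return Verdict("other", True, "not IKE/IPsec traffic")
    sport, dport = struct.unpack("!HH", body[:4])
    udp_payload = body[8:]
    if IKE_PORT in (sport, dport):
        return Verdict("ike", True, "IKE on UDP/500 (control path)")
    if NATT_PORT in (sport, dport):
        if udp_payload[:4] == NON_ESP_MARKER:
            return Verdict("ike-natt", True, "IKE on UDP/4500 (NAT-T control path)")
        return Verdict("esp-udp", True, "ESP encapsulated in UDP/4500 (NAT-T data path)")
    return Verdict("other", True, "UDP on a non-VPN port")


def diagnose(pkts):
    """Count packet kinds and say whether the data path would survive a PAT device."""
    counts = Counter(classify(p).kind for p in pkts)
    if counts["esp-raw"] and not counts["esp-udp"]:
        finding = "data path is raw ESP: NAT-T was not negotiated, expect one-way traffic behind PAT"
    elif counts["esp-udp"]:
        finding = "data path is ESP-in-UDP/4500: NAT-T is active, PAT can translate it"
    else:
        finding = "no ESP seen: check IKE (UDP/500, UDP/4500) before looking at the data path"
    return dict(counts), finding


# Constructed sample "capture" (hypothetical addresses): spoke 10.0.0.5 behind PAT, hub 203.0.113.10.
SAMPLE_NO_NATT = [
    build_ipv4(UDP, "10.0.0.5", "203.0.113.10", build_udp(500, 500, b"\x11" * 28)),
    build_ipv4(ESP, "10.0.0.5", "203.0.113.10", b"\x00\x01\x02\x03" + b"\xaa" * 40),
    build_ipv4(ESP, "203.0.113.10", "10.0.0.5", b"\x00\x04\x05\x06" + b"\xbb" * 40),
]
SAMPLE_NATT = [
    build_ipv4(UDP, "10.0.0.5", "203.0.113.10", build_udp(4500, 4500, NON_ESP_MARKER + b"\x11" * 28)),
    build_ipv4(UDP, "10.0.0.5", "203.0.113.10", build_udp(4500, 4500, b"\x00\x01\x02\x03" + b"\xaa" * 40)),
]

if __name__ == "__main__":
    for name, pkts in (("no NAT-T", SAMPLE_NO_NATT), ("NAT-T", SAMPLE_NATT)):
        counts, finding = diagnose(pkts)
        print(name, counts, "->", finding)
```

Run it as-is and the first sample reports raw ESP with no ESP-in-UDP, which is the pattern behind the one-way symptom in the original post: IKE on UDP/500 gets through the PAT device, but the ESP return traffic from the hub has no port for the PAT table to match. The second sample shows what the same exchange looks like once NAT-T is negotiated, with both IKE and ESP riding on UDP/4500.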

I think I see the issue. I have NAT-T enabled under the crypto maps, but not under the IKE parameters setting. I will schedule with the customer and let you know if that fixes it.


Thanks