Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1617
Views
0
Helpful
5
Replies

Site to site vpn Cisco ASA 5540 ver9

Go to solution
donnie
Level 1
Level 1

‎09-24-2020 06:46 AM

Hi all,

 

I have a site to site vpn between Cisco ASA 5540 (with private subnet 192.168.2.0/24 connected to this firewall) and Checkpoint firewall (with private subnet 192.168.1.0/24 connected to this firewall). Site to site vpn is configured to be established if interesting traffic is initiated from 192.168.1.0/24 -> 192.168.2.0/24 or 192.168.2.0/24 to 192.168.1.0/24). The vpn traffic from 192.168.1.0/24 -> 192.168.2.0/24 works fine but not the other way round 192.168.2.0/24 -> 192.168.1.0/24. On the ASA firewall logs i can see traffic initiated from 192.168.2.0/24 to 192.168.1.0/24 but on my checkpoint firewall logs i could not see the traffic from 192.168.2.0/24 to 192.168.1.0/24. What could be the issue? Could it be due to NAT exemption? As i did not configure NAT exemption for traffic from 192.168.2.0/24 to 192.168.1.0/24. Please advise. TIA! 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎09-24-2020 06:52 AM - edited ‎09-24-2020 07:29 AM

Hi @donnie 

If I understand your scenario correctly, yes it does seem that it could be a nat issue. If in your checkpoint firewall logs you could not see the traffic from 192.168.2.0/24 (ASA) to 192.168.1.0/24, you would need a NAT exemption rule on the ASA to ensure traffic is not unintentially natted.

 

If you run packet-tracer from the CLI of the ASA, that will give you a clue if traffic is currently being natted.

 

If you run "show crypto ipsec sa" check the encaps|decaps to confirm if the counters are increasing, that will also provide a clue as to where the issue is.

 

HTH

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Rob Ingram
VIP
VIP

‎09-24-2020 06:52 AM - edited ‎09-24-2020 07:29 AM

Hi @donnie 

If I understand your scenario correctly, yes it does seem that it could be a nat issue. If in your checkpoint firewall logs you could not see the traffic from 192.168.2.0/24 (ASA) to 192.168.1.0/24, you would need a NAT exemption rule on the ASA to ensure traffic is not unintentially natted.

 

If you run packet-tracer from the CLI of the ASA, that will give you a clue if traffic is currently being natted.

 

If you run "show crypto ipsec sa" check the encaps|decaps to confirm if the counters are increasing, that will also provide a clue as to where the issue is.

 

HTH

0 Helpful

Go to solution
donnie
Level 1
Level 1
In response to Rob Ingram

‎09-24-2020 05:47 PM

Hi Rob, 

 

If NAT exemption is the case, then traffic frm 192.168.2.0/24 (ASA) shld have an issue whenever 192.168.1.0/24 (checkpoint) initiated traffic to 192.168.2.0/24. But 192.168.1.0/24 can access 192.168.2.0/24 successfully for Web service and fileshare and I verified frm chkpoint the logs came frm the vpn blade. 

0 Helpful

Go to solution
donnie
Level 1
Level 1
In response to Rob Ingram

‎09-25-2020 10:42 PM

Hi Rob,

 

Tested and verified that enabling NAT exemption resolve the connectivity issue from 192.168.2.0/24 (ASA) to 192.168.1.0/24 (Checkpoint). But curious why return traffic from 192.168.2.0/24 (ASA) is able to work whenever 192.168.1.0/24 (checkpoint) initiated traffic to 192.168.2.0/24 (ASA) without NAT exemption enabled.

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to donnie

‎09-26-2020 12:08 AM

@donnie 

Glad to hear the issue is resolved.

I imagine traffic was unintentially NAT by another NAT rule, packet-tracer would have indicated which NAT rule traffic matched.

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎09-24-2020 06:52 AM

If check point side globally natted you need to Nat Exempt, you can view the Checkpoint smart dashboard log, why this packets dropping.

 

also check the access list allowed in checkpoint.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents