Site to site vpn Cisco ASA 5540 ver9

donnie
Level 1

Hi all,

I have a site to site VPN between a Cisco ASA 5540 (with private subnet 192.168.2.0/24 connected to this firewall) and a Checkpoint firewall (with private subnet 192.168.1.0/24 connected to this firewall). The site to site VPN is configured to be established if interesting traffic is initiated from 192.168.1.0/24 -> 192.168.2.0/24 or from 192.168.2.0/24 -> 192.168.1.0/24. The VPN traffic from 192.168.1.0/24 -> 192.168.2.0/24 works fine, but not the other way round, 192.168.2.0/24 -> 192.168.1.0/24. On the ASA firewall logs I can see traffic initiated from 192.168.2.0/24 to 192.168.1.0/24, but on my Checkpoint firewall logs I could not see the traffic from 192.168.2.0/24 to 192.168.1.0/24. What could be the issue? Could it be due to NAT exemption? As I did not configure NAT exemption for traffic from 192.168.2.0/24 to 192.168.1.0/24. Please advise. TIA!

Accepted Solution

Hi @donnie 

If I understand your scenario correctly, yes, it does seem that it could be a NAT issue. If in your Checkpoint firewall logs you could not see the traffic from 192.168.2.0/24 (ASA) to 192.168.1.0/24, you would need a NAT exemption rule on the ASA to ensure traffic is not unintentionally NATted.

If you run packet-tracer from the CLI of the ASA, that will give you a clue as to whether traffic is currently being NATted.

If you run "show crypto ipsec sa", check the encaps|decaps counters to confirm whether they are increasing; that will also provide a clue as to where the issue is.

HTH

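The NAT exemption and the two checks described in the accepted answer, written out as an added example in ASA 9.x syntax (this is not configuration from the original thread; the interface names "inside"/"outside", the object names and the placeholder peer address are assumptions):

```cisco
! Added example, not from the thread. Identity (twice) NAT so traffic between
! the two VPN subnets is left untranslated and still matches the crypto ACL.
! Interface names "inside"/"outside" and object names are assumptions.
object network LOCAL-NET
 subnet 192.168.2.0 255.255.255.0
object network REMOTE-NET
 subnet 192.168.1.0 255.255.255.0
!
! Manual NAT without "after-auto" lands in section 1, so it is evaluated
! before any dynamic PAT rule that would otherwise rewrite the source address.
nat (inside,outside) source static LOCAL-NET LOCAL-NET destination static REMOTE-NET REMOTE-NET no-proxy-arp route-lookup
!
! Check 1: simulate a host behind the ASA opening a connection to the
! Checkpoint side. The NAT phase names the rule that matched; with the
! exemption in place it should be the identity rule above, and a VPN
! encrypt phase should appear in the path.
packet-tracer input inside tcp 192.168.2.10 40000 192.168.1.10 443 detailed
!
! Check 2: confirm packets are actually being encrypted (#pkts encaps) and
! decrypted (#pkts decaps) for this peer. Replace the placeholder with the
! Checkpoint's public address.
show crypto ipsec sa peer <checkpoint-public-ip>
!
! Lists every NAT rule in evaluation order with hit counts, useful for
! spotting which rule was catching the traffic before the exemption.
show nat detail
```

Run the packet-tracer command once before and once after adding the identity rule: a source address that gets translated by an earlier dynamic rule no longer matches the crypto ACL, so the ASA forwards it in the clear and the Checkpoint never logs it as VPN traffic, which is consistent with what the original poster saw.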

5 Replies


Hi Rob,

If NAT exemption is the case, then traffic from 192.168.2.0/24 (ASA) should have an issue whenever 192.168.1.0/24 (Checkpoint) initiates traffic to 192.168.2.0/24. But 192.168.1.0/24 can access 192.168.2.0/24 successfully for web service and fileshare, and I verified from Checkpoint that the logs came from the VPN blade.

Hi Rob,

Tested and verified that enabling NAT exemption resolves the connectivity issue from 192.168.2.0/24 (ASA) to 192.168.1.0/24 (Checkpoint). But I am curious why return traffic from 192.168.2.0/24 (ASA) is able to work whenever 192.168.1.0/24 (Checkpoint) initiates traffic to 192.168.2.0/24 (ASA) without NAT exemption enabled.

@donnie 

Glad to hear the issue is resolved.

I imagine traffic was unintentionally NATted by another NAT rule; packet-tracer would have indicated which NAT rule the traffic matched.

balaji.bandi
Hall of Fame

If the Checkpoint side is globally NATted, you need to NAT exempt. You can view the Checkpoint SmartDashboard log to see why these packets are dropping.

Also check the access list allowed in Checkpoint.

 

BB
