Traffic between two IPSEC tunnels not working

jordisust
Level 1

Hello,

We have an IPSEC tunnel to a partner where we are doing source and destination NAT on our Cisco ASA. In the encryption domain with our partner we are using the NATed IPs. Everything is working from everywhere except from a remote site (the main site, which has to use this connection), which is also connected via IPSEC.

Running a packet tracer, it shows the following:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

How do NAT and routing work between two IPSEC tunnels? I mean, I believe that NAT and routing are done in a different order and that is why this connection is failing? Or am I wrong?

Why is this failing only from the remote location? (ACL is not an issue 100%).

Thank you.

5 Replies

rizwanr74
Level 7

"Everything is working from everywhere except from a remote site"

Hi jordisust,

As per your above statement, you need to dynamic-NAT your remote-site range to a single IP permitted to traverse via the tunnel to your partner's site, and your partner will see the NATed IP which is permitted between your main site and the partner's side.

If this isn't clear, please post a diagram to show your subnet locations.

Thanks

Rizwan Rafeek

Thank you Rizwan.

You mean that we should create a NAT on the remote site only when communicating with the partner through ACL?

Is there anything to do with the destination NAT already performed?


Thank you.

I presume that you have a main site and a remote site, both under your control.

You have a site-to-site tunnel between the main site and the partner's site.

Now you want your remote site to access resources located at the partner's site, is this right? If not, please post a diagram to illustrate the tunnel endpoints and the respective subnets belonging to them.

Thanks

Rizwan Rafeek

Hello Rizwan,

I have attached a diagram for clarification.

Thank you.

Hello,

The issue has been solved. As we were doing source and destination NAT, we missed doing this also for the outside interface (outside-to-outside NAT). This is the reason it was working from everywhere except for the remote site behind the VPN tunnel.

Thank you.
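An added, constructed ASA configuration illustrating the fix described in the thread; it is not the poster's configuration, and every object name and address is an assumption (RFC 5737 documentation ranges). It shows the existing inside-to-outside twice-NAT rule next to the outside-to-outside rule that the remote site's hairpinned traffic needs, with the partner crypto ACL written against the NATed addresses as the original post describes.

```cisco
! Remote-site traffic enters on "outside" (its own IPsec tunnel) and must
! leave on "outside" again (the partner tunnel). The ASA drops intra-interface
! traffic unless this is enabled.
same-security-traffic permit intra-interface

! --- Constructed addresses (assumptions, RFC 5737 ranges) -------------------
object network MAIN_SITE_REAL
 subnet 10.0.0.0 255.255.255.0
object network REMOTE_SITE_REAL
 subnet 192.0.2.0 255.255.255.0
! Single source IP the partner sees for all of our hosts (source NAT).
object network OUR_NATED_SRC
 host 203.0.113.10
! Address our hosts use to reach the partner server (destination NAT) ...
object network PARTNER_NATED
 host 203.0.113.200
! ... and the partner server's real address inside its encryption domain.
object network PARTNER_REAL
 host 198.51.100.20

! --- Rule that already worked: main site (inside) -> partner (outside) ------
nat (inside,outside) source dynamic MAIN_SITE_REAL OUR_NATED_SRC destination static PARTNER_NATED PARTNER_REAL

! --- The missing rule: remote site (outside) -> partner (outside) -----------
! Without it the remote-site packet keeps its real source address, never
! matches the partner tunnel's crypto ACL below, and is dropped at the
! VPN encrypt phase even though the inside rule looks complete.
nat (outside,outside) source dynamic REMOTE_SITE_REAL OUR_NATED_SRC destination static PARTNER_NATED PARTNER_REAL

! --- Encryption domains -----------------------------------------------------
! Partner tunnel: matched AFTER translation, so it lists the NATed addresses.
access-list PARTNER_CRYPTO extended permit ip host 203.0.113.10 host 198.51.100.20

! Remote-site tunnel: the remote site talks to the pre-translation
! destination address, so its encryption domain uses PARTNER_NATED.
access-list REMOTE_SITE_CRYPTO extended permit ip host 203.0.113.200 192.0.2.0 255.255.255.0
```

To confirm the hairpin path on a live box, run packet-tracer with the remote-site source on the outside interface (for example, `packet-tracer input outside tcp 192.0.2.50 12345 203.0.113.200 443`) and check that the NAT phase shows the outside-to-outside rule before the VPN encrypt phase reports ALLOW.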