07-02-2014 09:17 PM
I am currently experiencing trouble with VPN traffic between two sites which has me at a loss. I'm sure it is something simple but I cannot pinpoint it.
I have an ASA 5510 (running 9.0.3) that I am connecting to from an 819 router using NEM. The tunnel establishes and from anywhere on the inside networks I can access all of the remote site networks; however, from the remote networks I can only access as far as the inside interface of the ASA, not even another device on the same subnet as the inside interface. I have checked the traffic for the SA and when pinging from the remote site I can see traffic from the remote network coming into the ASA, but no response. When pinging from behind the ASA I can see bi-directional traffic. I cannot see anything in the logs to indicate that the traffic is being dropped, the routing looks good and the crypto maps should work, so I'm at a bit of a loss...
On my older ASA (running 8.2.1) that has a similar config I have numerous remote sites connected via the same methodology. When the 819 I'm using to test the new ASA is pointed to the old ASA it all works fine.
Any assistance would be greatly appreciated.
07-02-2014 10:53 PM
Hi Brown,
Please check the following things in your ASA configs.
1) Routing to the internal networks
2) Inspect icmp is enabled in your ASA service policy
3) Your NAT statements / access-lists / VPN configuration have changed in 8.3 and later versions of the software.
Regards
Karthik
07-02-2014 11:06 PM
Hi,
Method to check packet drops on ASA
You can initiate traffic from remote side and apply "cap asp type asp-drop all" captures.
Just check if you see the packets getting dropped on ASA using "show cap asp | in <ip_address>"
This will show you if the packets are getting dropped on the ASA.
Secondly, you can run "show asp drop" every second (while running continuous traffic from the remote side) to check which counter is increasing (e.g. flow denied by any rule or TCP packets not in order) and then proceed accordingly.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
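The second technique above, comparing successive "show asp drop" snapshots to find the counter that moves, is easy to do by hand for one or two lines but tedious when the output runs to dozens of reasons. The script below is an added example, not part of the original thread: it parses two snapshots and returns only the counters that increased. The two snapshots are constructed text in the shape of ASA "show asp drop" output (description, reason name in parentheses, count); the counter values are made up and the "nat-failed" increase mirrors what the original poster went on to find.

```python
import re
from typing import Dict

# Constructed sample output in the shape of two consecutive "show asp drop"
# snapshots taken about a second apart while pinging from the remote site.
# These are not from the original post; the counter values are invented.
SNAPSHOT_T0 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                               310
  NAT failed (nat-failed)                                                     42
  First TCP packet not SYN (tcp-not-syn)                                       7

Last clearing: Never
"""

SNAPSHOT_T1 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                               310
  NAT failed (nat-failed)                                                     47
  First TCP packet not SYN (tcp-not-syn)                                       7

Last clearing: Never
"""

# One counter line: indented description, "(reason-name)", then the count.
LINE_RE = re.compile(r"^\s+(?P<desc>.+?)\s+\((?P<name>[\w-]+)\)\s+(?P<count>\d+)\s*$")


def parse_asp_drop(text: str) -> Dict[str, int]:
    """Map each drop reason name (e.g. 'nat-failed') to its counter value."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counters[m.group("name")] = int(m.group("count"))
    return counters


def drop_deltas(before: str, after: str) -> Dict[str, int]:
    """Return only the reasons whose counter grew between the two snapshots.

    A reason that appears only in the later snapshot is treated as having
    started at zero, so a brand-new drop reason is reported as well.
    """
    b = parse_asp_drop(before)
    a = parse_asp_drop(after)
    deltas = {}
    for name, count in a.items():
        diff = count - b.get(name, 0)
        if diff > 0:
            deltas[name] = diff
    return deltas


if __name__ == "__main__":
    # With continuous pings running from the remote side, the counter that
    # keeps moving is the one to investigate; here it is the NAT failure.
    for name, diff in drop_deltas(SNAPSHOT_T0, SNAPSHOT_T1).items():
        print(f"{name}: +{diff}")
```

In practice you would paste the two CLI outputs into the two snapshot strings (or read them from files saved by a terminal logger) and look at the reasons the script reports; the asp-drop capture from the first technique then tells you which packets hit that reason.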
07-03-2014 02:11 AM
Thanks for the replies,
Using the "show asp drop" command on the ASA I can see that "NAT failed" is incrementing when I ping across. I've had a look, but it looks ok to me. This is my first attempt on a post 8.3 version though, so I'm obviously doing it wrong.
The relevant lines from the config are:
object network HEGT_CSN_LAN
subnet 10.146.94.0 255.255.255.0
object network CSN_LAN
subnet 10.146.150.0 255.255.255.248
nat (Inside,Outside) source static CSN_LAN CSN_LAN destination static HEGT_CSN_LAN HEGT_CSN_LAN
I am unable to ping from 10.146.94.33 (819 internal Ethernet port) to 10.146.150.6 (device on internal network behind the ASA), due to the NAT failure, however I can ping in reverse.
07-03-2014 02:25 AM
It looks like I might have it resolved. I had the VPN NAT exemption statement after the dynamic web one in the config, therefore the return traffic was not being exempted. I have changed the order and it all looks like it's working.
Thanks for your assistance and pointing me in the right direction.
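The fix above comes down to rule order: in ASA 8.3 and later, manual (twice) NAT rules in section 1 are evaluated top-down, first match wins, so a broad dynamic PAT rule placed above an identity (exemption) rule for the VPN subnets catches the VPN traffic first and the exemption never matches. The script below is an added example, not code from the thread or from Cisco: it parses the object and manual NAT lines from a config snippet and reports any identity rule that is shadowed by an earlier dynamic rule covering the same source and destination. The two object definitions and the identity NAT line are the ones quoted in the post; the "source dynamic any interface" PAT line is an assumption standing in for the poster's "dynamic web" rule, which the thread never quotes.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

ANY = ipaddress.IPv4Network("0.0.0.0/0")

# Constructed config in ASA 8.3+ syntax. The objects and the identity NAT line
# come from the post; the dynamic PAT line is assumed (the thread never shows
# it). In BROKEN_CONFIG the PAT rule sits above the exemption, as the poster
# described; FIXED_CONFIG is the same snippet with the two NAT lines swapped.
BROKEN_CONFIG = """\
object network HEGT_CSN_LAN
 subnet 10.146.94.0 255.255.255.0
object network CSN_LAN
 subnet 10.146.150.0 255.255.255.248
nat (Inside,Outside) source dynamic any interface
nat (Inside,Outside) source static CSN_LAN CSN_LAN destination static HEGT_CSN_LAN HEGT_CSN_LAN
"""

FIXED_CONFIG = """\
object network HEGT_CSN_LAN
 subnet 10.146.94.0 255.255.255.0
object network CSN_LAN
 subnet 10.146.150.0 255.255.255.248
nat (Inside,Outside) source static CSN_LAN CSN_LAN destination static HEGT_CSN_LAN HEGT_CSN_LAN
nat (Inside,Outside) source dynamic any interface
"""

NAT_RE = re.compile(
    r"^nat \((?P<ifaces>[^)]+)\) source (?P<kind>static|dynamic) (?P<real>\S+) (?P<mapped>\S+)"
    r"(?: destination static (?P<dreal>\S+) (?P<dmapped>\S+))?"
)


def parse_objects(config: str) -> Dict[str, ipaddress.IPv4Network]:
    """Collect 'object network NAME' definitions with a 'subnet' or 'host' body."""
    objs: Dict[str, ipaddress.IPv4Network] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^object network (\S+)\s*$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s+subnet (\S+) (\S+)\s*$", line)
        if m and current:
            objs[current] = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")
            continue
        m = re.match(r"^\s+host (\S+)\s*$", line)
        if m and current:
            objs[current] = ipaddress.IPv4Network(f"{m.group(1)}/32")
    return objs


def _net(name: str, objs: Dict[str, ipaddress.IPv4Network]) -> ipaddress.IPv4Network:
    return ANY if name == "any" else objs[name]


def parse_manual_nat(config: str, objs: Dict[str, ipaddress.IPv4Network]) -> List[dict]:
    """Return section-1 (manual NAT) rules in configuration order.

    A rule is an identity rule when real and mapped objects are the same on the
    source side and, if a destination clause is present, on that side too.
    """
    rules = []
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue
        identity = (m["kind"] == "static" and m["real"] == m["mapped"]
                    and (m["dreal"] is None or m["dreal"] == m["dmapped"]))
        rules.append({
            "line": line.strip(),
            "kind": m["kind"],
            "src": _net(m["real"], objs),
            "dst": _net(m["dreal"], objs) if m["dreal"] else ANY,
            "identity": identity,
        })
    return rules


def shadowed_exemptions(config: str) -> List[Tuple[int, int]]:
    """Pairs (i, j): dynamic rule i precedes identity rule j and covers its
    source and destination, so rule j can never be the first match."""
    objs = parse_objects(config)
    rules = parse_manual_nat(config, objs)
    hits = []
    for j, ident in enumerate(rules):
        if not ident["identity"]:
            continue
        for i in range(j):
            dyn = rules[i]
            if (dyn["kind"] == "dynamic"
                    and ident["src"].subnet_of(dyn["src"])
                    and ident["dst"].subnet_of(dyn["dst"])):
                hits.append((i, j))
    return hits


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, "->", shadowed_exemptions(cfg) or "no shadowed exemptions")
```

The check is deliberately conservative: it only flags an identity rule whose source and destination are both fully contained in an earlier dynamic rule, which is exactly the case that produces the "NAT failed" / no-return-traffic symptom described in the thread. Running it against a "show running-config nat" dump (together with the object definitions) before committing a new VPN exemption is a cheap way to catch the ordering mistake.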
07-03-2014 04:40 AM
We are glad it's resolved.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.