VPN allows only traffic on one side to reach inside interface of remote end

seanwaite

I have an ASA5505 that has multiple tunnels of different sorts used for testing. I have recently set up a tunnel to a remote location that has a 1721 router on the other end. My location has an 877 ADSL router with the ASA5505 behind it. Since my IP address changes often due to poor DSL service, what I do is set up a static-to-dynamic (remote end) tunnel on the ASA5505. This has worked very well going to a PIX506 and to another 1721 here used for testing.

The 1721 I recently set up has an issue where I can pass traffic to it only on its inside interface IP. From the 1721 I can ping the whole network behind the ASA. Here is the relevant config for the 1721:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key XXXXXX address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set peer XXX.XXX.XXX dynamic
 set transform-set IPSEC
 match address 120
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
interface FastEthernet0
 description $FW_INSIDE$
 ip address 10.10.10.1 255.255.255.240
 crypto map SDM_CMAP_1
!
ip route 0.0.0.0 0.0.0.0 Ethernet0 dhcp
ip nat pool NAT 10.10.10.1 10.10.10.15 netmask 255.255.255.240
ip nat inside source route-map NONAT interface Ethernet0 overload
!
access-list 120 permit ip 10.10.10.0 0.0.0.15 192.168.2.0 0.0.0.255
access-list 130 deny   ip 10.10.10.0 0.0.0.15 192.168.2.0 0.0.0.255
access-list 130 permit ip 10.10.10.0 0.0.0.15 any
!
route-map NONAT permit 10
 match ip address 130

And for the ASA:

object network obj-10.10.10.0
 subnet 10.10.10.0 255.255.255.240
access-list 1721_KS extended permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.240
nat (inside,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-10.10.10.0 obj-10.10.10.0 no-proxy-arp route-lookup
crypto map OUTSIDE_MAP 2 match address 1721_KS
crypto map OUTSIDE_MAP 2 set peer 7x.xx.xxx.xx
crypto map OUTSIDE_MAP 2 set ikev1 phase1-mode aggressive
crypto map OUTSIDE_MAP 2 set ikev1 transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto map OUTSIDE_MAP 2 set nat-t-disable

On the remote end is a device at 10.10.10.3 that I cannot ping, yet when I SSH to the 1721 I can ping it, so I know it is powered on. ICMP debug on the 1721 shows an echo-reply from 192.168.2.1 to 10.10.10.1, but not to 10.10.10.3.

I am thinking that there must be some really minor detail I must have missed somewhere.
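The three things worth checking mechanically on a site-to-site pair like this are that the two crypto ACLs are exact mirror images of each other, that the NAT route-map ACL denies (exempts) exactly the traffic the crypto ACL selects before any permit catches it, and that the crypto map sits on the interface the default route exits. The script below is an added example, not code from the post or from Cisco; the two config excerpts embedded in it are constructed from the lines posted above (peer addresses elided as in the post), and the checks are my own assumptions about what to verify, not a diagnosis of the thread's problem. In particular the placement check can only see what the excerpt shows: an Ethernet0 stanza that is not in the post would change its result.

```python
"""Added example: consistency checks for an IOS <-> ASA site-to-site IPsec pair.

The config excerpts are constructed from the lines posted above; the checks are
this example's own assumptions about what to verify, not Cisco tooling.
"""
import ipaddress

# Constructed from the posted 1721 config (only the lines the checks look at).
IOS_CONFIG = """\
crypto dynamic-map SDM_DYNMAP_1 1
 match address 120
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
interface FastEthernet0
 description $FW_INSIDE$
 ip address 10.10.10.1 255.255.255.240
 crypto map SDM_CMAP_1
ip route 0.0.0.0 0.0.0.0 Ethernet0 dhcp
ip nat inside source route-map NONAT interface Ethernet0 overload
access-list 120 permit ip 10.10.10.0 0.0.0.15 192.168.2.0 0.0.0.255
access-list 130 deny   ip 10.10.10.0 0.0.0.15 192.168.2.0 0.0.0.255
access-list 130 permit ip 10.10.10.0 0.0.0.15 any
route-map NONAT permit 10
 match ip address 130
"""

# Constructed from the posted ASA config.
ASA_CONFIG = """\
access-list 1721_KS extended permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.240
crypto map OUTSIDE_MAP 2 match address 1721_KS
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _net(addr, mask, wildcard):
    """Build a network from an IOS wildcard (inverted bits) or an ASA netmask."""
    bits = int(ipaddress.IPv4Address(mask))
    if wildcard:
        bits ^= 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(bits)}", strict=False)


def _take(tokens, i, wildcard):
    """Consume one address term (any / host X / addr mask) at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return _net(tokens[i], tokens[i + 1], wildcard), i + 2


def parse_acl(config, name, wildcard):
    """Return [(action, src, dst)] for the 'ip' entries of ACL `name`, in order.
    wildcard=True parses IOS numbered ACLs, False parses ASA netmask ACLs."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[1] != name:
            continue
        if t[2] == "extended":          # ASA syntax carries this keyword
            t = t[:2] + t[3:]
        if t[3] != "ip":
            continue                     # only address-level entries are compared here
        src, i = _take(t, 4, wildcard)
        dst, _ = _take(t, i, wildcard)
        entries.append((t[2], src, dst))
    return entries


def check_mirror(local, remote):
    """Crypto ACLs must mirror: every local permit (s, d) needs a remote permit (d, s)."""
    local_pairs = {(s, d) for a, s, d in local if a == "permit"}
    mirrored = {(d, s) for a, s, d in remote if a == "permit"}   # in local orientation
    findings = [f"local permits {s} -> {d}, peer has no mirrored entry" for s, d in local_pairs - mirrored]
    findings += [f"peer permits {d} -> {s}, no matching local entry" for s, d in mirrored - local_pairs]
    return findings


def check_nat_exempt(nat_acl, crypto_acl):
    """Crypto-selected traffic must hit a deny in the NAT ACL before any permit,
    otherwise it is translated and no longer matches the SA selectors."""
    findings = []
    for action, s, d in crypto_acl:
        if action != "permit":
            continue
        verdict = "deny"                 # implicit deny at the end of the ACL = not translated
        for n_action, n_s, n_d in nat_acl:
            if s.subnet_of(n_s) and d.subnet_of(n_d):
                verdict = n_action
                break
        if verdict == "permit":
            findings.append(f"{s} -> {d} would be NATed before encryption")
    return findings


def check_crypto_map_placement(config):
    """Flag a crypto map that is not on the interface the default route exits (in this excerpt)."""
    applied, current, exit_if = {}, None, None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "interface":
            current = t[1]
            continue
        if not line.startswith(" "):
            current = None
        if current and t[:2] == ["crypto", "map"]:
            applied[current] = t[2]
        if t[:4] == ["ip", "route", "0.0.0.0", "0.0.0.0"] and len(t) > 4 and not t[4][0].isdigit():
            exit_if = t[4]               # exit interface named rather than a next-hop IP
    if not exit_if or exit_if in applied:
        return []
    return [f"crypto map {n} is on {i}, but the default route exits {exit_if} (no crypto map seen there)"
            for i, n in applied.items()]


def run_checks():
    """Run all three checks against the embedded excerpts; returns {check: [findings]}."""
    crypto_local = parse_acl(IOS_CONFIG, "120", wildcard=True)
    crypto_remote = parse_acl(ASA_CONFIG, "1721_KS", wildcard=False)
    nat_acl = parse_acl(IOS_CONFIG, "130", wildcard=True)
    return {
        "mirror": check_mirror(crypto_local, crypto_remote),
        "nat_exempt": check_nat_exempt(nat_acl, crypto_local),
        "placement": check_crypto_map_placement(IOS_CONFIG),
    }


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(f"{name}: {'ok' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Against the posted excerpts the mirror and NAT-exemption checks come back clean; only the placement check reports anything, and that report is only as good as the excerpt it was given.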

15 Replies

This could well be an issue related to CEF on 1721 router