06-27-2011 09:07 AM
Just wondering if somebody could help me. I’ve set a VPN up between two sites using Cisco ASA 5505 and the Wizard. Unfortunately the VPN works only one way, from 8.2(2) to 8.3(1), and after spending one day trying to resolve the issue I decided to ask somebody better than me. Logs show that the ping leaves ASA 8.3 but never hits ASA 8.2 – the opposite way everything works perfectly.
I would really appreciate if somebody could advise me something.
ASA Version 8.3(1)
object network RemoteA_internal_Network
subnet xxx.xxx.xxx.0 255.255.255.0
object network NETWORK_OBJ_yyy.yyy.yyy.0_24
subnet yyy.yyy.yyy.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip yyy.yyy.yyy.0 255.255.255.0 object RemoteA_internal_Network
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static NETWORK_OBJ_yyy.yyy.yyy.0_24 NETWORK_OBJ_yyy.yyy.yyy.0_24 destination static RemoteA_internal_Network RemoteA_internal_Network
!
object network obj_any
nat (inside,outside) dynamic interface
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_1_cryptomap_1
crypto map outside_map0 1 set peer aaa.aaa.aaa.aaa
crypto map outside_map0 1 set transform-set ESP-3DES-MD5
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
!
tunnel-group aaa.aaa.aaa.aaa type ipsec-l2l
tunnel-group aaa.aaa.aaa.aaa ipsec-attributes
pre-shared-key *****
__________________________________________________
ASA Version 8.2(2)
name yyy.yyy.yyy.0 RemoteB_internal_Network
access-list inside_access_in extended permit ip any any
access-list outside_1_cryptomap extended permit ip xxx.xxx.xxx.0 255.255.255.0 RemoteB_internal_Network 255.255.255.0
access-list inside_nat0_outbound extended permit ip xxx.xxx.xxx.0 255.255.255.0 RemoteB_internal_Network 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_1_cryptomap
crypto map outside_map0 1 set peer bbb.bbb.bbb.bbb
crypto map outside_map0 1 set transform-set ESP-3DES-MD5
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
tunnel-group bbb.bbb.bbb.bbb type ipsec-l2l
tunnel-group bbb.bbb.bbb.bbb ipsec-attributes
pre-shared-key *****
06-27-2011 12:49 PM
Hi Piotr,
I suspect that the following line on the ASA running 8.3 might be causing the problem:
nat (inside,outside) source dynamic any interface
I assume this statement was configured for PAT, since PAT is also handled by this line:
object network obj_any
nat (inside,outside) dynamic interface
You should be able to remove "nat (inside,outside) source dynamic any interface"
Let me know if this helps.
Thanks,
Loren Kolnes
06-28-2011 02:08 AM
Loren, you are a genius – your solution sorts my issue.
Thank you for your help!
08-13-2014 03:58 AM
Hi Loren,
Brilliant, thank you. I had this problem today, and even though I'd been bitten by it before;
Cisco ASA 5500 - VPN Works in One Direction
It wasn't until I saw your post that the penny dropped. For anyone else, you will also see the following happening if you do a packet trace:
BAD
PetesASA# packet-tracer input inside icmp 192.168.2.2 8 0 192.168.1.1
------------------output removed-----------------------------
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
Dynamic translate 192.168.2.2/0 to 123.123.123.123/21205
---------------output removed----------------
Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
--------output removed-------------------
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
PetesASA#
GOOD
PetesASA# packet-tracer input inside icmp 192.168.2.2 8 0 192.168.1.1
-----------output removed---------------------
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,any) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.1.1/0 to 192.168.1.1/0
--------------output removed------------------------
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,any) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.2.2/0 to 192.168.2.2/0
------------------output removed--------------------------
Phase: 11
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,any) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
Additional Information:
-------------------output removed----------------------
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Regards,
Pete
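Loren's diagnosis and Pete's two packet-tracer runs both come down to NAT rule order on ASA 8.3+: a "source dynamic any interface" rule in Section 1 is matched before the identity NAT for the VPN subnets, so the packet leaves PAT'ed to the outside address and no longer matches the crypto ACL. The following is an added example, not from the thread or from Cisco, that models that first-match ordering in Python with constructed rules and the addresses from Pete's trace (192.168.2.0/24 local, 192.168.1.0/24 remote, 123.123.123.123 outside).

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class NatRule:
    name: str
    section: int        # ASA NAT table section: 1 = manual NAT, 2 = object NAT, 3 = manual after-auto
    src: str            # source match, a CIDR or "any"
    dst: str            # destination match, a CIDR or "any"
    translate: str      # "identity" keeps the source address, "interface" PATs it to outside


def _matches(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def resolve_nat(rules, src_ip, dst_ip, outside_ip):
    """Walk Section 1, then 2, then 3 in configured order; first match wins."""
    for rule in sorted(rules, key=lambda r: r.section):   # stable sort keeps configured order per section
        if _matches(rule.src, src_ip) and _matches(rule.dst, dst_ip):
            return rule.name, (src_ip if rule.translate == "identity" else outside_ip)
    return "no-nat", src_ip


def crypto_acl_permits(post_nat_src, dst_ip, local_net, remote_net):
    """The crypto map ACL is checked against the post-NAT source address."""
    return _matches(local_net, post_nat_src) and _matches(remote_net, dst_ip)


# Constructed rule sets mirroring the 8.3 config in the thread (addresses from Pete's trace).
IDENTITY_VPN = NatRule("identity-vpn", 1, "192.168.2.0/24", "192.168.1.0/24", "identity")
DYNAMIC_ANY = NatRule("dynamic-any", 1, "any", "any", "interface")   # the line Loren told Piotr to remove
OBJ_ANY = NatRule("obj-any", 2, "any", "any", "interface")            # object NAT for normal internet PAT
BAD_RULES = [DYNAMIC_ANY, IDENTITY_VPN, OBJ_ANY]                      # dynamic-any listed first, as in Piotr's config
GOOD_RULES = [IDENTITY_VPN, OBJ_ANY]


def vpn_packet_outcome(rules, src="192.168.2.2", dst="192.168.1.1", outside="123.123.123.123"):
    """Return (matched rule, post-NAT source, whether the packet still matches the crypto ACL)."""
    rule, post_nat_src = resolve_nat(rules, src, dst, outside)
    return rule, post_nat_src, crypto_acl_permits(post_nat_src, dst, "192.168.2.0/24", "192.168.1.0/24")


if __name__ == "__main__":
    print("BAD :", vpn_packet_outcome(BAD_RULES))    # PAT'ed by dynamic-any, crypto ACL never matches
    print("GOOD:", vpn_packet_outcome(GOOD_RULES))   # identity NAT wins, packet is encrypted
    print("internet-bound under GOOD:", resolve_nat(GOOD_RULES, "192.168.2.2", "203.0.113.9", "123.123.123.123"))
```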