VPN ASA 5505 8.3 (1) to ASA 8.2 (2) works only one way

Piotr Kowalczyk
Level 1

Just wondering if somebody could help me. I've set up a VPN between two sites using Cisco ASA 5505s and the wizard. Unfortunately the VPN works only one way, from 8.2(2) to 8.3(1), and after spending one day trying to resolve the issue I decided to ask somebody better than me. The logs show that pings leave the ASA 8.3 but never hit the ASA 8.2; the opposite way everything works perfectly.

I would really appreciate it if somebody could advise me.

ASA Version 8.3(1)

object network RemoteA_internal_Network
 subnet xxx.xxx.xxx.0 255.255.255.0
object network NETWORK_OBJ_yyy.yyy.yyy.0_24
 subnet yyy.yyy.yyy.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip yyy.yyy.yyy.0 255.255.255.0 object RemoteA_internal_Network
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static NETWORK_OBJ_yyy.yyy.yyy.0_24 NETWORK_OBJ_yyy.yyy.yyy.0_24 destination static RemoteA_internal_Network RemoteA_internal_Network
!
object network obj_any
 nat (inside,outside) dynamic interface
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_1_cryptomap_1
crypto map outside_map0 1 set peer aaa.aaa.aaa.aaa
crypto map outside_map0 1 set transform-set ESP-3DES-MD5
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
tunnel-group aaa.aaa.aaa.aaa type ipsec-l2l
tunnel-group aaa.aaa.aaa.aaa ipsec-attributes
 pre-shared-key *****

__________________________________________________

ASA Version 8.2(2)

name yyy.yyy.yyy.0 RemoteB_internal_Network
access-list inside_access_in extended permit ip any any
access-list outside_1_cryptomap extended permit ip xxx.xxx.xxx.0 255.255.255.0 RemoteB_internal_Network 255.255.255.0
access-list inside_nat0_outbound extended permit ip xxx.xxx.xxx.0 255.255.255.0 RemoteB_internal_Network 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_1_cryptomap
crypto map outside_map0 1 set peer bbb.bbb.bbb.bbb
crypto map outside_map0 1 set transform-set ESP-3DES-MD5
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
tunnel-group bbb.bbb.bbb.bbb type ipsec-l2l
tunnel-group bbb.bbb.bbb.bbb ipsec-attributes
 pre-shared-key *****

1 Accepted Solution

Accepted Solutions

Loren Kolnes
Cisco Employee

Hi Piotr,

I suspect that the following line on the ASA running 8.3 might be causing the problem:

nat (inside,outside) source dynamic any interface

I assume this statement was configured for PAT, since PAT is also handled by this line:

object network obj_any

nat (inside,outside) dynamic interface

You should be able to remove "nat (inside,outside) source dynamic any interface"

Let me know if this helps.

Thanks,

Loren Kolnes

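Loren's diagnosis comes down to NAT ordering on 8.3: manual (twice) NAT rules in section 1 are evaluated in configuration order, before object NAT in section 2, and the crypto map ACL is then checked against the packet as it looks after translation. The model below is an added example, not Cisco code and not from this thread; it uses constructed addresses (192.168.2.0/24 standing in for yyy.yyy.yyy.0/24 behind the 8.3 ASA, 192.168.1.0/24 for xxx.xxx.xxx.0/24 behind the 8.2 ASA, and 203.0.113.10 as the 8.3 box's outside address) and walks a VPN-bound and an Internet-bound packet through the NAT table as Piotr posted it and after Loren's change.

```python
"""ASA 8.3-style NAT rule selection, modelled against a site-to-site VPN.

Added example, not Cisco code and not from the thread. All addresses are constructed:
192.168.2.0/24 stands in for yyy.yyy.yyy.0/24 (behind the 8.3 ASA), 192.168.1.0/24 for
xxx.xxx.xxx.0/24 (behind the 8.2 ASA) and 203.0.113.10 is the 8.3 box's outside address.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
OUTSIDE_IF = "203.0.113.10"   # constructed outside interface address of the 8.3 ASA


@dataclass
class NatRule:
    section: int                   # 1 = manual (twice) NAT, 2 = object (auto) NAT
    config: str                    # the CLI line, kept for reporting
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network     # object NAT carries no destination condition, so ANY
    mapped_src: Optional[str]      # None = identity (source unchanged), else the PAT address

    def matches(self, s: ipaddress.IPv4Address, d: ipaddress.IPv4Address) -> bool:
        return s in self.src and d in self.dst


def translate(rules: List[NatRule], src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """First matching rule wins: section 1 before section 2, config order within a section.
    Returns (rule config line, source address after translation)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in sorted(rules, key=lambda r: r.section):   # sorted() is stable, so config order survives
        if rule.matches(s, d):
            return rule.config, rule.mapped_src or src_ip
    return "no NAT", src_ip


def goes_into_tunnel(rules: List[NatRule], src_ip: str, dst_ip: str,
                     crypto_src: str, crypto_dst: str) -> bool:
    """Does the packet still match the crypto map ACL once NAT has been applied to it?"""
    _, translated = translate(rules, src_ip, dst_ip)
    return (ipaddress.ip_address(translated) in ipaddress.ip_network(crypto_src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(crypto_dst))


LOCAL = ipaddress.ip_network("192.168.2.0/24")    # constructed: yyy.yyy.yyy.0/24
REMOTE = ipaddress.ip_network("192.168.1.0/24")   # constructed: xxx.xxx.xxx.0/24

IDENTITY_NAT = NatRule(
    1,
    "nat (inside,outside) source static NETWORK_OBJ_yyy.yyy.yyy.0_24 NETWORK_OBJ_yyy.yyy.yyy.0_24 "
    "destination static RemoteA_internal_Network RemoteA_internal_Network",
    LOCAL, REMOTE, None)
DYNAMIC_ANY = NatRule(1, "nat (inside,outside) source dynamic any interface", ANY, ANY, OUTSIDE_IF)
OBJECT_PAT = NatRule(2, "object network obj_any / nat (inside,outside) dynamic interface", ANY, ANY, OUTSIDE_IF)

# Table as posted: the dynamic-any line precedes the identity NAT inside section 1,
# so every inside host, VPN-bound or not, is PATed to the outside address first.
BAD_RULES = [DYNAMIC_ANY, IDENTITY_NAT, OBJECT_PAT]
# Loren's fix: drop the manual dynamic line; obj_any in section 2 still PATs Internet traffic.
GOOD_RULES = [IDENTITY_NAT, OBJECT_PAT]

if __name__ == "__main__":
    for label, rules in (("BAD", BAD_RULES), ("GOOD", GOOD_RULES)):
        rule, src = translate(rules, "192.168.2.2", "192.168.1.1")
        enc = goes_into_tunnel(rules, "192.168.2.2", "192.168.1.1", "192.168.2.0/24", "192.168.1.0/24")
        print(f"{label}: VPN-bound packet hit '{rule}', source now {src}, encrypted={enc}")
        print(f"{label}: Internet-bound packet -> {translate(rules, '192.168.2.2', '198.51.100.5')}")
```

With the posted table the VPN-bound packet is rewritten to the outside address, no longer matches `outside_1_cryptomap_1`, and leaves in the clear, which is exactly the "leaves 8.3, never arrives at 8.2" symptom. After the change the identity rule still matches first for tunnel traffic while the section 2 object NAT keeps PATing everything else.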

3 Replies


Loren, you are a genius – your solution sorts my issue.

Thank you for your help!

Hi Loren,

Brilliant, thank you. I had this problem today, and even though I'd been bitten by it before;

Cisco ASA 5500 - VPN Works in One Direction

It wasn't till I saw your post that the penny dropped. For anyone else, you will also see the following happening if you do a packet trace:

BAD

PetesASA# packet-tracer input inside icmp 192.168.2.2 8 0 192.168.1.1

------------------output removed-----------------------------

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
Dynamic translate 192.168.2.2/0 to 123.123.123.123/21205

---------------output removed----------------

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface
Additional Information:

--------output removed-------------------

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

PetesASA#


GOOD

PetesASA# packet-tracer input inside icmp 192.168.2.2 8 0 192.168.1.1

-----------output removed---------------------

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,any) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.1.1/0 to 192.168.1.1/0

--------------output removed------------------------

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,any) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.2.2/0 to 192.168.2.2/0

------------------output removed--------------------------

Phase: 11
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,any) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
Additional Information:

-------------------output removed----------------------

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Regards,

Pete
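Pete's two traces show the tell-tale sign in `packet-tracer` output: a NAT phase whose `Additional Information` reports a dynamic translation of the inside source to the outside address, even though the destination is a network the tunnel is supposed to carry. The script below is an added example, not Cisco code and not from this thread; it parses `packet-tracer` output into phases and flags any NAT phase that changes the source of a packet headed for a protected network. The two traces embedded in it are constructed, abridged versions of Pete's BAD and GOOD output.

```python
"""Check ASA packet-tracer output for NAT phases that rewrite the source of VPN-bound traffic.

Added example, not Cisco code and not from the thread. BAD_TRACE and GOOD_TRACE are
constructed, abridged versions of the output Pete posted; 123.123.123.123 is the outside
interface address that appears in his trace.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# "packet-tracer input <if> icmp <src> <type> <code> <dst>" or "... tcp|udp <src> <sport> <dst> <dport>"
CMD = re.compile(r"packet-tracer input \S+ (?:icmp|tcp|udp) (\d+\.\d+\.\d+\.\d+) \S+(?: \S+)? (\d+\.\d+\.\d+\.\d+)")
XLATE = re.compile(r"(?:Dynamic|Static) translate (\d+\.\d+\.\d+\.\d+)/\d+ to (\d+\.\d+\.\d+\.\d+)/\d+")


def parse_phases(text: str) -> List[Dict]:
    """Split packet-tracer output into its 'Phase: N' blocks; a blank line ends each block."""
    phases = []
    for chunk in re.split(r"(?m)^Phase: ", text)[1:]:
        body = chunk.split("\n\n", 1)[0].splitlines()
        phase = {"phase": int(body[0].strip()), "type": "", "subtype": "", "result": "",
                 "config": [], "info": []}
        section = None
        for line in body[1:]:
            if line.startswith("Type:"):
                phase["type"] = line[len("Type:"):].strip()
            elif line.startswith("Subtype:"):
                phase["subtype"] = line[len("Subtype:"):].strip()
            elif line.startswith("Result:"):
                phase["result"] = line[len("Result:"):].strip()
            elif line.startswith("Config:"):
                section = "config"
            elif line.startswith("Additional Information:"):
                section = "info"
            elif section:
                phase[section].append(line.strip())
        phases.append(phase)
    return phases


def vpn_nat_warnings(text: str, protected_nets: List[str]) -> List[Tuple[int, str, str]]:
    """Return (phase number, NAT config line, new source) for every NAT phase that changes the
    source of a packet whose destination lies in a network the tunnel is meant to protect."""
    m = CMD.search(text)
    if not m:
        raise ValueError("no packet-tracer command line found in the trace")
    src, dst = m.group(1), ipaddress.ip_address(m.group(2))
    if not any(dst in ipaddress.ip_network(n) for n in protected_nets):
        return []   # not tunnel traffic: PAT to the outside address is expected here
    warnings = []
    for p in parse_phases(text):
        if p["type"] != "NAT":
            continue
        for line in p["info"]:
            x = XLATE.match(line)
            if x and x.group(1) == src and x.group(2) != src:
                warnings.append((p["phase"], " ".join(p["config"]), x.group(2)))
    return warnings


# Constructed, abridged traces modelled on Pete's post.
BAD_TRACE = """PetesASA# packet-tracer input inside icmp 192.168.2.2 8 0 192.168.1.1

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
Dynamic translate 192.168.2.2/0 to 123.123.123.123/21205

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: allow
"""

GOOD_TRACE = """PetesASA# packet-tracer input inside icmp 192.168.2.2 8 0 192.168.1.1

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,any) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.1.1/0 to 192.168.1.1/0

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,any) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.2.2/0 to 192.168.2.2/0

Phase: 11
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,any) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: allow
"""

if __name__ == "__main__":
    for label, trace in (("BAD", BAD_TRACE), ("GOOD", GOOD_TRACE)):
        print(label, vpn_nat_warnings(trace, ["192.168.1.0/24"]))
```

Note that both traces end in `Action: allow`: packet-tracer reports the packet as forwarded either way, which is why the phase-by-phase NAT lines, not the final verdict, are what give the problem away.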
