06-04-2015 07:29 AM
Here is my VPN LAN-to-LAN configuration:
object network VPNL2L-src
 host 192.168.93.164
 nat (INSIDE,OUTSIDE) static 10.195.10.164
object network VPNL2L-SRC-NAT
 host 10.195.10.164
object network VPNnonat-SRC
 host 10.195.10.164
object network VPNL2L-DST
 host 10.168.0.85
nat (INSIDE,OUTSIDE) source static VPNnonat-SRC VPNnonat-SRC destination static VPNL2L-DST VPNL2L-DST
nat (INSIDE,OUTSIDE) source static VPNL2L-src VPNL2L-SRC-NAT destination static VPNL2L-DST VPNL2L-DST
The flow shows me that the packets go out from my OUTSIDE, but when the packets come in on my OUTSIDE there is no flow in the VPN traffic.
06-06-2015 05:05 AM
Hello Walter,
- Was this flow checked with packet-tracer? Could you share the output with us?
- What's the problem with the tunnel?
06-08-2015 01:06 AM
When I try to ping the destination 10.168.0.85 from my inside host 192.168.93.164 (NAT-SRC to 10.195.10.164) I can see this output on my ASA:
peer address: 78.6.254.7
Crypto map tag: outside_map, seq num: 145, local addr: 94.125.239.251
access-list VPNL2LCrypto extended permit ip 10.195.10.164 255.255.255.5 10.168.0.85 255.255.255.255
local ident (addr/mask/prot/port): (10.195.10.164/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.168.0.85/255.255.255.0/0/0)
current_peer: 78.6.254.7
#pkts encaps: 380, #pkts encrypt: 380, #pkts digest: 380
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
#pkts invalid pad (rcv): 0,
#pkts invalid ip version (rcv): 0,
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0
local crypto endpt.: 94.125.239.251/4500, remote crypto endpt.: 78.6.254.7/4500
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 59D2316F
current inbound spi : 9DC7F1C5
As you can see there are numbers in pkts encaps, but there aren't any in pkts decaps. Obviously, when the other side tries to ping my inside host, the other side sees the same output with the same command. From this issue I can suppose that in my ASA the packets from the other side to my INSIDE aren't encrypted.
06-08-2015 04:22 AM
Hello Walter,
Is the remote end 78.6.254.7 encrypting traffic?
Is this encrypted traffic from the remote end reaching the ASA?
*outside captures can help you answer this question
Is the ASA dropping traffic from 10.168.0.85?
*ASP captures can help you answer this question
06-11-2015 07:57 AM
Thanks, I modified my configuration like so:
no nat (INSIDE,OUTSIDE) source static VPNnonat-SRC VPNnonat-SRC destination static VPNL2L-DST VPNL2L-DST
Afterwards, with a capture of type asp-drop, I saw the flow from 10.168.0.85 to 94.125.239.242. I studied the configuration of my ASA and rewrote the configuration for the unencrypted traffic from the inside LAN IP addresses to the outside (Internet), with source NAT to 94.125.239.252, and the VPN is OK. From
nat (INSIDE,OUTSIDE) source dynamic INSIDE-LAN-src INSIDE-LAN-src IP-94.125.239.242 destination static Any-dst Any-dst
To
object-group network INSIDE-INTERNET-OUTSIDE
 network-object host 192.168.0.1
nat (INSIDE,OUTSIDE) source dynamic INSIDE-INTERNET-OUTSIDE IP-94.125.239.252
Now the VPN is OK. Thanks.
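The following is an added example, not code from the thread or from Cisco. It is a simplified Python model of how the ASA walks manual (twice) NAT rules top-down, first match wins, in both directions. It replays the two manual NAT lines from the first post (object names shortened, hosts taken from the thread) to show why the identity rule for 10.195.10.164, listed before the static rule that maps 192.168.93.164 to 10.195.10.164, captures the return traffic from 10.168.0.85 and untranslates it to an address that does not exist behind INSIDE. Removing that rule, which is the first change made above, lets the static rule match instead. The model does not cover object NAT, the later dynamic Internet rule, or the crypto map; the rule names and the INSIDE host set are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class TwiceNatRule:
    """Simplified model of one ASA manual (twice) NAT line:
    nat (INSIDE,OUTSIDE) source static <real_src> <mapped_src>
        destination static <mapped_dst> <real_dst>
    """
    name: str
    real_src: str     # inside host as it exists on the INSIDE
    mapped_src: str   # how that host appears on the OUTSIDE
    real_dst: str     # destination as seen from the INSIDE
    mapped_dst: str   # destination as it exists on the OUTSIDE


# Constructed from the first post; rule names are assumptions.
# Order matters: the ASA evaluates manual NAT rules top-down.
IDENTITY_RULE = TwiceNatRule("VPNnonat", "10.195.10.164", "10.195.10.164",
                             "10.168.0.85", "10.168.0.85")
STATIC_RULE = TwiceNatRule("VPNL2L", "192.168.93.164", "10.195.10.164",
                           "10.168.0.85", "10.168.0.85")

ORIGINAL_RULES: List[TwiceNatRule] = [IDENTITY_RULE, STATIC_RULE]  # as first posted
FIXED_RULES: List[TwiceNatRule] = [STATIC_RULE]  # after the 'no nat ... VPNnonat-SRC' line

# Hosts that really exist behind the INSIDE interface (assumption).
INSIDE_HOSTS = {"192.168.93.164"}


def translate_outbound(rules: List[TwiceNatRule], src: str, dst: str) -> Tuple[Optional[str], str, str]:
    """INSIDE -> OUTSIDE: first rule whose real source and destination match wins.
    Returns (matching rule name or None, translated src, translated dst)."""
    for r in rules:
        if r.real_src == src and r.real_dst in (ANY, dst):
            new_dst = dst if r.real_dst == ANY else r.mapped_dst
            return r.name, r.mapped_src, new_dst
    return None, src, dst


def untranslate_inbound(rules: List[TwiceNatRule], src: str, dst: str) -> Tuple[Optional[str], str, str]:
    """OUTSIDE -> INSIDE: twice NAT is bidirectional, so the same ordered list is
    walked again, now matched on the mapped side; first match wins.
    Returns (matching rule name or None, untranslated src, untranslated dst)."""
    for r in rules:
        if r.mapped_src == dst and r.mapped_dst in (ANY, src):
            new_src = src if r.mapped_dst == ANY else r.real_dst
            return r.name, new_src, r.real_src
    return None, src, dst


def return_traffic_reaches_inside(rules: List[TwiceNatRule], remote: str, mapped_local: str) -> bool:
    """True if decrypted VPN traffic from `remote` to `mapped_local` is untranslated
    to an address that actually exists behind INSIDE."""
    _, _, real_dst = untranslate_inbound(rules, remote, mapped_local)
    return real_dst in INSIDE_HOSTS


if __name__ == "__main__":
    # Outbound ping from the real inside host is translated by the static rule.
    print("outbound:", translate_outbound(ORIGINAL_RULES, "192.168.93.164", "10.168.0.85"))
    # Return traffic: the identity rule hijacks the untranslation in the original
    # order, so the packet is delivered to 10.195.10.164, which is not a real host.
    for label, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        back = untranslate_inbound(rules, "10.168.0.85", "10.195.10.164")
        ok = return_traffic_reaches_inside(rules, "10.168.0.85", "10.195.10.164")
        print(f"{label}: inbound -> {back}, reaches inside host: {ok}")
```

Running the script shows the outbound direction matching VPNL2L in both rule sets, while the inbound direction matches VPNnonat in the original order and VPNL2L only once the identity rule is gone. This is the kind of check that packet-tracer performs on the real ASA, and it is why the order of manual NAT lines matters when a NAT exemption and a static translation share the same mapped address.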