05-27-2012 06:11 PM
Hi all,
I've run into an issue and I'm hoping one (or more!) of you have seen this before.
I've configured an ASA5505 to be a LAN-to-LAN VPN tunnel endpoint, peering with a Linux box. The ASA is fully licensed so that side isn't an issue.
PROBLEM:
When the tunnel is initialised from the Linux box everything comes up okay except the ASA isn't encapsulating any packets. It is decrypting the packets received from the Linux box okay but no return traffic is being encrypted.
When the tunnel is initialised from the ASA, nothing happens.
After some troubleshooting I've found that neither the ACL defining interesting traffic nor the ACL defining NO_NAT is being hit at all.
ACL for NO_NAT:
access-list NO_NAT line 1 remark ACL USED TO DEFINE WHAT TRAFFIC NOT TO NAT OVER THE VPN
access-list NO_NAT line 2 extended permit ip host PAMS_SERVER object-group LINUX-BOXES 0xc736d5fb
access-list NO_NAT line 2 extended permit ip host PAMS_SERVER 10.11.228.0 255.255.255.0 (hitcnt=0)
ACL for interesting traffic:
access-list LNX_IPSEC; 2 elements; name hash: 0xda433bf
access-list LNX_IPSEC line 1 remark ACL USED TO DEFINE WHAT TRAFFIC TO ENCRYPT
access-list LNX_IPSEC line 2 extended permit ip host PAMS_SERVER object-group LINUX-BOXES 0x49989fbd
access-list LNX_IPSEC line 2 extended permit ip host PAMS_SERVER 10.11.228.0 255.255.255.0 (hitcnt=0) 0x6f1aad85
access-list LNX_IPSEC line 3 extended permit ip host 10.1.85.156 object-group LINUX-BOXES 0x034eece3
access-list LNX_IPSEC line 3 extended permit ip host 10.1.85.156 10.11.228.0 255.255.255.0 (hitcnt=0) 0xc3b2fc0b
I've checked with the administrator of the Linux box and the definition for interesting traffic is exactly the same (except in reverse, as should be the case).
The firewall is doing other things like NATs and such like too but those NATs have nothing to do with this VPN. The setup is a LAN to LAN connection with no natting in between.
The main parts of the config are attached. I've deleted things that should have a bearing on this; however, if you think it necessary I can sanitise the config and re-post. I think it will be working fine as long as the traffic hits those ACLs, however it isn't and I'm unsure why.
At this time I'm not seeing anything at all when doing a debug cry ipsec or debug cry isa. The ACLs aren't being hit so I'm guessing it's not even trying to form the VPN as it can't see any traffic that constitutes being 'interesting'.
Has anyone seen this issue before or does anyone have any tips I might be able to use to get it working?
Thanks in advance for any help
Brad
05-27-2012 07:37 PM
How are those hosts (PAMS_Server and 10.1.85.156) being routed? You have not included the routing within the sanitized configuration and I am wondering if routing is correct.
05-27-2012 07:53 PM
Hi Brad,
Please add a static-route on your ASA as shown below.
route OTHER_INT 10.11.228.0 255.255.255.0 192.168.100.X    <<<<<< X = the IP address of your peering device on the other side.
Please let me know, if this helps.
thanks
Rizwan Rafeek
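As an added illustration (not code from this thread or from Cisco), a small Python check for the failure mode discussed above: a crypto ACL only evaluates traffic that is routed out of the interface carrying the crypto map, so a missing or wrong route leaves the hitcnt at 0 and no tunnel is initiated. The route lines, interface names and next-hop addresses below are constructed assumptions, including that the crypto map is applied on OTHER_INT.

```python
import ipaddress
import re

# Constructed sample, not the poster's configuration: assumes the crypto map
# is applied on OTHER_INT and that, before the fix, a broader route sends the
# remote network towards the inside interface instead.
CRYPTO_MAP_IFACE = "OTHER_INT"
ROUTES_BEFORE = """
route OTHER_INT 0.0.0.0 0.0.0.0 192.168.100.1
route inside 10.0.0.0 255.0.0.0 10.1.85.1
"""
ROUTES_AFTER = ROUTES_BEFORE + "route OTHER_INT 10.11.228.0 255.255.255.0 192.168.100.2\n"
CRYPTO_ACL = "access-list LNX_IPSEC extended permit ip host 10.1.85.156 10.11.228.0 255.255.255.0\n"

ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
# Only the numeric 'host SRC NET MASK' form is parsed; object-group entries are skipped.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+host\s+(\S+)\s+(\S+)\s+(\S+)")

def parse_routes(text):
    """Return (interface, network, next_hop) tuples from 'route' lines."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            iface, net, mask, nexthop = m.groups()
            routes.append((iface, ipaddress.ip_network(f"{net}/{mask}", strict=False), nexthop))
    return routes

def egress_interface(routes, dst):
    """Longest-prefix match: the interface the ASA would forward dst out of."""
    best = None
    for iface, net, _ in routes:
        if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net)
    return best[0] if best else None

def check_crypto_acl(acl_text, routes_text, crypto_iface):
    """Crypto ACL entries whose destination does not route out crypto_iface (hitcnt stays 0)."""
    routes = parse_routes(routes_text)
    problems = []
    for line in acl_text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        name, src, net, mask = m.groups()
        dst_net = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        egress = egress_interface(routes, dst_net[1])  # first host as a probe address
        if egress != crypto_iface:
            problems.append((name, src, str(dst_net), egress))
    return problems
```

Running the check against ROUTES_BEFORE flags the LNX_IPSEC entry as routed via inside; with the specific /24 route added (ROUTES_AFTER) the longest-prefix match selects OTHER_INT and the entry is clear.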
05-28-2012 03:02 PM
Hi Jennifer, routing was the key, specifically the router mentioned below by rizwanr74.
Thanks!
05-28-2012 03:03 PM
Hi Rizwanr74,
That was it, thanks for the reply and the help!
Brad