VPN Site-to-site on ASA 5505 unidirectional

vannixiii
Level 1

Good evening,

I recently had an issue trying to configure a site-to-site VPN on ASA 5505 (ver. 9.1(6)).

My need is to connect point A to point B, and point A to point C.

While I've been able to successfully connect A-B, with A-C I have this problem:

The IPsec tunnel comes up (IKEv2), but while C sends packets to A, and A receives them and transmits packets back to C, C doesn't receive these.

I've rebooted both firewalls, checked and compared the configurations of C to B (paying attention to Access Rules, NAT Rules, Group Policies, Tunnel Groups, ACL Rules, Crypto Maps), and they're basically identical. I can't get it to work, though.

Ports on the routers at both sites are open (50, 500, 1701, 4500, 10000). The routers' internal firewalls are off.

Any advice?

3 Replies

Bogdan Nita
VIP Alumni

It looks like you are trying to build a Site-to-Site VPN with Hairpinning.

One of the things I would recommend is to make sure you have functional VPN tunnels between A and B and between A and C.

Another thing to look out for is that you need to have same-security-traffic permit intra-interface on the A ASA.

Here is a config guide for more details (it is using ikev1, but if you have the tunnels running it is pretty much the same config):

https://supportforums.cisco.com/t5/security-documents/how-to-configure-site-to-site-vpn-with-hairpinning-on-cisco-asa/ta-p/3157388

HTH

Bogdan

martvald
Cisco Employee

Hello @vannixiii

Checking your post, it seems you have a problem with the S2S between A and C, but essentially you have problems with the traffic that is being sent to Site C. You need to look for the ESP packets in order to verify if something in the path is dropping them:

1. Place this capture on Site A

cap cap interface outside match esp host <IP FW A> host <IP FW C>

cap asp type asp-drop all

2. Place this capture on Site C

cap cap interface outside match esp host <IP FW C> host <IP FW A>

cap asp type asp-drop all

3. Run this command before you test

clear asp drop

4. After you perform the test, verify that you are receiving the ESP packets; it should say IP-PROTO50 in the capture, and it should be both ways:

show cap cap
show cap asp

Let me know how the tests go; I will be waiting for your response.

HTH

Martha
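As an added example (not from the thread, Cisco, or the ASA itself), a small Python check that applies the "it should be both ways" test in step 4 to saved `show cap cap` output: it counts ESP (ip-proto-50) packets per direction between the two firewall addresses and says which direction, if any, is missing. The packet-line format, the sample capture and the addresses 203.0.113.10 (FW A) and 198.51.100.20 (FW C) are constructed assumptions.

```python
import re
from collections import Counter

# One packet line of `show capture <name>` as assumed here (constructed,
# modelled on ASA output; the thread itself shows no sample), e.g.:
#   "   1: 21:14:02.118432 198.51.100.20 > 203.0.113.10: ip-proto-50, length 132"
PKT_RE = re.compile(r"^\s*\d+:\s+\S+\s+(?P<src>\d+(?:\.\d+){3})\s+>\s+"
                    r"(?P<dst>\d+(?:\.\d+){3}):\s+ip-proto-50\b", re.I)

# Constructed peer addresses standing in for <IP FW A> and <IP FW C>.
FW_A = "203.0.113.10"
FW_C = "198.51.100.20"


def esp_direction_counts(capture_text, local_fw, peer_fw):
    """Count ESP packets seen on this firewall's outside interface, per direction."""
    counts = Counter()
    for line in capture_text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue  # header/footer lines such as "3 packets captured" are skipped
        pair = (m.group("src"), m.group("dst"))
        if pair == (local_fw, peer_fw):
            counts["outbound"] += 1
        elif pair == (peer_fw, local_fw):
            counts["inbound"] += 1
    return counts


def classify(counts):
    """Turn the per-direction counts into the verdict step 4 asks for."""
    if counts["inbound"] and counts["outbound"]:
        return "bidirectional"
    if counts["outbound"]:
        return "unidirectional: ESP sent, none received"
    if counts["inbound"]:
        return "unidirectional: ESP received, none sent"
    return "no ESP seen"


# Constructed capture taken on Site C: C encrypts towards A but never sees A's ESP.
SAMPLE_SITE_C = """3 packets captured
   1: 21:14:02.118432 198.51.100.20 > 203.0.113.10: ip-proto-50, length 132
   2: 21:14:03.118977 198.51.100.20 > 203.0.113.10: ip-proto-50, length 132
   3: 21:14:04.119501 198.51.100.20 > 203.0.113.10: ip-proto-50, length 132
3 packets shown
"""

if __name__ == "__main__":
    c = esp_direction_counts(SAMPLE_SITE_C, FW_C, FW_A)
    print(dict(c), "->", classify(c))
```

If Site C shows "sent, none received" while Site A shows both directions, A's return ESP is being lost between the two outside interfaces, which is where `show cap asp` on each box and the intermediate routers come in.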

Thank you Martha, I'm going to try as soon as possible and give you feedback.