05-06-2014 04:05 AM
I have a site-to-site VPN tunnel configured between 2 ASAs. The tunnelled traffic passes through my internet firewall. Recently I upgraded my internet firewall to 8.4 while my VPN ASAs run the 8.2 image.
After upgrading my internet firewall to 8.4, the VPN tunnel went down. I can see encrypted packets increasing on the VPN box behind my internet ASA but don't see any decrypted packets. Nor can I see hits on the internet firewall.
Is there something I have to look at in the 8.4 configuration on my internet firewall?
05-06-2014 04:44 AM
Hi!
In case you use NAT for your internal VPN box and upgraded your internet ASA from a pre-8.3 version to 8.4, check the following document: http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/upgrading/migrating.html
Basically you should change your inbound ACL rule to allow VPN traffic towards the internal IP address of the VPN box and make a NAT rule from the external public IP to the inside internal IP.
cheers,
Dimitri
08-27-2014 11:11 PM
Hi,
There are notable changes in ACL and NAT syntax in the new 8.3+ versions of ASA. If you have NAT or NAT exemption, you need to modify that accordingly. Also, your ACLs should reflect the real IPs of the segment rather than the NATed IPs. So you need to take care of all these things.
Eg:
Earlier, in version 8.2, for your inbound ACL, which is applied on the outside interface, you could have a rule like this:
access-list inbound permit ip host 1.1.1.1 host 2.2.2.2
(where 1.1.1.1 is the source from outside and 2.2.2.2 is the NATed IP address of the segment, which has a private IP segment as its real IP, say 10.1.1.1)
Your new 8.3+ version should have:
access-list inbound permit ip host 1.1.1.1 host 10.1.1.1
Regards
Karthik
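The migration Karthik describes (ACLs that referenced the mapped, NATed address in 8.2 must reference the real address in 8.3+, and the old `static` translations become object NAT) is easy to miss on a long config. The following script is an added example, not code from the thread or from Cisco: it parses a constructed 8.2-style fragment using Karthik's sample addresses, flags inbound ACL entries whose destination host is a mapped address, and emits the 8.3+ equivalent. It assumes one-to-one host `static` entries and `host` keywords on both sides of the ACL; anything else is left untouched.

```python
import re

# Constructed ASA 8.2-style config fragment (sample data, not from the thread).
CONFIG_8_2 = """\
static (inside,outside) 2.2.2.2 10.1.1.1 netmask 255.255.255.255
access-list inbound extended permit ip host 1.1.1.1 host 2.2.2.2
access-list inbound extended permit udp host 1.1.1.1 host 2.2.2.2 eq isakmp
access-list inbound extended permit ip host 1.1.1.1 host 10.1.1.1
access-group inbound in interface outside
"""

# Pre-8.3 one-to-one static: static (real_if,mapped_if) mapped real ...
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")


def parse_statics(config):
    """Map each pre-8.3 'static' mapped (NATed) address to its real address."""
    mapped_to_real = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            mapped_to_real[m.group(3)] = m.group(4)
    return mapped_to_real


def find_mapped_acl_entries(config):
    """Return (line, mapped, real) for ACL entries whose destination host is a mapped address."""
    mapped_to_real = parse_statics(config)
    hits = []
    for line in config.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        # 'host X' pairs in order: first is source, second is destination
        hosts = [tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t == "host"]
        if len(hosts) == 2 and hosts[1] in mapped_to_real:
            hits.append((line, hosts[1], mapped_to_real[hosts[1]]))
    return hits


def migrate(config):
    """Return the 8.3+ equivalent: ACLs on real IPs, object NAT in place of each 'static'."""
    flagged = {line: (mapped, real) for line, mapped, real in find_mapped_acl_entries(config)}
    out = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            real_if, mapped_if, mapped, real = m.groups()
            out += [f"object network obj-{real}", f" host {real}",
                    f" nat ({real_if},{mapped_if}) static {mapped}"]
        elif line in flagged:
            mapped, real = flagged[line]
            idx = line.rfind(f"host {mapped}")  # destination is the last 'host' token
            out.append(line[:idx] + f"host {real}" + line[idx + len(f"host {mapped}"):])
        else:
            out.append(line)
    return out
```

Run `find_mapped_acl_entries` against the pre-upgrade config before migrating; every hit is an ACL entry that will silently stop matching once the 8.3+ code evaluates ACLs on real addresses.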