VPN tunnel went down after upgrading intermediate ASA to 8.4

I have a site-to-site VPN tunnel configured between 2 ASAs. The tunnelled traffic passes through my internet firewall. Recently I upgraded my internet firewall to 8.4 while my VPN ASAs run the 8.2 image.

After upgrading my internet firewall to 8.4, the VPN tunnel went down. I can see encrypted packets increasing on the VPN box behind my internet ASA but don't see any decrypted packets. Nor can I see hits on the internet firewall.

Is there something I have to look at in the 8.4 configuration on my internet firewall?

2 Replies

dzuodar
Level 1

Hi!

In case you use NAT for your internal VPN box and upgraded your internet ASA from a pre-8.3 version to 8.4, check the following document: http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/upgrading/migrating.html

Basically you should change your inbound ACL rule to allow VPN traffic towards the internal IP address of the VPN box and make a NAT rule with source external public IP to inside internal IP.

cheers,

Dimitri

nkarthikeyan
Level 7

Hi,

There are notable changes in ACL and NAT syntax in the new 8.3+ version of ASA. If you have NAT or NAT exemption, you need to modify that accordingly. Also your ACLs should reflect the real IPs of the segment rather than the NATed IP. So all these things you need to take care of.

Eg:

Earlier, in version 8.2, for your inbound ACL, which is applied on the outside interface, you could have mentioned a rule like this:

access-list inbound permit ip host 1.1.1.1 host 2.2.2.2

(where 1.1.1.1 is the source from outside and 2.2.2.2 is the NATed IP address of the segment, which has a private IP segment as its real IP, say 10.1.1.1)

Your new version 8.3+ should have:

access-list inbound permit ip host 1.1.1.1 host 10.1.1.1

Regards

Karthik
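Both replies describe the same 8.3+ migration step: inbound ACLs must reference the real (inside) address of the NATed host rather than its mapped public address, and the static translation itself becomes an object NAT. The following script is an added example written for this thread, not Cisco's migration tool and not anything posted by the participants. It takes a pre-8.3 ACL and a mapped-to-real NAT table, rewrites host entries to the 8.3+ real-IP form, emits the matching object NAT, and audits an ACL for entries that still reference a mapped address. The addresses reuse the thread's 1.1.1.1, 2.2.2.2 and 10.1.1.1; the extra 3.3.3.3 line, the interface names inside/outside, and the object naming scheme are constructed assumptions.

```python
import re
from ipaddress import ip_address

# Constructed sample data for this example: mapped (public) address -> real (inside) address,
# i.e. the static NAT that existed on the pre-8.3 internet firewall.
NAT_TABLE = {"2.2.2.2": "10.1.1.1"}

# Constructed pre-8.3 inbound ACL: destinations are written with the mapped address.
PRE_83_ACL = [
    "access-list inbound permit ip host 1.1.1.1 host 2.2.2.2",
    "access-list inbound extended permit udp host 3.3.3.3 host 2.2.2.2 eq 500",
    "access-list inbound deny ip any any",
]

# Matches the simple host-to-host ACE shape used in the thread; an optional trailing
# port specification (e.g. "eq 500") is preserved verbatim in 'rest'.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<ext>extended\s+)?(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+host\s+(?P<src>\S+)\s+host\s+(?P<dst>\S+)(?P<rest>.*)$"
)


def migrate_ace(line, nat_table):
    """Rewrite one host/host ACE so that mapped addresses become real addresses (8.3+ form).

    Returns (new_line, changed). Lines that do not match the host/host shape are returned as-is,
    so the caller can review them by hand instead of silently dropping them.
    """
    m = ACE_RE.match(line.strip())
    if not m:
        return line, False
    src = nat_table.get(m["src"], m["src"])
    dst = nat_table.get(m["dst"], m["dst"])
    ext = m["ext"] or ""
    new = (f"access-list {m['name']} {ext}{m['action']} {m['proto']} "
           f"host {src} host {dst}{m['rest']}")
    return new, (src, dst) != (m["src"], m["dst"])


def migrate_acl(lines, nat_table):
    """Apply migrate_ace to every line of an ACL and return the 8.3+ version."""
    return [migrate_ace(line, nat_table)[0] for line in lines]


def audit_acl(lines, nat_table):
    """Return the ACL lines that still reference a mapped address.

    After a correct 8.3+ migration this list should be empty; a non-empty result is the
    usual reason an inbound rule (such as one for a VPN peer) stops matching.
    """
    mapped = set(nat_table)
    return [line for line in lines if any(tok in mapped for tok in line.split())]


def object_nat_statements(nat_table, inside_if="inside", outside_if="outside"):
    """Emit 8.3+ object NAT config for each static mapping.

    The object name "obj-<real-ip-with-dashes>" and the interface names are assumptions
    made for this example; adjust them to the firewall's own naming.
    """
    out = []
    for mapped, real in nat_table.items():
        ip_address(mapped)  # raise early on a malformed table entry
        ip_address(real)
        obj = "obj-" + real.replace(".", "-")
        out.append(f"object network {obj}")
        out.append(f" host {real}")
        out.append(f" nat ({inside_if},{outside_if}) static {mapped}")
    return out


if __name__ == "__main__":
    print("# Pre-8.3 lines still referencing mapped addresses:")
    for line in audit_acl(PRE_83_ACL, NAT_TABLE):
        print("  ", line)
    print("# 8.3+ ACL:")
    for line in migrate_acl(PRE_83_ACL, NAT_TABLE):
        print("  ", line)
    print("# 8.3+ object NAT:")
    for line in object_nat_statements(NAT_TABLE):
        print("  ", line)
```

Run it once against the exported pre-8.3 ACL and NAT table; the audit output is the list of rules to fix, and an empty audit on the migrated ACL is the check that no inbound rule still points at a mapped address.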