Site-to-Site VPN routing?

Have a question or want to start a discussion? Post it! No Registration Necessary.  Now with pictures!

Threaded View
Cisco ASA 8, ASDM 6.

I set up a IPSEC shared secret VPN with a customer.

The tunnel comes up fine, but I do not believe that any traffic is crossing it.

Pings fail, etc.

Looking at the log, I see the tunnel come up. Phase 1 and 2 successful.

Is there a trick to get the traffic to flow across the VPN??


Please advise, I am at my wits end on this one.




--
--
Steven

http://www.teamvie.ws





Re: Site-to-Site VPN routing?

Quoted text here. Click to load it






A common problem in such cases would be a mismatch between the
NAT definitions and the tunnel access-list definitions. The access
lists defined for the tunnel must be written in terms of what
would be on the wire *after* NAT takes place (for outgoing packets)
or before NAT takes place (for incoming packets).

Another issue is that listing traffic in a tunnel access-list
does not automatically permit the traffic through the outside
access group. After the traffic has been de-encapsulated, but
before it is de-NAT'd, the interface access group 'in' is checked,
and only traffic that passes the access-group is permitted inward.
However, there is a command you can use that will permit this
access-group check to be bypassed for *all* traffic that arrives
via VPN.

In PIX 6, the command was

sysopt connection permit-ipsec

I see that by ASA 8, it is

sysopt connection permit-vpn

Re: Site-to-Site VPN routing?
Walter Roberson wrote:
Quoted text here. Click to load it

Cisco has a document that deals with NAT Order of Operations. Might be
good to refer to it.

Quoted text here. Click to load it

If you use the following as the last ACE (Access Control Entry) in your
interface ACLs:

deny ip any any log

... and examine the resulting syslog entries, you might get a better
handle on any ACL issues that exist.

Crypto ACLs need to be exactly mirrored, without exceptions.

If you can get a sniffer on the WAN side of your device, you might very
quickly determine if you have asymmetric operation as a result of crypto
ACLs not being correctly mirrored. Some traffic that you expect to be
encrypted, would not be, and it gets dropped.

Quoted text here. Click to load it

Best Regards,
News Reader

Site Timeline