Site-to-Site VPN routing?

Cisco ASA 8, ASDM 6.

I set up an IPSEC shared secret VPN with a customer.

The tunnel comes up fine, but I do not believe that any traffic is crossing it.

Pings fail, etc.

Looking at the log, I see the tunnel come up. Phase 1 and 2 successful.

Is there a trick to get the traffic to flow across the VPN?

Please advise, I am at my wit's end on this one.

steveb

A common problem in such cases would be a mismatch between the NAT definitions and the tunnel access-list definitions. The access lists defined for the tunnel must be written in terms of what would be on the wire *after* NAT takes place (for outgoing packets) or before NAT takes place (for incoming packets).

Another issue is that listing traffic in a tunnel access-list does not automatically permit the traffic through the outside access group. After the traffic has been de-encapsulated, but before it is de-NAT'd, the interface access group 'in' is checked, and only traffic that passes the access-group is permitted inward. However, there is a command you can use that will permit this access-group check to be bypassed for *all* traffic that arrives via VPN.

In PIX 6, the command was

sysopt connection permit-ipsec

I see that by ASA 8, it is

sysopt connection permit-vpn

Walter Roberson

Cisco has a document that deals with NAT Order of Operations. Might be good to refer to it.

If you use the following as the last ACE (Access Control Entry) in your interface ACLs:

deny ip any any log

... and examine the resulting syslog entries, you might get a better handle on any ACL issues that exist.

Crypto ACLs need to be exactly mirrored, without exceptions.

If you can get a sniffer on the WAN side of your device, you might very quickly determine if you have asymmetric operation as a result of crypto ACLs not being correctly mirrored. Some traffic that you expect to be encrypted would not be, and it gets dropped.

Best Regards, News Reader

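One way to check the "exactly mirrored" requirement before opening a case with the peer, as an added example that is not from any poster in this thread: parse the permit-ip ACEs of both peers' crypto ACLs (ASA 8 syntax, netmask form) and list every entry that has no exact source/destination mirror on the other side. The config lines, ACL names and addresses below are constructed samples, not taken from the thread.

```python
import ipaddress
import re

# Constructed sample crypto ACLs (ASA 8 syntax); the second remote ACE
# covers a /24 where the local side lists a single host, so they are not mirrored.
LOCAL_ACL = """
access-list TO_CUSTOMER extended permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list TO_CUSTOMER extended permit ip host 10.1.9.5 192.168.60.0 255.255.255.0
"""
REMOTE_ACL = """
access-list TO_HQ extended permit ip 192.168.50.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list TO_HQ extended permit ip 192.168.60.0 255.255.255.0 10.1.9.0 255.255.255.0
"""

# Only "permit ip" ACEs matter for what gets encrypted; everything else is ignored.
ACE_RE = re.compile(r"^access-list\s+\S+\s+extended\s+permit\s+ip\s+(.+)$")


def _take_addr(tokens):
    """Consume one ASA address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ASA writes a netmask (not a wildcard); ipaddress accepts "addr/netmask".
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_crypto_acl(text):
    """Return the set of (src, dst) network pairs from the permit-ip ACEs."""
    pairs = set()
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        src, rest = _take_addr(m.group(1).split())
        dst, _ = _take_addr(rest)
        pairs.add((src, dst))
    return pairs


def mirror_gaps(local, remote):
    """Return (local_only, remote_only): ACEs lacking an exact mirror on the other peer."""
    local_pairs = parse_crypto_acl(local)
    remote_mirrored = {(dst, src) for (src, dst) in parse_crypto_acl(remote)}
    return sorted(local_pairs - remote_mirrored), sorted(remote_mirrored - local_pairs)


if __name__ == "__main__":
    local_only, remote_only = mirror_gaps(LOCAL_ACL, REMOTE_ACL)
    print("local ACEs with no mirror :", [(str(s), str(d)) for s, d in local_only])
    print("remote ACEs with no mirror:", [(str(s), str(d)) for s, d in remote_only])
```

Any pair reported in either list is traffic one peer will encrypt and the other will not match to the tunnel, which is exactly the asymmetric behaviour a WAN-side sniffer would show.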
