Site-to-Site VPN routing?

Discussion in 'Cisco' started by steveb, Apr 1, 2008.

  1. steveb

    steveb Guest

    Cisco ASA 8, ASDM 6.

    I set up an IPsec shared-secret VPN with a customer.

    The tunnel comes up fine, but I do not believe that any traffic is crossing it.

    Pings fail, etc.

    Looking at the log, I see the tunnel come up. Phase 1 and 2 successful.

    Is there a trick to get the traffic to flow across the VPN?


    Please advise, I am at my wits' end on this one.




    --
    Steven

    http://www.teamvie.ws
     
    steveb, Apr 1, 2008
    #1

  2. In article <fsu4t7$6hk$>, steveb <> wrote:
    > Cisco ASA 8, ASDM 6.
    > I set up an IPsec shared-secret VPN with a customer.
    > The tunnel comes up fine, but I do not believe that any traffic is crossing it.
    > Pings fail, etc.
    > Looking at the log, I see the tunnel come up. Phase 1 and 2 successful.
    > Is there a trick to get the traffic to flow across the VPN?


    A common problem in such cases would be a mismatch between the
    NAT definitions and the tunnel access-list definitions. The access
    lists defined for the tunnel must be written in terms of what
    would be on the wire *after* NAT takes place (for outgoing packets)
    or before NAT takes place (for incoming packets).

    Another issue is that listing traffic in a tunnel access-list
    does not automatically permit the traffic through the outside
    access group. After the traffic has been de-encapsulated, but
    before it is de-NAT'd, the interface access group 'in' is checked,
    and only traffic that passes the access-group is permitted inward.
    However, there is a command you can use that will permit this
    access-group check to be bypassed for *all* traffic that arrives
    via VPN.

    In PIX 6, the command was

    sysopt connection permit-ipsec

    I see that by ASA 8, it is

    sysopt connection permit-vpn
     
    Walter Roberson, Apr 1, 2008
    #2

  3. News Reader

    News Reader Guest

    Walter Roberson wrote:
    > In article <fsu4t7$6hk$>, steveb <> wrote:
    >> Cisco ASA 8, ASDM 6.
    >> I set up an IPsec shared-secret VPN with a customer.
    >> The tunnel comes up fine, but I do not believe that any traffic is crossing it.
    >> Pings fail, etc.
    >> Looking at the log, I see the tunnel come up. Phase 1 and 2 successful.
    >> Is there a trick to get the traffic to flow across the VPN?
    >
    > A common problem in such cases would be a mismatch between the
    > NAT definitions and the tunnel access-list definitions. The access
    > lists defined for the tunnel must be written in terms of what
    > would be on the wire *after* NAT takes place (for outgoing packets)
    > or before NAT takes place (for incoming packets).
    >

    Cisco has a document that deals with NAT Order of Operations. Might be
    good to refer to it.

    > Another issue is that listing traffic in a tunnel access-list
    > does not automatically permit the traffic through the outside
    > access group. After the traffic has been de-encapsulated, but
    > before it is de-NAT'd, the interface access group 'in' is checked,
    > and only traffic that passes the access-group is permitted inward.
    > However, there is a command you can use that will permit this
    > access-group check to be bypassed for *all* traffic that arrives
    > via VPN.


    If you use the following as the last ACE (Access Control Entry) in your
    interface ACLs:

    deny ip any any log

    ... and examine the resulting syslog entries, you might get a better
    handle on any ACL issues that exist.

    Crypto ACLs need to be exactly mirrored, without exceptions.

    If you can get a sniffer on the WAN side of your device, you might very
    quickly determine if you have asymmetric operation as a result of crypto
    ACLs not being correctly mirrored. Some traffic that you expect to be
    encrypted would not be, and it gets dropped.

    >
    > In PIX 6, the command was
    >
    > sysopt connection permit-ipsec
    >
    > I see that by ASA 8, it is
    >
    > sysopt connection permit-vpn


    Best Regards,
    News Reader
     
    News Reader, Apr 1, 2008
    #3
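As an added example (not part of the thread, and not a Cisco tool), the following Python script checks a pair of ASA 8.0 configurations (pre-8.3 NAT syntax, where NAT exemption is `nat (ifc) 0 access-list NAME`) for the three conditions raised in the two replies above: the crypto ACLs on both peers are exact mirrors, every crypto ACE is covered by a NAT-exemption ACE so the addresses on the wire match what the crypto ACL names, and `sysopt connection permit-vpn` is present. The configuration lines, ACL and crypto-map names, and peer addresses are constructed for the example; the parser understands only `extended permit ip` entries with `any`, `host` or address/mask operands, not object-groups or port-specific ACEs.

```python
"""Audit two ASA (pre-8.3 syntax) site-to-site VPN configs for the faults
discussed in the thread.  Constructed example, not a Cisco utility."""
import ipaddress
from typing import Dict, List, NamedTuple, Set, Tuple


class Ace(NamedTuple):
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


class AsaConfig(NamedTuple):
    acls: Dict[str, List[Ace]]   # access-list name -> permit-ip ACEs
    nat_exempt: Set[str]         # ACL names referenced by 'nat (ifc) 0 access-list NAME'
    crypto_acls: Set[str]        # ACL names referenced by 'crypto map ... match address'
    permit_vpn: bool             # 'sysopt connection permit-vpn' present


def _addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one ASA address operand: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text: str) -> AsaConfig:
    """Pick out the lines that matter for a site-to-site tunnel; ignore the rest."""
    acls: Dict[str, List[Ace]] = {}
    nat_exempt: Set[str] = set()
    crypto_acls: Set[str] = set()
    permit_vpn = False
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _addr(t, 5)
            dst, _ = _addr(t, i)
            acls.setdefault(t[1], []).append(Ace(src, dst))
        elif t[0] == "nat" and len(t) >= 5 and t[2] == "0" and t[3] == "access-list":
            nat_exempt.add(t[4])
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            crypto_acls.add(t[6])
        elif t == ["sysopt", "connection", "permit-vpn"]:
            permit_vpn = True
    return AsaConfig(acls, nat_exempt, crypto_acls, permit_vpn)


def _crypto_aces(cfg: AsaConfig) -> Set[Ace]:
    return {ace for name in cfg.crypto_acls for ace in cfg.acls.get(name, [])}


def audit(local_text: str, remote_text: str) -> List[str]:
    """Findings for the local side given the peer's config; empty list means consistent."""
    local, remote = parse_config(local_text), parse_config(remote_text)
    findings: List[str] = []
    lcrypto = _crypto_aces(local)
    rmirror = {Ace(a.dst, a.src) for a in _crypto_aces(remote)}

    # 1. Crypto ACLs must be exact mirrors: same networks, swapped direction.
    for ace in sorted(lcrypto - rmirror, key=str):
        findings.append(f"crypto ACE {ace.src} -> {ace.dst} has no mirror on the peer")
    for ace in sorted(rmirror - lcrypto, key=str):
        findings.append(f"peer expects {ace.src} -> {ace.dst} but local crypto ACL lacks it")

    # 2. Every crypto ACE must be NAT-exempt; otherwise the packet on the wire
    #    after NAT no longer matches the crypto ACL and never enters the tunnel.
    exempt = [ace for name in local.nat_exempt for ace in local.acls.get(name, [])]
    for ace in sorted(lcrypto, key=str):
        if not any(ace.src.subnet_of(e.src) and ace.dst.subnet_of(e.dst) for e in exempt):
            findings.append(f"crypto ACE {ace.src} -> {ace.dst} is not covered by a nat 0 (NAT-exempt) ACL")

    # 3. Decrypted traffic still hits the outside interface ACL unless bypassed.
    if not local.permit_vpn:
        findings.append("sysopt connection permit-vpn is absent; the outside ACL must permit decrypted traffic explicitly")
    return findings


# Constructed sample configs (names and addresses are illustrative).
LOCAL_OK = """
access-list nonat extended permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list outside_cryptomap extended permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 203.0.113.2
sysopt connection permit-vpn
"""

REMOTE_OK = """
access-list nonat extended permit ip 192.168.50.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list nonat
access-list outside_cryptomap extended permit ip 192.168.50.0 255.255.255.0 10.1.0.0 255.255.0.0
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 203.0.113.1
sysopt connection permit-vpn
"""

# The same local side with the classic mistakes: no NAT exemption, no sysopt,
# and a crypto ACL naming a /24 where the peer mirrors a /16.
LOCAL_BROKEN = """
access-list outside_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 203.0.113.2
"""

if __name__ == "__main__":
    for label, pair in (("good pair", (LOCAL_OK, REMOTE_OK)), ("broken local side", (LOCAL_BROKEN, REMOTE_OK))):
        print(label, "->", audit(*pair) or ["OK"])
```

Run it against your own two `show running-config` outputs; a non-empty list points at the side and ACE to fix. It only reasons about `permit ip` entries, so a tunnel whose crypto ACL is port- or protocol-specific needs the same mirror check done by hand.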
