Got a problem with an ASA not sending traffic back down a tunnel.
The tunnel comes up, I can see from the VPN monitor that traffic is received from the remote network. I can see from a PCAP that the ICMP packet is being received by the local ASA, sent to the host on the LAN , that the host is then replying and the ICMP reply is being received by the ASA on the inside interface.
Unfortunately I never see an encrypted packet leaving the ASA on the outside interface and no Tx on the VPN monitor.
I've checked Packet Tracer and the ASA expects the traffic to be tunnelled... really not sure why this has suddenly stopped working since Friday, it's unlikley that anybody has fiddled with the box. The relevant config is attached.
Any suggestions welcome!
name 10.10.0.0 RB_VLANS
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.0.0 RB_VLANS 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 RB_VLANS 255.255.0.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.0.0.0 255.255.0.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 82.109.x.x
crypto map outside_map 1 set transform-set ESP-3DES-SHA
aw-fw# sho ver
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)
Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"
aw-fw up 32 days 22 hours
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Int: Internal-Data0/0 : address is f866.f257.500e, irq 11
1: Ext: Ethernet0/0 : address is f866.f257.5006, irq 255
2: Ext: Ethernet0/1 : address is f866.f257.5007, irq 255
3: Ext: Ethernet0/2 : address is f866.f257.5008, irq 255
4: Ext: Ethernet0/3 : address is f866.f257.5009, irq 255
5: Ext: Ethernet0/4 : address is f866.f257.500a, irq 255
6: Ext: Ethernet0/5 : address is f866.f257.500b, irq 255
7: Ext: Ethernet0/6 : address is f866.f257.500c, irq 255
8: Ext: Ethernet0/7 : address is f866.f257.500d, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 50
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.