Solved

Cisco ASA IPsec VPN Encrypt/Decrypts Only Happening on one side

Posted on 2011-02-10
3
3,948 Views
Last Modified: 2012-05-11
I have an issue where packet encrypt/decrypt is only happening on one side.  When I view the "sh ipsec sa" command, I only see encryption(corp) on one side and decryption(remote site) on the other side.  There is nothing happening on the other side.  The IKE and IPsec Tunnels are being established, but just can't pass any data because it will not return the one way.

I believe this is due to a NAT issue, but can't for the life of me seem to figure it out.  I have 12 other active L2L connections on our Corp Office router.  I have been working on this issue for over three days and have attempted to recreate the connection many times through both the CLI and ASDM wizard, but no luck.  I am at a loss and have tried everything I know possible.  The syslogs are all showing a successful phase 1 and 2 completion.   I'm know things should be good for nat on the CO router since all the other connections are working properly.  I have compared the remote router's config to working remote sites and they are all configured almost identically.

Does anyone know how to resolve this matter an what commands it might take?  I have attached part of the configs from both sites that are related to the VPN, ACL and NAT configs.

Remote Site (which is decrypting properly)
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set strong esp-aes-256 esp-md5-hmac
crypto map IPSECMAP 100 match address crypto
crypto map IPSECMAP 100 set peer 216.x.x.x
crypto map IPSECMAP 100 set transform-set strong
crypto map IPSECMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 4
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
tunnel-group 216.x.x.x type ipsec-l2l
tunnel-group 216.x.x.x ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0

access-list crypto extended permit ip 10.1.8.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.8.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 extended permit ip 10.1.8.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list MATCH extended permit ip 10.1.8.0 255.255.255.0 192.168.1.0 255.255.255.0


Corp Office (which is encrypting properly)
nat (outside) 0 access-list outside_nat0_outbound
nat (outside) 0 access-list outside_nat0_inbound outside
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (management) 0 access-list management_nat0_outbound

crypto map outside_map 193 match address outside_193_cryptomap
crypto map outside_map 193 set peer 72.x.x.x
crypto map outside_map 193 set transform-set strong


access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.1.8.0 255.255.255.0
access-list outside_193_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.1.8.0 255.255.255.0

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 5
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
0
Comment
Question by:m1010
3 Comments
 
LVL 9

Accepted Solution

by:
gavving earned 500 total points
ID: 34868404
So this behavior means that traffic is flowing from the corp office to the remote office, but not back.  The access-lists for the VPN and the NAT look fine, so lets check other possible issues.

Is the 10.1.8.0/24 network a locally attached network on the remote end, or are you routing to it through a router?  From the remote end are you able to ping a device on the 10.1.8.0/24 network?

What does the route table look like on both ends?  Is there a static route that might be routing traffic incorrectly?  'show run route' will show us the route configurations.

Have you tried a 'clear xlate'?  Sometimes if you setup the nonat configuration after you've attempted other configurations you have to 'clear xlate' before the previous NAT configuration is cleared and the new one works.

0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34870265
So what's the reason you put these in (at the corp office)?

nat (outside) 0 access-list outside_nat0_outbound
nat (outside) 0 access-list outside_nat0_inbound outside
0
 

Author Closing Comment

by:m1010
ID: 34871337
Gavving,

That was it... I entered "clear xlate" and everything came up properly.  This problem has been driving me crazy, as I saw all the correct ACL and NAT's being hit while successfully form the IKE and IPsec tunnels.  I'm suprised that didn't get cleared when rebooting, but everything seems to be working great now.

Thank you very much for all of your assistance.  I was at a loss of what else to try.  I sincerely appreciate all of your help and wish I could give you more than 500 points for saving my a**!
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now