Cisco ASA IPsec VPN Encrypt/Decrypts Only Happening on one side

Posted on 2011-02-10
Last Modified: 2012-05-11
I have an issue where packet encrypt/decrypt is only happening on one side.  When I view the "sh ipsec sa" command, I only see encryption(corp) on one side and decryption(remote site) on the other side.  There is nothing happening on the other side.  The IKE and IPsec Tunnels are being established, but just can't pass any data because it will not return the one way.

I believe this is due to a NAT issue, but can't for the life of me seem to figure it out.  I have 12 other active L2L connections on our Corp Office router.  I have been working on this issue for over three days and have attempted to recreate the connection many times through both the CLI and ASDM wizard, but no luck.  I am at a loss and have tried everything I know possible.  The syslogs are all showing a successful phase 1 and 2 completion.   I'm know things should be good for nat on the CO router since all the other connections are working properly.  I have compared the remote router's config to working remote sites and they are all configured almost identically.

Does anyone know how to resolve this matter an what commands it might take?  I have attached part of the configs from both sites that are related to the VPN, ACL and NAT configs.

Remote Site (which is decrypting properly)
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set strong esp-aes-256 esp-md5-hmac
crypto map IPSECMAP 100 match address crypto
crypto map IPSECMAP 100 set peer 216.x.x.x
crypto map IPSECMAP 100 set transform-set strong
crypto map IPSECMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 4
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
tunnel-group 216.x.x.x type ipsec-l2l
tunnel-group 216.x.x.x ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1

access-list crypto extended permit ip
access-list nonat extended permit ip
access-list 101 extended permit ip
access-list MATCH extended permit ip

Corp Office (which is encrypting properly)
nat (outside) 0 access-list outside_nat0_outbound
nat (outside) 0 access-list outside_nat0_inbound outside
nat (inside) 0 access-list nonat
nat (inside) 1
nat (management) 0 access-list management_nat0_outbound

crypto map outside_map 193 match address outside_193_cryptomap
crypto map outside_map 193 set peer 72.x.x.x
crypto map outside_map 193 set transform-set strong

access-list nonat extended permit ip
access-list outside_193_cryptomap extended permit ip

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 5
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
Question by:m1010
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Accepted Solution

gavving earned 500 total points
ID: 34868404
So this behavior means that traffic is flowing from the corp office to the remote office, but not back.  The access-lists for the VPN and the NAT look fine, so lets check other possible issues.

Is the network a locally attached network on the remote end, or are you routing to it through a router?  From the remote end are you able to ping a device on the network?

What does the route table look like on both ends?  Is there a static route that might be routing traffic incorrectly?  'show run route' will show us the route configurations.

Have you tried a 'clear xlate'?  Sometimes if you setup the nonat configuration after you've attempted other configurations you have to 'clear xlate' before the previous NAT configuration is cleared and the new one works.

LVL 35

Expert Comment

by:Ernie Beek
ID: 34870265
So what's the reason you put these in (at the corp office)?

nat (outside) 0 access-list outside_nat0_outbound
nat (outside) 0 access-list outside_nat0_inbound outside

Author Closing Comment

ID: 34871337

That was it... I entered "clear xlate" and everything came up properly.  This problem has been driving me crazy, as I saw all the correct ACL and NAT's being hit while successfully form the IKE and IPsec tunnels.  I'm suprised that didn't get cleared when rebooting, but everything seems to be working great now.

Thank you very much for all of your assistance.  I was at a loss of what else to try.  I sincerely appreciate all of your help and wish I could give you more than 500 points for saving my a**!

Featured Post

MIM Survival Guide for Service Desk Managers

Major incidents can send mastered service desk processes into disorder. Systems and tools produce the data needed to resolve these incidents, but your challenge is getting that information to the right people fast. Check out the Survival Guide and begin bringing order to chaos.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
You deserve ‘straight talk’ from your cloud provider about your risk, your costs, security, uptime and the processes that are in place to protect your mission-critical applications.
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question