[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4685
  • Last Modified:

Cisco ASA IPsec VPN Encrypt/Decrypts Only Happening on one side

I have an issue where packet encrypt/decrypt is only happening on one side.  When I view the "sh ipsec sa" command, I only see encryption(corp) on one side and decryption(remote site) on the other side.  There is nothing happening on the other side.  The IKE and IPsec Tunnels are being established, but just can't pass any data because it will not return the one way.

I believe this is due to a NAT issue, but can't for the life of me seem to figure it out.  I have 12 other active L2L connections on our Corp Office router.  I have been working on this issue for over three days and have attempted to recreate the connection many times through both the CLI and ASDM wizard, but no luck.  I am at a loss and have tried everything I know possible.  The syslogs are all showing a successful phase 1 and 2 completion.   I'm know things should be good for nat on the CO router since all the other connections are working properly.  I have compared the remote router's config to working remote sites and they are all configured almost identically.

Does anyone know how to resolve this matter an what commands it might take?  I have attached part of the configs from both sites that are related to the VPN, ACL and NAT configs.

Remote Site (which is decrypting properly)
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set strong esp-aes-256 esp-md5-hmac
crypto map IPSECMAP 100 match address crypto
crypto map IPSECMAP 100 set peer 216.x.x.x
crypto map IPSECMAP 100 set transform-set strong
crypto map IPSECMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 4
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
tunnel-group 216.x.x.x type ipsec-l2l
tunnel-group 216.x.x.x ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0

access-list crypto extended permit ip 10.1.8.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.8.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 extended permit ip 10.1.8.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list MATCH extended permit ip 10.1.8.0 255.255.255.0 192.168.1.0 255.255.255.0


Corp Office (which is encrypting properly)
nat (outside) 0 access-list outside_nat0_outbound
nat (outside) 0 access-list outside_nat0_inbound outside
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (management) 0 access-list management_nat0_outbound

crypto map outside_map 193 match address outside_193_cryptomap
crypto map outside_map 193 set peer 72.x.x.x
crypto map outside_map 193 set transform-set strong


access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.1.8.0 255.255.255.0
access-list outside_193_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.1.8.0 255.255.255.0

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 5
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
0
m1010
Asked:
m1010
1 Solution
 
gavvingCommented:
So this behavior means that traffic is flowing from the corp office to the remote office, but not back.  The access-lists for the VPN and the NAT look fine, so lets check other possible issues.

Is the 10.1.8.0/24 network a locally attached network on the remote end, or are you routing to it through a router?  From the remote end are you able to ping a device on the 10.1.8.0/24 network?

What does the route table look like on both ends?  Is there a static route that might be routing traffic incorrectly?  'show run route' will show us the route configurations.

Have you tried a 'clear xlate'?  Sometimes if you setup the nonat configuration after you've attempted other configurations you have to 'clear xlate' before the previous NAT configuration is cleared and the new one works.

0
 
Ernie BeekCommented:
So what's the reason you put these in (at the corp office)?

nat (outside) 0 access-list outside_nat0_outbound
nat (outside) 0 access-list outside_nat0_inbound outside
0
 
m1010Author Commented:
Gavving,

That was it... I entered "clear xlate" and everything came up properly.  This problem has been driving me crazy, as I saw all the correct ACL and NAT's being hit while successfully form the IKE and IPsec tunnels.  I'm suprised that didn't get cleared when rebooting, but everything seems to be working great now.

Thank you very much for all of your assistance.  I was at a loss of what else to try.  I sincerely appreciate all of your help and wish I could give you more than 500 points for saving my a**!
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now