Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Cisco ASA IPsec VPN Encrypt/Decrypts Only Happening on one side

Posted on 2011-02-10
Last Modified: 2012-05-11
I have an issue where packet encrypt/decrypt is only happening on one side.  When I view the "sh ipsec sa" command, I only see encryption(corp) on one side and decryption(remote site) on the other side.  There is nothing happening on the other side.  The IKE and IPsec Tunnels are being established, but just can't pass any data because it will not return the one way.

I believe this is due to a NAT issue, but can't for the life of me seem to figure it out.  I have 12 other active L2L connections on our Corp Office router.  I have been working on this issue for over three days and have attempted to recreate the connection many times through both the CLI and ASDM wizard, but no luck.  I am at a loss and have tried everything I know possible.  The syslogs are all showing a successful phase 1 and 2 completion.   I'm know things should be good for nat on the CO router since all the other connections are working properly.  I have compared the remote router's config to working remote sites and they are all configured almost identically.

Does anyone know how to resolve this matter an what commands it might take?  I have attached part of the configs from both sites that are related to the VPN, ACL and NAT configs.

Remote Site (which is decrypting properly)
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set strong esp-aes-256 esp-md5-hmac
crypto map IPSECMAP 100 match address crypto
crypto map IPSECMAP 100 set peer 216.x.x.x
crypto map IPSECMAP 100 set transform-set strong
crypto map IPSECMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 4
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
tunnel-group 216.x.x.x type ipsec-l2l
tunnel-group 216.x.x.x ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1

access-list crypto extended permit ip
access-list nonat extended permit ip
access-list 101 extended permit ip
access-list MATCH extended permit ip

Corp Office (which is encrypting properly)
nat (outside) 0 access-list outside_nat0_outbound
nat (outside) 0 access-list outside_nat0_inbound outside
nat (inside) 0 access-list nonat
nat (inside) 1
nat (management) 0 access-list management_nat0_outbound

crypto map outside_map 193 match address outside_193_cryptomap
crypto map outside_map 193 set peer 72.x.x.x
crypto map outside_map 193 set transform-set strong

access-list nonat extended permit ip
access-list outside_193_cryptomap extended permit ip

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 5
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
Question by:m1010

Accepted Solution

gavving earned 500 total points
ID: 34868404
So this behavior means that traffic is flowing from the corp office to the remote office, but not back.  The access-lists for the VPN and the NAT look fine, so lets check other possible issues.

Is the network a locally attached network on the remote end, or are you routing to it through a router?  From the remote end are you able to ping a device on the network?

What does the route table look like on both ends?  Is there a static route that might be routing traffic incorrectly?  'show run route' will show us the route configurations.

Have you tried a 'clear xlate'?  Sometimes if you setup the nonat configuration after you've attempted other configurations you have to 'clear xlate' before the previous NAT configuration is cleared and the new one works.

LVL 35

Expert Comment

by:Ernie Beek
ID: 34870265
So what's the reason you put these in (at the corp office)?

nat (outside) 0 access-list outside_nat0_outbound
nat (outside) 0 access-list outside_nat0_inbound outside

Author Closing Comment

ID: 34871337

That was it... I entered "clear xlate" and everything came up properly.  This problem has been driving me crazy, as I saw all the correct ACL and NAT's being hit while successfully form the IKE and IPsec tunnels.  I'm suprised that didn't get cleared when rebooting, but everything seems to be working great now.

Thank you very much for all of your assistance.  I was at a loss of what else to try.  I sincerely appreciate all of your help and wish I could give you more than 500 points for saving my a**!

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Let’s list some of the technologies that enable smooth teleworking. 
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question