[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

Cisco ASA IPsec VPN Encrypt/Decrypts Only Happening on one side

Posted on 2011-02-10
3
Medium Priority
?
4,572 Views
Last Modified: 2012-05-11
I have an issue where packet encrypt/decrypt is only happening on one side.  When I view the "sh ipsec sa" command, I only see encryption(corp) on one side and decryption(remote site) on the other side.  There is nothing happening on the other side.  The IKE and IPsec Tunnels are being established, but just can't pass any data because it will not return the one way.

I believe this is due to a NAT issue, but can't for the life of me seem to figure it out.  I have 12 other active L2L connections on our Corp Office router.  I have been working on this issue for over three days and have attempted to recreate the connection many times through both the CLI and ASDM wizard, but no luck.  I am at a loss and have tried everything I know possible.  The syslogs are all showing a successful phase 1 and 2 completion.   I'm know things should be good for nat on the CO router since all the other connections are working properly.  I have compared the remote router's config to working remote sites and they are all configured almost identically.

Does anyone know how to resolve this matter an what commands it might take?  I have attached part of the configs from both sites that are related to the VPN, ACL and NAT configs.

Remote Site (which is decrypting properly)
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set strong esp-aes-256 esp-md5-hmac
crypto map IPSECMAP 100 match address crypto
crypto map IPSECMAP 100 set peer 216.x.x.x
crypto map IPSECMAP 100 set transform-set strong
crypto map IPSECMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 4
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
tunnel-group 216.x.x.x type ipsec-l2l
tunnel-group 216.x.x.x ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0

access-list crypto extended permit ip 10.1.8.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.8.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 extended permit ip 10.1.8.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list MATCH extended permit ip 10.1.8.0 255.255.255.0 192.168.1.0 255.255.255.0


Corp Office (which is encrypting properly)
nat (outside) 0 access-list outside_nat0_outbound
nat (outside) 0 access-list outside_nat0_inbound outside
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (management) 0 access-list management_nat0_outbound

crypto map outside_map 193 match address outside_193_cryptomap
crypto map outside_map 193 set peer 72.x.x.x
crypto map outside_map 193 set transform-set strong


access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.1.8.0 255.255.255.0
access-list outside_193_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.1.8.0 255.255.255.0

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 5
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
0
Comment
Question by:m1010
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 9

Accepted Solution

by:
gavving earned 2000 total points
ID: 34868404
So this behavior means that traffic is flowing from the corp office to the remote office, but not back.  The access-lists for the VPN and the NAT look fine, so lets check other possible issues.

Is the 10.1.8.0/24 network a locally attached network on the remote end, or are you routing to it through a router?  From the remote end are you able to ping a device on the 10.1.8.0/24 network?

What does the route table look like on both ends?  Is there a static route that might be routing traffic incorrectly?  'show run route' will show us the route configurations.

Have you tried a 'clear xlate'?  Sometimes if you setup the nonat configuration after you've attempted other configurations you have to 'clear xlate' before the previous NAT configuration is cleared and the new one works.

0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34870265
So what's the reason you put these in (at the corp office)?

nat (outside) 0 access-list outside_nat0_outbound
nat (outside) 0 access-list outside_nat0_inbound outside
0
 

Author Closing Comment

by:m1010
ID: 34871337
Gavving,

That was it... I entered "clear xlate" and everything came up properly.  This problem has been driving me crazy, as I saw all the correct ACL and NAT's being hit while successfully form the IKE and IPsec tunnels.  I'm suprised that didn't get cleared when rebooting, but everything seems to be working great now.

Thank you very much for all of your assistance.  I was at a loss of what else to try.  I sincerely appreciate all of your help and wish I could give you more than 500 points for saving my a**!
0

Featured Post

Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
This article explains the fundamentals of industrial networking which ultimately is the backbone network which is providing communications for process devices like robots and other not so interesting stuff.
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question