Solved

Cisco ASA to Draytek 2820 VPN connected but won't pass traffic

Posted on 2011-09-06
Last Modified: 2012-05-12
We have a Cisco ASA with an IPsec tunnel up and connected to a Draytek 2820, but we are unable to pass any traffic over the connection. We have set the ASA back to default and set up the tunnel via the wizard again; the tunnel comes up, but we still cannot pass traffic over it.

ASA Version 8.3(1)
!
hostname ciscoasa
enable password ##### encrypted
passwd ###### encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.33.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 7X.8X.1XX.1XX 255.255.240.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network SiteB
 subnet 192.168.1.0 255.255.255.0
object network SiteA
 subnet 192.168.33.0 255.255.255.0
object-group protocol IP_ICMP
 protocol-object ip
 protocol-object icmp
access-list outside_1_cryptomap extended permit ip 192.168.33.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit object-group IP_ICMP object SiteA object SiteB
access-list inside_access_in extended permit object-group IP_ICMP object SiteB object SiteA
access-list inside_access_in extended permit object-group IP_ICMP 192.168.33.0 255.255.255.0 any
access-list outside_access_in extended permit object-group IP_ICMP object SiteB object SiteA
access-list outside_access_in extended permit object-group IP_ICMP object SiteA object SiteB
pager lines 24
logging enable
logging asdm informational
mtu outside 1460
mtu inside 1460
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static SiteA SiteA destination static SiteB SiteB
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 7X.8X.1XX.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.33.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 9X.1XX.2X.1XX
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
telnet 192.168.33.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.33.5-192.168.33.254 inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 9X.1XX.2X.1XX type ipsec-l2l
tunnel-group 9X.1XX.2X.1XX ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context

Question by:greg_voller

Expert Comment

by:Ernie Beek
ID: 36489329
Anything showing in the logs?

Author Comment

by:greg_voller
ID: 36489411
Not that we can see. Below is the output of "sh crypto ipsec sa"

sh crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 7X.8X.1XX.1XX

      access-list outside_1_cryptomap extended permit ip 192.168.33.0 255.255.255.0 192.168.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.33.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 9X.1XX.2X.1XX

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 44, #pkts decrypt: 44, #pkts verify: 44
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 7X.8X.1XX.1XX/0, remote crypto endpt.: 9X.1XX.2X.1XX/0
      path mtu 1440, ipsec overhead 58, media mtu 1500
      current outbound spi: C964B2A6
      current inbound spi : 1460B370

    inbound esp sas:
      spi: 0x1460B370 (341881712)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 28672, crypto-map: outside_map
         sa timing: remaining key lifetime (sec): 2863
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00001FFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xC964B2A6 (3378819750)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 28672, crypto-map: outside_map
         sa timing: remaining key lifetime (sec): 2863
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001


Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 36489602
Could you try and remove: nat (inside,outside) source dynamic any interface

Author Closing Comment

by:greg_voller
ID: 36489799
Hi Erniebeek

After reordering the NAT rule so that the VPN NAT rule came first the traffic flowed.

Thank you very much
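A worked model of the NAT-ordering problem behind this thread, added here as an illustration; it is not code from the asker, from Ernie Beek, or from Cisco. The posted "sh crypto ipsec sa" counters (#pkts decaps: 44, #pkts encaps: 0) show the ASA decrypting packets that arrive from the Draytek but never encrypting anything outbound, which is exactly what happens when outbound LAN-to-LAN packets are translated before the crypto map looks at them: the post-NAT source is the outside interface address, it no longer matches access-list outside_1_cryptomap, and the packet goes out in the clear instead of into the tunnel. On ASA 8.3 manual NAT (section 1) is first-match in configured order, so "nat (inside,outside) source dynamic any interface" sitting above the SiteA/SiteB identity rule shadows it. The model below replays the posted rule set, the asker's reordered set, and the accepted answer's "remove the dynamic rule" variant; the host addresses and the outside interface address are constructed stand-ins, since the post masks the real ones.

```python
"""Model of how a Cisco ASA 8.3 picks a NAT rule for an outbound packet and then
checks the (post-NAT) packet against the crypto-map ACL.

Added illustration for this thread; not code from the asker, the answerer, or
Cisco. The NAT rules and the crypto ACL are transcribed from the posted config;
the host addresses and the outside interface address are constructed stand-ins
(the real ones are masked in the post).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NatRule:
    text: str        # the config line this rule represents
    src_real: str    # real source network the rule applies to
    dst_real: str    # real destination network the rule applies to
    dynamic: bool    # True = PAT to the outside interface; False = identity (no change)


def first_match(rules, src, dst):
    """Manual NAT (section 1) is first-match in configured order; the section-2
    object NAT rule is only reached if nothing in section 1 matched. Both sections
    are modelled as one ordered list, which is exact for a single-rule section 2."""
    for rule in rules:
        if (ip_address(src) in ip_network(rule.src_real)
                and ip_address(dst) in ip_network(rule.dst_real)):
            return rule
    return None


def translate(rules, src, dst, outside_ip):
    """Return the (source, destination) the packet carries when it leaves."""
    rule = first_match(rules, src, dst)
    if rule is None or not rule.dynamic:
        return src, dst            # identity NAT or no rule: real addresses kept
    return outside_ip, dst         # dynamic PAT: source rewritten to the interface IP


# access-list outside_1_cryptomap extended permit ip 192.168.33.0/24 192.168.1.0/24
CRYPTO_ACL_SRC = ip_network("192.168.33.0/24")
CRYPTO_ACL_DST = ip_network("192.168.1.0/24")


def will_be_encrypted(rules, src, dst, outside_ip):
    """NAT runs before the crypto map inspects the packet, so the crypto ACL is
    evaluated against the translated addresses, not the real ones."""
    xsrc, xdst = translate(rules, src, dst, outside_ip)
    return ip_address(xsrc) in CRYPTO_ACL_SRC and ip_address(xdst) in CRYPTO_ACL_DST


# Rules as they appear in the posted config (section 1 first, then section 2).
DYNAMIC_ANY = NatRule("nat (inside,outside) source dynamic any interface",
                      "0.0.0.0/0", "0.0.0.0/0", dynamic=True)
VPN_IDENTITY = NatRule("nat (inside,outside) source static SiteA SiteA "
                       "destination static SiteB SiteB",
                       "192.168.33.0/24", "192.168.1.0/24", dynamic=False)
OBJ_ANY = NatRule("object network obj_any / nat (inside,outside) dynamic interface",
                  "0.0.0.0/0", "0.0.0.0/0", dynamic=True)

AS_POSTED = [DYNAMIC_ANY, VPN_IDENTITY, OBJ_ANY]   # dynamic-any shadows the identity rule
REORDERED = [VPN_IDENTITY, DYNAMIC_ANY, OBJ_ANY]   # what the asker ended up with
DYNAMIC_REMOVED = [VPN_IDENTITY, OBJ_ANY]          # the accepted answer's suggestion

OUTSIDE_IP = "198.51.100.10"   # constructed; the post masks the real outside address
LAN_HOST, REMOTE_HOST, INTERNET_HOST = "192.168.33.20", "192.168.1.20", "203.0.113.5"


def summary(rules):
    """Which rule a SiteA->SiteB packet hits, and whether it ends up in the tunnel."""
    hit = first_match(rules, LAN_HOST, REMOTE_HOST)
    return hit.text, will_be_encrypted(rules, LAN_HOST, REMOTE_HOST, OUTSIDE_IP)


if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("reordered", REORDERED),
                         ("dynamic rule removed", DYNAMIC_REMOVED)):
        print(f"{label:>20}: {summary(rules)}")
    # Internet-bound traffic is still PAT'd to the outside address in every variant.
    print(translate(REORDERED, LAN_HOST, INTERNET_HOST, OUTSIDE_IP))
```

Both fixes leave the LAN-to-LAN packets untranslated while Internet-bound traffic is still PAT'd by the obj_any rule. On the real box, "show nat" displays the section-1 rules in the order they are evaluated, and a manual NAT line can be placed explicitly at the top with a line number, e.g. "nat (inside,outside) 1 source static SiteA SiteA destination static SiteB SiteB"; "packet-tracer input inside icmp 192.168.33.20 8 0 192.168.1.20" (host addresses constructed here) shows which NAT rule a test packet hits and whether the VPN phase is reached, which is a quicker check than waiting for the encaps counter to move.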

Expert Comment

by:Ernie Beek
ID: 36489935
Glad I could help :)
Thx for the points.