
Easy VPN server and client up, but no traffic

butler741 asked on
I have (2) 5505 ASA 8.4(3) with one static IP and one Dynamic IP per side.

I got the IPSec tunnel up using Easy VPN.

Here is the problem:

From the server side I can ping from the inside interface to the outside interface of remote.
-and-
From the remote side I can ping from the outside interface to the inside interface of the server.

Am I missing something? How am I supposed to get the traffic to pass on both sides?  
Are you supposed to PAT from the inside network to the outside interface on the remote?

Any help would be appreciated.


Here is some info:
Remote Side connects to ISP with DHCP and gets outside address of 198.243.x.x
The Remote Inside Network is: 172.16.x.x
The Server side Peer is: 50.78.x.x

This is from Remote side:   show cry ip sa peer 50.78.x.x


peer address: 50.78.x.x
    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 198.243.x.x

      access-list _vpnc_acl extended permit ip 172.16.x.x 255.255.248.0 any
      local ident (addr/mask/prot/port): (172.16.x.x/255.255.248.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 50.78.x.x, username: 50.78.x.x
      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 157, #pkts decrypt: 157, #pkts verify: 157
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 198.243.x.x/4500, remote crypto endpt.: 50.78.x.x/4500
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: EE77C431
      current inbound spi : D64C2295

    inbound esp sas:
      spi: 0xD64C2295 (3595313813)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, PFS Group 2, }
         slot: 0, conn_id: 12562432, crypto-map: _vpnc_cm
         sa timing: remaining key lifetime (sec): 8583
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xEE77C431 (4000826417)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, PFS Group 2, }
         slot: 0, conn_id: 12562432, crypto-map: _vpnc_cm
         sa timing: remaining key lifetime (sec): 8583
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 198.243.x.x

      access-list _vpnc_acl extended permit ip host 198.243.3.10 any
      local ident (addr/mask/prot/port): (198.243.x.x/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 50.78.x.x, username: 50.78.x.x
      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 53, #pkts encrypt: 53, #pkts digest: 53
      #pkts decaps: 25, #pkts decrypt: 25, #pkts verify: 25
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 53, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 198.243.x.x/4500, remote crypto endpt.: 50.78.x.x/4500
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: 8191B657
      current inbound spi : DE8675E5

    inbound esp sas:
      spi: 0xDE8675E5 (3733353957)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, PFS Group 2, }
         slot: 0, conn_id: 12562432, crypto-map: _vpnc_cm
         sa timing: remaining key lifetime (sec): 8582
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x03FFFFFF
    outbound esp sas:
      spi: 0x8191B657 (2173810263)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, PFS Group 2, }
         slot: 0, conn_id: 12562432, crypto-map: _vpnc_cm
         sa timing: remaining key lifetime (sec): 8566
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
ASKER CERTIFIED SOLUTION
butler741
