butler741
asked on
Easy VPN server and client up, but no traffic
I have (2) 5505 ASA 8.4(3) with one static IP and one Dynamic IP per side.
I got the IPSec tunnel up using Easy VPN.
Here is the problem:
From the server side I can ping from the inside interface to the outside interface of remote.
-and-
From the remote side I can ping from the outside interface to the inside interface of the server.
Am I missing something? How am I supposed to get the traffic to pass on both sides?
Are you supposed to PAT from the inside network to the outside interface on the remote?
Any help would be appreciated.
Here is some info:
Remote Side connects to ISP with DHCP and gets outside address of 198.243.x.x
The Remote Inside Network is: 172.16.x.x
The Server side Peer is: 50.78.x.x
This is from Remote side: show cry ip sa peer 50.78.x.x
peer address: 50.78.x.x
Crypto map tag: _vpnc_cm, seq num: 10, local addr: 198.243.x.x
access-list _vpnc_acl extended permit ip 172.16.x.x 255.255.248.0 any
local ident (addr/mask/prot/port): (172.16.x.x/255.255.248.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: 50.78.x.x, username: 50.78.x.x
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 157, #pkts decrypt: 157, #pkts verify: 157
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 198.243.x.x/4500, remote crypto endpt.: 50.78.x.x/4500
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: EE77C431
current inbound spi : D64C2295
inbound esp sas:
spi: 0xD64C2295 (3595313813)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, PFS Group 2, }
slot: 0, conn_id: 12562432, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 8583
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xEE77C431 (4000826417)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, PFS Group 2, }
slot: 0, conn_id: 12562432, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 8583
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: _vpnc_cm, seq num: 10, local addr: 198.243.x.x
access-list _vpnc_acl extended permit ip host 198.243.3.10 any
local ident (addr/mask/prot/port): (198.243.x.x/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: 50.78.x.x, username: 50.78.x.x
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 53, #pkts encrypt: 53, #pkts digest: 53
#pkts decaps: 25, #pkts decrypt: 25, #pkts verify: 25
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 53, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 198.243.x.x/4500, remote crypto endpt.: 50.78.x.x/4500
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 8191B657
current inbound spi : DE8675E5
inbound esp sas:
spi: 0xDE8675E5 (3733353957)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, PFS Group 2, }
slot: 0, conn_id: 12562432, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 8582
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x03FFFFFF
outbound esp sas:
spi: 0x8191B657 (2173810263)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, PFS Group 2, }
slot: 0, conn_id: 12562432, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 8566
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001