Posted by News Reader on April 1, 2008, 6:52 pm
Walter Roberson wrote:
>
>> Cisco ASA 8, ASDM 6.
>
>> I set up a IPSEC shared secret VPN with a customer.
>
>> The tunnel comes up fine, but I do not believe that any traffic is crossing it.
>
>> Pings fail, etc.
>
>> Looking at the log, I see the tunnel come up. Phase 1 and 2 successful.
>
>> Is there a trick to get the traffic to flow across the VPN??
>
> A common problem in such cases would be a mismatch between the
> NAT definitions and the tunnel access-list definitions. The access
> lists defined for the tunnel must be written in terms of what
> would be on the wire *after* NAT takes place (for outgoing packets)
> or before NAT takes place (for incoming packets).
>
Cisco has a document that deals with NAT Order of Operations. Might be
good to refer to it.
> Another issue is that listing traffic in a tunnel access-list
> does not automatically permit the traffic through the outside
> access group. After the traffic has been de-encapsulated, but
> before it is de-NAT'd, the interface access group 'in' is checked,
> and only traffic that passes the access-group is permitted inward.
> However, there is a command you can use that will permit this
> access-group check to be bypassed for *all* traffic that arrives
> via VPN.
If you use the following as the last ACE (Access Control Entry) in your
interface ACLs:
deny ip any any log
... and examine the resulting syslog entries, you might get a better
handle on any ACL issues that exist.
Crypto ACLs need to be exactly mirrored, without exceptions.
If you can get a sniffer on the WAN side of your device, you might very
quickly determine if you have asymmetric operation as a result of crypto
ACLs not being correctly mirrored. Some traffic that you expect to be
encrypted would not be, and it gets dropped.
>
> In PIX 6, the command was
>
> sysopt connection permit-ipsec
>
> I see that by ASA 8, it is
>
> sysopt connection permit-vpn
Best Regards,
News Reader
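As an added illustration of the "crypto ACLs must be exactly mirrored" point above (not code from the thread or from Cisco), the following hypothetical checker parses the crypto ACL from each side of a tunnel and reports every ACE whose mirror image is absent on the peer, which is the asymmetric condition that silently drops traffic. It assumes ASA-style `access-list NAME extended permit ip SRC DST` lines and constructed sample ACLs.

```python
"""Check that two Cisco crypto ACLs are exact mirrors of each other.

Hypothetical helper: every 'permit ip A B' on one side must appear as
'permit ip B A' on the other, and nothing else may be present.
"""
import re

# Matches 'any', 'host X', or 'network mask' as a single address term.
_ADDR = r"(?:any|host\s+\S+|\S+\s+\S+)"
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    rf"(?P<src>{_ADDR})\s+(?P<dst>{_ADDR})\s*$"
)

# Constructed sample: local hub-side crypto ACL.
LOCAL_ACL = """
access-list outside_cryptomap extended permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip host 10.1.5.5 192.168.2.0 255.255.255.0
"""

# Constructed sample: peer's ACL; the second ACE uses a /24 instead of the host.
PEER_ACL = """
access-list to_hq extended permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list to_hq extended permit ip 192.168.2.0 255.255.255.0 10.1.5.0 255.255.255.0
"""


def parse_crypto_acl(text):
    """Return a set of (src, dst) pairs; each is a normalized address string."""
    pairs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE (only 'permit ip' handled): {line}")
        # Collapse runs of whitespace so 'host  X' and 'host X' compare equal.
        src = " ".join(m.group("src").split())
        dst = " ".join(m.group("dst").split())
        pairs.add((src, dst))
    return pairs


def mirror_mismatches(local_text, peer_text):
    """Return (missing_on_peer, extra_on_peer) as sorted lists of (src, dst)."""
    local = parse_crypto_acl(local_text)
    peer = parse_crypto_acl(peer_text)
    expected_peer = {(dst, src) for src, dst in local}
    return sorted(expected_peer - peer), sorted(peer - expected_peer)
```

Run `mirror_mismatches(LOCAL_ACL, PEER_ACL)` to see the host ACE reported as missing on the peer and the /24 ACE reported as extra; an empty pair of lists means the two ACLs are exact mirrors.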