Cisco ASA 5500 – VPN Works in One Direction

KB ID 0000759 Dtd 13/08/14

Problem

The title of this article could cover a multitude of possible causes, but I recently hit a strange one. A client had a remote site protected by an ASA 5505 with a site to site VPN tunnel to their main site, which was behind an ASA 5510. The tunnel established at phase 1 and phase 2, and the main site could talk to the remote site, but the remote site could not talk back to the main site.

Update 13/08/14: Seen again. This time, from the ASA at the problem end, I could ‘ping inside {IP at the remote site}’ and get a response, and the tunnel established, but internal clients could not send traffic over the VPN. That combination is itself a clue: traffic the ASA originates is not put through the NAT table, so an ASA-sourced ping can match the crypto ACL and go down the tunnel while the clients’ through-the-box traffic is being translated and sent somewhere else.

Solution

Usually, if a tunnel will only establish when initiated from one side, yet passes traffic in both directions once it is up, the culprit is a PFS mismatch: Perfect Forward Secrecy has been specified in the crypto map at one end but not the other, so only the end that proposes PFS can bring phase 2 up. On both ends issue a ‘show run crypto map’ command and make sure both either set PFS (with the same Diffie-Hellman group) or do not set PFS at all.

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 123.123.123.123
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA

However, in this case the tunnel was fine at both ends; the cause was a ‘rogue’ NAT entry on the ASA 5505 that looks like a throwback from an OS upgrade.

nat (inside,outside) source static LocalSN LocalSN destination static Site1SN Site1SN
nat (inside,outside) source static LocalSN LocalSN destination static Site2SN Site2SN
nat (inside,outside) source static LocalSN LocalSN destination static Site3SN Site3SN
nat (inside,outside) source static LocalSN LocalSN destination static Site4SN Site4SN
nat (inside,outside) source dynamic any interface   <Problem! (the rogue entry, highlighted in red in the original)
nat (inside,outside) source static LocalSN LocalSN destination static Site5SN Site5SN
!
object network OBJ-NAT-ALL
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface


Note: The line in red, ‘nat (inside,outside) source dynamic any interface’, should not have been there. The last three lines (the object NAT for OBJ-NAT-ALL) are all you need for the dynamic PAT to the internet (your object may be called obj_any). The reason it breaks the VPN is ordering: manual NAT rules in section 1 are evaluated top-down and the first match wins, so a catch-all dynamic rule sitting above the identity (NAT-exempt) rule for a VPN peer’s subnet grabs that traffic first. The packets are PAT’d to the outside interface address, no longer match the crypto ACL, and leave towards the internet in the clear instead of going into the tunnel. The identity rules for Site1SN to Site4SN still work because they are above the rogue line.
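To make that ordering rule concrete, here is an added Python example (my own, not code from the article or from Cisco) that parses a section-1 manual NAT listing and flags any catch-all dynamic rule that sits above a VPN identity rule on the same interface pair. The sample rules are the ones quoted above; the regular expression, the NatRule class and the helper names are assumptions for illustration and only understand the ‘nat (src,dst) source …’ syntax, deliberately ignoring object NAT, which lives in section 2 and is evaluated after section 1.

```python
"""
Added example (not from the original article): audit an ASA manual-NAT
section for a catch-all dynamic rule that shadows VPN identity-NAT rules.

ASA manual (twice) NAT rules in section 1 are evaluated top-down and the
first match wins, so 'nat (inside,outside) source dynamic any interface'
placed above an identity rule for a VPN peer's subnet hijacks that
traffic: it is PAT'd to the outside address, no longer matches the crypto
ACL, and leaves in the clear instead of through the tunnel.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the section-1 rules from the article, in config order.
# Object NAT such as 'nat (inside,outside) dynamic interface' under an
# 'object network' block is section 2, evaluated after section 1, and is
# deliberately not matched by the parser below.
SAMPLE_NAT_CONFIG = """\
nat (inside,outside) source static LocalSN LocalSN destination static Site1SN Site1SN
nat (inside,outside) source static LocalSN LocalSN destination static Site2SN Site2SN
nat (inside,outside) source static LocalSN LocalSN destination static Site3SN Site3SN
nat (inside,outside) source static LocalSN LocalSN destination static Site4SN Site4SN
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static LocalSN LocalSN destination static Site5SN Site5SN
"""

# Matches the start of a manual NAT rule (assumed/simplified grammar);
# trailing options such as 'no-proxy-arp route-lookup' may follow.
RULE_RE = re.compile(
    r"^nat \((?P<src_if>[^,]+),(?P<dst_if>[^)]+)\) source "
    r"(?P<kind>static|dynamic) (?P<real>\S+) (?P<mapped>\S+)"
    r"(?: destination static (?P<dreal>\S+) (?P<dmapped>\S+))?"
)


@dataclass
class NatRule:
    line_no: int
    text: str
    src_if: str
    dst_if: str
    kind: str
    real: str
    mapped: str
    dreal: Optional[str]
    dmapped: Optional[str]

    def is_identity(self) -> bool:
        """'X X destination static Y Y': the NAT-exempt form used for VPN traffic."""
        return (self.kind == "static" and self.real == self.mapped
                and self.dreal is not None and self.dreal == self.dmapped)

    def is_catch_all_dynamic(self) -> bool:
        """'source dynamic any <pool>' with no destination clause matches every flow."""
        return self.kind == "dynamic" and self.real == "any" and self.dreal is None


def parse_nat_rules(config: str) -> List[NatRule]:
    """Return the section-1 rules in the order the ASA evaluates them."""
    rules = []
    for n, raw in enumerate(config.splitlines(), start=1):
        m = RULE_RE.match(raw.strip())
        if m:
            rules.append(NatRule(line_no=n, text=raw.strip(), **m.groupdict()))
    return rules


def _same_interface_pair(a: NatRule, b: NatRule) -> bool:
    # 'nat (inside,any) ...' overlaps a rule with a concrete mapped interface.
    return a.src_if == b.src_if and (a.dst_if == b.dst_if or "any" in (a.dst_if, b.dst_if))


def find_shadowed_identity_rules(rules: List[NatRule]) -> List[Tuple[NatRule, NatRule]]:
    """Return (catch_all_rule, shadowed_identity_rule) pairs, in config order."""
    findings = []
    for i, rule in enumerate(rules):
        if not rule.is_catch_all_dynamic():
            continue
        for later in rules[i + 1:]:
            if later.is_identity() and _same_interface_pair(rule, later):
                findings.append((rule, later))
    return findings


def audit(config: str) -> List[str]:
    """Human-readable findings, one per shadowed identity rule."""
    return [
        f"line {bad.line_no} '{bad.text}' shadows identity rule at line "
        f"{victim.line_no} ({victim.real} -> {victim.dreal}); remove it with "
        f"'no {bad.text}'"
        for bad, victim in find_shadowed_identity_rules(parse_nat_rules(config))
    ]


if __name__ == "__main__":
    for finding in audit(SAMPLE_NAT_CONFIG):
        print(finding)
```

On the firewall itself the equivalent check is ‘show nat’, which lists the rules by section in evaluation order with their translate_hits, so a catch-all rule that is racking up hits for VPN-bound traffic stands out; the fix is to remove the rule with its ‘no’ form and then ‘clear xlate’ so the translations it already built are torn down.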

You can see why it’s causing a problem if you run packet-tracer on some traffic (see the two examples below). In the misconfigured trace the packet is dynamically translated to the outside address at the NAT phase and there is no VPN encrypt phase at all; the traffic is leaving towards the internet rather than into the tunnel, even though the result says ‘allow’.

Packet-Tracer Results (Misconfigured)

PetesASA# packet-tracer input inside icmp 192.168.2.2 8 0 192.168.1.1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface   <Problem!
Additional Information:
Dynamic translate 192.168.2.2/0 to 123.123.123.123/21205   <Problem!

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface   <Problem!
Additional Information:

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 32065, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Packet-Tracer Results (Configured Correctly)

PetesASA# packet-tracer input inside icmp 192.168.2.2 8 0 192.168.1.1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,any) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup   < That’s Better!
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.1.1/0 to 192.168.1.1/0   < That’s Better!

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,any) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup   < That’s Better!
Additional Information:
Static translate 192.168.2.2/0 to 192.168.2.2/0   < That’s Better!

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,any) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup   < That’s Better!
Additional Information:

Phase: 12
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 15
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 33263, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Related Articles, References, Credits, or External Links

Cisco ASA Site to Site VPN’s
Site to Site ISAKMP VPN (Main Mode)

Original Article Written 05/02/13


Author: Migrated
