KB ID 0000759
Problem
The title of this article can cover a multitude of possible causes, however I recently had a strange problem where a client with a remote site protected by an ASA5505 had a VPN tunnel connected to their main site which had an ASA5510. The tunnel established at phase 1, and phase 2, the main site could talk to the remote site, but the remote site refused to talk back to the main site.
Update 23/04/19: Seen again this time, the ASA at the ‘problem end’ had a static route pointing 10.0.0.0/8 internally, but VPN traffic needed to get to 10.4.0.0/24 at the other end of the VPN tunnel, so traffic was reputed back into the LAN again and dropped.
Update 13/08/14: Seen again, this time from ASA at the problem end, I could ‘ping inside {IP at the remote site}’ and get a response, and the tunnel established. But internal clients could not send traffic over the VPN.
Solution
Usually if you can only “Establish” a tunnel from one side, and it still works, the culprit is normally that PFS has only been specified at one end of the tunnel. On both ends issue a ‘show run crypto map’ command and make sure both ends either use PFS or do not use PFS.
[box]
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 123.123.123.123
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA[/box]
However in this case there was a ‘Rogue NAT entry’ on the ASA5505, that looks like a throwback from an OS upgrade.
[box]
nat (inside,outside) source static LocalSN LocalSN destination static Site1SN Site1SN
nat (inside,outside) source static LocalSN LocalSN destination static Site2SN Site2SN
nat (inside,outside) source static LocalSN LocalSN destination static Site3SN Site3SN
nat (inside,outside) source static LocalSN LocalSN destination static Site4SN Site4SN
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static LocalSN LocalSN destination static Site5SN Site5SN
!
object network OBJ-NAT-ALL
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface [/box]
Note: The line in red should not have been there. The last three lines are all you need (Note: your object may be called obj_any).
You can see why it’s causing a problem if you do a packet-trace on some traffic, (see the two examples below).
Packet-Tracer Results (Misconfigured)
[box]
PetesASA# packet-tracer input inside icmp 192.168.2.2 8 0 192.168.1.1 Phase: 1 Type: ROUTE-LOOKUP Subtype: input Result: ALLOW Config: Additional Information: in 0.0.0.0 0.0.0.0 outside Phase: 2 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group inside_access_in in interface inside access-list inside_access_in extended permit ip any any Additional Information: Phase: 3 Type: CONN-SETTINGS Subtype: Result: ALLOW Config: class-map class-default match any policy-map global_policy class class-default set connection decrement-ttl service-policy global_policy global Additional Information: Phase: 4 Type: NAT Subtype: Result: ALLOW Config: nat (inside,outside) source dynamic any interface <Problem! Additional Information: Dynamic translate 192.168.2.2/0 to 123.123.123.123/21205 <Problem! Phase: 5 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Phase: 6 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 7 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default inspect icmp service-policy global_policy global Additional Information: Phase: 8 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: Additional Information: Phase: 9 Type: NAT Subtype: rpf-check Result: ALLOW Config: nat (inside,outside) source dynamic any interface <Problem! Additional Information: Phase: 10 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Phase: 11 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 12 Type: FLOW-CREATION Subtype: Result: ALLOW Config: Additional Information: New flow created with id 32065, packet dispatched to next module Result: input-interface: inside input-status: up input-line-status: up output-interface: outside output-status: up output-line-status: up Action: allow [/box]
Packet-Tracer Results (Configured Correctly)
[box]
PetesASA# packet-tracer input inside icmp 192.168.2.2 8 0 192.168.1.1 Phase: 1 Type: ROUTE-LOOKUP Subtype: input Result: ALLOW Config: Additional Information: in 0.0.0.0 0.0.0.0 outside Phase: 2 Type: UN-NAT Subtype: static Result: ALLOW Config: nat (inside,any) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup < That's Better! Additional Information: NAT divert to egress interface outside Untranslate 192.168.1.1/0 to 192.168.1.1/0 < That's Better! Phase: 3 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group inside_access_in in interface inside access-list inside_access_in extended permit ip any any Additional Information: Phase: 4 Type: CONN-SETTINGS Subtype: Result: ALLOW Config: class-map class-default match any policy-map global_policy class class-default set connection decrement-ttl service-policy global_policy global Additional Information: Phase: 5 Type: NAT Subtype: Result: ALLOW Config: nat (inside,any) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup < That's Better! Additional Information: Static translate 192.168.2.2/0 to 192.168.2.2/0 < That's Better! Phase: 6 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Phase: 7 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 8 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default inspect icmp service-policy global_policy global Additional Information: Phase: 9 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: Additional Information: Phase: 10 Type: VPN Subtype: encrypt Result: ALLOW Config: Additional Information: Phase: 11 Type: NAT Subtype: rpf-check Result: ALLOW Config: nat (inside,any) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup < That's Better! Additional Information: Phase: 12 Type: VPN Subtype: ipsec-tunnel-flow Result: ALLOW Config: Additional Information: Phase: 13 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Phase: 14 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 15 Type: FLOW-CREATION Subtype: Result: ALLOW Config: Additional Information: New flow created with id 33263, packet dispatched to next module Result: input-interface: inside input-status: up input-line-status: up output-interface: outside output-status: up output-line-status: up Action: allow [/box]
Related Articles, References, Credits, or External Links
Cisco ASA Site to Site VPN’s Site to Site ISAKMP VPN (Main Mode)
Original Article Written 05/02/13