Cisco ASA VPN Query

The route shouldn't be needed; both ends of the crypto map need to inversely match contents. Try this to prevent return traffic being NAT'ed from the UK side:

UK:

no route inside 192.168.253.0 255.255.255.0 192.168.88.254 1
object network NETWORK_OBJ_192.168.253.0_24
 subnet 192.168.253.0 255.255.255.0
nat (inside,Outside) source static NETWORK_OBJ_192.168.254.0_24 NETWORK_OBJ_192.168.254.0_24 destination static NETWORK_OBJ_192.168.253.0_24 NETWORK_OBJ_192.168.253.0_24 no-proxy-arp
access-list Outside_cryptomap_2 extended permit ip 192.168.254.0 255.255.255.0 192.168.253.0 255.255.255.0

EU:

access-list crymap_4 extended permit ip 192.168.253.0 255.255.255.0 UKnet 255.255.255.0
 
Thanks Pre - made the changes but no difference, I'm afraid - the UKnet alias is an old one so I replaced it with 192.168.254.0 - everything else went in OK.

I'm looking at the UK ASA traffic monitor and can't see any traffic from 192.168.253.0 when I'm connected via VPN. Any further ideas?

Both ASAs are inherited - looks like there's a lot of old stuff in there which may be overcomplicating the setup - I'm wondering whether to get somebody in just to rewrite the configs.

I try and use the ASDM where possible - much easier for my fear of Cisco.
 
The only thing that stands out is that the UK end of the access-list isn't an inverse of the EU end (e.g. 255.255.252.0 vs 255.255.255.0), which could be causing issues with bringing up a second tunnel (try fixing this).

Ping from a VPN client to a UK IP. Run the following from the EU ASA and confirm if you see any packets encapsulated/de-encapsulated:

sh crypto ipsec sa peer ASA_UK

Do the same from the UK end with the EU address and see if an IPsec tunnel is being built for 192.168.253.0.

If so run:

packet-tracer input outside tcp 192.168.253.1 55555 192.168.254.1 3389

and check it passes.

If so, check the VPN client has a route for 192.168.254.0/24.
 
Update - It actually worked - I don't think I was patient enough - thank you Pre. I'm going to sort out the little abnormalities I've spotted.
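
The mirror-image requirement for the two crypto ACLs discussed in this thread can be checked offline. The following is an added example, not part of any post above: a small Python check that compares the `permit ip` entries from both ASAs. The alias mapping for UKnet and the mismatched 255.255.252.0 line are constructed for illustration, and only plain "network mask" selectors are handled.

```python
import ipaddress

def parse_acl(line, names=None):
    """Return (src, dst) networks from an ASA 'permit ip NET MASK NET MASK' ACE."""
    names = names or {}
    tok = line.split()
    if not tok or tok[0] != "access-list" or "permit" not in tok:
        raise ValueError(f"not a permit ACE: {line!r}")
    i = tok.index("permit")
    if len(tok) != i + 6 or tok[i + 1] != "ip":
        raise ValueError(f"unsupported ACE form: {line!r}")
    src_a, src_m, dst_a, dst_m = tok[i + 2:i + 6]

    def net(addr, mask):
        # An alias missing from `names` raises ValueError here.
        return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)

    return net(src_a, src_m), net(dst_a, dst_m)

def mirror_report(local_acl, peer_acl, names=None):
    """List every way the two crypto ACLs fail to be exact mirror images."""
    local = {parse_acl(l, names) for l in local_acl}
    peer_swapped = {(d, s) for s, d in (parse_acl(l, names) for l in peer_acl)}
    problems = []
    for s, d in sorted(local - peer_swapped, key=str):
        problems.append(f"local {s} -> {d} has no mirrored entry on the peer")
    for s, d in sorted(peer_swapped - local, key=str):
        problems.append(f"peer {d} -> {s} has no mirrored entry locally")
    return problems

# Assumption: UKnet resolves to 192.168.254.0, the value the poster substituted.
NAMES = {"UKnet": "192.168.254.0"}
UK = ["access-list Outside_cryptomap_2 extended permit ip "
      "192.168.254.0 255.255.255.0 192.168.253.0 255.255.255.0"]
EU = ["access-list crymap_4 extended permit ip "
      "192.168.253.0 255.255.255.0 UKnet 255.255.255.0"]
# Constructed mismatch: same UK entry but with a 255.255.252.0 source mask.
UK_BAD = ["access-list Outside_cryptomap_2 extended permit ip "
          "192.168.254.0 255.255.252.0 192.168.253.0 255.255.255.0"]

if __name__ == "__main__":
    print(mirror_report(UK, EU, NAMES) or "ACLs mirror each other")
    for problem in mirror_report(UK_BAD, EU, NAMES):
        print(problem)
```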
 