alt.certification.cisco Full discussion of the article: Site-to-Site VPN routing?

Article: 57200
Date: 01-04-2008
From: steveb
Subject: Site-to-Site VPN routing?
Cisco ASA 8, ASDM 6.
I set up an IPSEC shared secret VPN with a customer.
The tunnel comes up fine, but I do not believe that any traffic is crossing it.
Pings fail, etc.
Looking at the log, I see the tunnel come up. Phase 1 and 2 successful.
Is there a trick to get the traffic to flow across the VPN??
Please advise, I am at my wit's end on this one.
--
Steven
http://www.teamvie.ws
Post your questions, answers and remarks on
the FrameIP forums

Article: 57201
Date: 01-04-2008
From: Walter Roberson
Subject: Re: Site-to-Site VPN routing?
In article , steveb wrote:
>Cisco ASA 8, ASDM 6.
>I set up an IPSEC shared secret VPN with a customer.
>The tunnel comes up fine, but I do not believe that any traffic is crossing it.
>Pings fail, etc.
>Looking at the log, I see the tunnel come up. Phase 1 and 2 successful.
>Is there a trick to get the traffic to flow across the VPN??
A common problem in such cases would be a mismatch between the
NAT definitions and the tunnel access-list definitions. The access
lists defined for the tunnel must be written in terms of what
would be on the wire *after* NAT takes place (for outgoing packets)
or before NAT takes place (for incoming packets).
Another issue is that listing traffic in a tunnel access-list
does not automatically permit the traffic through the outside
access group. After the traffic has been de-encapsulated, but
before it is de-NAT'd, the interface access group 'in' is checked,
and only traffic that passes the access-group is permitted inward.
However, there is a command you can use that will permit this
access-group check to be bypassed for *all* traffic that arrives
via VPN.
In PIX 6, the command was
sysopt connection permit-ipsec
I see that by ASA 8, it is
sysopt connection permit-vpn

Article: 57202
Date: 02-04-2008
From: News Reader
Subject: Re: Site-to-Site VPN routing?
Walter Roberson wrote:
> In article , steveb wrote:
>> Cisco ASA 8, ASDM 6.
>> I set up an IPSEC shared secret VPN with a customer.
>> The tunnel comes up fine, but I do not believe that any traffic is crossing it.
>> Pings fail, etc.
>> Looking at the log, I see the tunnel come up. Phase 1 and 2 successful.
>> Is there a trick to get the traffic to flow across the VPN??
> A common problem in such cases would be a mismatch between the
> NAT definitions and the tunnel access-list definitions. The access
> lists defined for the tunnel must be written in terms of what
> would be on the wire *after* NAT takes place (for outgoing packets)
> or before NAT takes place (for incoming packets).
Cisco has a document that deals with NAT Order of Operations. Might be
good to refer to it.
> Another issue is that listing traffic in a tunnel access-list
> does not automatically permit the traffic through the outside
> access group. After the traffic has been de-encapsulated, but
> before it is de-NAT'd, the interface access group 'in' is checked,
> and only traffic that passes the access-group is permitted inward.
> However, there is a command you can use that will permit this
> access-group check to be bypassed for *all* traffic that arrives
> via VPN.
If you use the following as the last ACE (Access Control Entry) in your
interface ACLs:
deny ip any any log
... and examine the resulting syslog entries, you might get a better
handle on any ACL issues that exist.
Crypto ACLs need to be exactly mirrored, without exceptions.
If you can get a sniffer on the WAN side of your device, you might very
quickly determine if you have asymmetric operation as a result of crypto
ACLs not being correctly mirrored. Some traffic that you expect to be
encrypted, would not be, and it gets dropped.
> In PIX 6, the command was
> sysopt connection permit-ipsec
> I see that by ASA 8, it is
> sysopt connection permit-vpn
Best Regards,
News Reader
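A small checker for the "crypto ACLs need to be exactly mirrored" point above, added here as an example and not code from the thread or from Cisco: it parses `permit ip NET MASK NET MASK` entries from both ends' crypto ACLs and reports every entry that has no exact mirror on the other side, which is the asymmetry a WAN-side sniffer would show as traffic leaving unencrypted and being dropped. The two sample ACLs (names OUTSIDE_CRYPTOMAP and TO_PARTNER, and all addresses) are constructed; only the plain network/mask ACE form is handled, not `any` or `host`.

```python
import re
from ipaddress import IPv4Network

# Constructed sample crypto ACLs for the two tunnel endpoints (not from the thread).
# The second remote ACE uses a /24 mask where the local side has a /16: not a mirror.
LOCAL_ACL = """
access-list OUTSIDE_CRYPTOMAP extended permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list OUTSIDE_CRYPTOMAP extended permit ip 10.2.0.0 255.255.0.0 192.168.50.0 255.255.255.0
"""
REMOTE_ACL = """
access-list TO_PARTNER extended permit ip 192.168.50.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list TO_PARTNER extended permit ip 192.168.50.0 255.255.255.0 10.2.0.0 255.255.255.0
"""

# Matches only the "permit ip SRC SMASK DST DMASK" ACE form used in the samples.
ACE_RE = re.compile(
    r"^access-list\s+\S+\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


def _net(addr, mask):
    # ipaddress accepts a dotted netmask after the slash; strict=False tolerates host bits.
    return IPv4Network(f"{addr}/{mask}", strict=False)


def parse_crypto_acl(text):
    """Return the set of (src, dst) IPv4Network pairs found in the ACL text."""
    pairs = set()
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if m:  # lines in any other form are ignored by this simple parser
            src, smask, dst, dmask = m.groups()
            pairs.add((_net(src, smask), _net(dst, dmask)))
    return pairs


def mirror_mismatches(local_text, remote_text):
    """List ACEs on each side whose exact (dst, src) mirror is missing on the other side."""
    local = parse_crypto_acl(local_text)
    remote = parse_crypto_acl(remote_text)
    return {
        "local_only": sorted(f"{s}->{d}" for s, d in local if (d, s) not in remote),
        "remote_only": sorted(f"{s}->{d}" for s, d in remote if (d, s) not in local),
    }


if __name__ == "__main__":
    for side, entries in mirror_mismatches(LOCAL_ACL, REMOTE_ACL).items():
        print(side, entries or "OK")
```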