alt.certification.cisco Viewing article: Re: Site-to-Site VPN routing?
Date: April 1, 2008
From: Walter Roberson
Subject: Re: Site-to-Site VPN routing?
In article , steveb wrote:
>Cisco ASA 8, ASDM 6.
>I set up an IPSEC shared-secret VPN with a customer.
>The tunnel comes up fine, but I do not believe that any traffic is crossing it.
>Pings fail, etc.
>Looking at the log, I see the tunnel come up. Phase 1 and 2 successful.
>Is there a trick to get the traffic to flow across the VPN??
A common problem in such cases would be a mismatch between the
NAT definitions and the tunnel access-list definitions. The access
lists defined for the tunnel must be written in terms of what
would be on the wire *after* NAT takes place (for outgoing packets)
or before NAT takes place (for incoming packets).
Another issue is that listing traffic in a tunnel access-list
does not automatically permit the traffic through the outside
access group. After the traffic has been de-encapsulated, but
before it is de-NAT'd, the interface access group 'in' is checked,
and only traffic that passes the access-group is permitted inward.
However, there is a command you can use that will permit this
access-group check to be bypassed for *all* traffic that arrives
via VPN.
In PIX 6, the command was
sysopt connection permit-ipsec
I see that by ASA 8, it is
sysopt connection permit-vpn
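To make the two pitfalls in this reply checkable, here is an added Python script (not from the thread and not a Cisco tool) that parses a constructed ASA 8.0-style config, verifies that every crypto-map ACL entry is covered by a `nat 0` exemption, and confirms `sysopt connection permit-vpn` is present. It assumes the usual design in which tunnel traffic is not translated, so the crypto ACL and the NAT-exempt ACL must agree; the ACL names and networks are made up.

```python
"""Added check for the two pitfalls in the reply: crypto-ACL traffic that is not
NAT-exempt, and a missing 'sysopt connection permit-vpn'. Sample config is constructed."""
import re
from ipaddress import ip_network

SAMPLE_CONFIG = """\
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.1.2.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map outside_map 10 match address outside_cryptomap
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")

def parse_acls(config):
    """Map ACL name -> [(src_net, dst_net)] for 'permit ip SRC MASK DST MASK' lines."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ip_network(f"{src}/{smask}"), ip_network(f"{dst}/{dmask}")))
    return acls

def find_vpn_problems(config):
    """Return a list of findings; an empty list means both checks passed."""
    acls = parse_acls(config)
    crypto_acls = re.findall(r"^crypto map \S+ \d+ match address (\S+)$", config, re.M)
    exempt_acls = re.findall(r"^nat \(\S+\) 0 access-list (\S+)$", config, re.M)
    exempt = [entry for name in exempt_acls for entry in acls.get(name, [])]
    findings = []
    for name in crypto_acls:
        for src, dst in acls.get(name, []):
            # The crypto ACL is matched on post-NAT addresses, so an inside
            # network listed here must be exempt from translation.
            if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
                findings.append(f"{name}: {src} -> {dst} is not NAT-exempt, so it "
                                "will be translated before the crypto ACL is matched")
    if not re.search(r"^sysopt connection permit-vpn$", config, re.M):
        findings.append("missing 'sysopt connection permit-vpn': decrypted traffic "
                        "is still subject to the outside interface access-group")
    return findings

if __name__ == "__main__":
    for finding in find_vpn_problems(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, it reports the second crypto ACL entry (10.1.2.0/24 has no matching `nonat` line) and the missing sysopt; adding both lines clears the findings.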