ASA failed to pass the local subnet to IPSec Tunnel

Kurt Lei — Tue, 12 Mar 2019 06:05:36 GMT

Hi All,

I found the LAN subnet (10.131.1.0/24) can pass the traffic via IPSec tunnel to 10.130.8.0/24. However, The local Inside subnet (10.131.3.0/24) can't pass the traffic through IPSec tunnel. I really don't have any idea on this issue as only the ASA subnet can't pass through. Hope someone can help me to check. Thanks.

LAN subnet --- Switch --- ASA 8.0 -------- (LAN-to-LAN IPSec) --------Cisco VPN Router ------ 10.130.8.0/24

LAN Subnet: 10.131.1.0/24
ASA Inside Interface: 10.131.3.2/24

==============================================================================================================

ASA Configuration

name 10.131.0.0 Internal

access-list inside_nat0_outbound extended permit ip Internal 255.255.0.0 10.130.0.0 255.255.0.0

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 10.0.0.0 255.0.0.0

access-list outside_4_cryptomap extended permit ip Internal 255.255.0.0 10.130.0.0 255.255.0.0

crypto map outside_map 4 match address outside_4_cryptomap

crypto map outside_map 4 set pfs

crypto map outside_map 4 set peer xx.xx.xx.xx

crypto map outside_map 4 set transform-set ESP-3DES-SHA

crypto map outside_map 4 set reverse-route

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

policy-map inside-policy

class httptraffic

inspect http http_inspection_policy

service-policy global_policy global

service-policy inside-policy interface inside

==============================================================================================================

VPN router Configuration

crypto map outside_map 13118 ipsec-isakmp
set peer xx.xx.xx.xx
set transform-set ESP-3DES-SHA
set pfs group2
match address outside_cryptomap_13118

ip access-list extended outside_cryptomap_13118
permit ip 10.130.1.0 0.0.0.255 10.131.0.0 0.0.255.255
permit ip 10.130.9.0 0.0.0.255 10.131.0.0 0.0.255.255
permit ip 10.130.193.0 0.0.0.255 10.131.0.0 0.0.255.255
permit ip 172.16.0.0 0.15.255.255 10.131.0.0 0.0.255.255
permit ip 10.130.8.0 0.0.0.255 10.131.0.0 0.0.255.255

======================================================================================================

Traceroute Output from ASA

ASA# traceroute 10.130.8.248

Type escape sequence to abort.

Tracing the route to 10.130.8.248

1 210.172.221.203.static.comindico.com.au (203.221.172.210) 0 msec 10 msec 0 msec

2 se6-7.wsr03-kent-syd.comindico.com.au (203.194.33.209) 20 msec 0 msec 0 msec

3 75.112.220.203.unassigned.comindico.com.au (203.220.112.75) 10 msec 0 msec 0 msec

4 75.112.220.203.unassigned.comindico.com.au (203.220.112.75) 0 msec 0 msec 0 msec

5 syd-sot-ken-crt1-pos0-2-2-0.tpgi.com.au (202.7.162.245) 10 msec 10 msec 0 msec

6 syd-pow-cla-crt1-ge-6-0-0.tpgi.com.au (203.29.135.34) !H * !H

ASA# traceroute 10.130.8.248 source 10.131.3.2

Type escape sequence to abort.

Tracing the route to 10.130.8.248

1 * * *

2 * * *

3 * * *

4 * *

=========================================================================================================

Packet Tracer Output

ASA# packet-tracer input inside icmp 10.131.3.2 8 0 10.130.8.248

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in HKES3-130 255.255.0.0 outside

Phase: 4

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 10.131.3.2 255.255.255.255 identity

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: NP Identity Ifc

output-status: up

output-line-status: up

Action: drop

Drop-reason: (rpf-violated) Reverse-path verify failed

ASA# packet-tracer in in udp 10.131.3.2 161 10.130.8.248 161

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in HKES3-130 255.255.0.0 outside

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 10.131.3.2 255.255.255.255 identity

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: NP Identity Ifc

output-status: up

output-line-status: up

Action: drop

Drop-reason: (rpf-violated) Reverse-path verify failed

ASA1# packet-tracer in in udp 10.131.3.2 162 10.130.8.248 162

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in HKES3-130 255.255.0.0 outside

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 10.131.3.2 255.255.255.255 identity

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: NP Identity Ifc

output-status: up

output-line-status: up

Action: drop

Drop-reason: (rpf-violated) Reverse-path verify failed

Hi,Try a Packet trace without

Vibhor Amrodia — Thu, 11 Jun 2015 16:50:53 GMT

Hi,

Try a Packet trace without using the Interface IP of the ASA device (10.131.3.2).

Thanks and Regards,

Vibhor Amrodia

topic ASA failed to pass the local subnet to IPSec Tunnel in Network Security

ASA failed to pass the local subnet to IPSec Tunnel

Hi,Try a Packet trace without