I am working on a issue with the ASA 8.3(1).
The issue is i have VPN client users connecting to the outside interface. Once they connect they are given an ip range. Now once they connect the VPN there is another interface in the same ASA DMZ. They aren't able to access the DMZ server. I am posting the related NAT configuration , output from Packettracer and the log outputs.
nat (outside,dmz1) source static CiscoVPNClient CiscoVPNClient destination static obj-192.165.204.128 obj-192.165.204.128
#packet-tracer input outside tcp 172.31.200.18 1025 192.165.204.181 $
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xacbf9200, priority=1, domain=permit, deny=false
hits=849856029, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside in interface outside
access-list outside extended permit ip host 172.31.200.18 host 192.165.204.181
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaf9685b0, priority=13, domain=permit, deny=false
hits=18, user_data=0xa907ad00, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=172.31.200.18, mask=255.255.255.255, port=0
dst ip/id=RISTKFTP302, mask=255.255.255.255, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xacc839d0, priority=0, domain=inspect-ip-options, deny=true
hits=6090695, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 4
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xacd277f0, priority=20, domain=lu, deny=false
hits=213507, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad757fb8, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=4793766, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,dmz1) source static CiscoVPNClient CiscoVPNClient destination static obj-192.165.204.128 obj-192.165.204.128
Additional Information:
Static translate 172.31.200.18/1025 to 172.31.200.18/1025
Forward Flow based lookup yields rule:
in id=0xaf621bb8, priority=6, domain=nat, deny=false
hits=1, user_data=0xaf665db0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=172.31.200.0, mask=255.255.252.0, port=0
dst ip/id=192.165.204.128, mask=255.255.255.192, port=0, dscp=0x0
input_ifc=outside, output_ifc=dmz1
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network RISTKFTP302
nat (dmz1,outside) static RISTKFTP302
Additional Information:
Forward Flow based lookup yields rule:
out id=0xad830d50, priority=6, domain=nat-reverse, deny=false
hits=1063, user_data=0xad830630, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=RISTKFTP302, mask=255.255.255.255, port=0, dscp=0x0
input_ifc=outside, output_ifc=dmz1
Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Can anyone of you help me here please. I tried lot of combinations but still no luck.
