Hey all,

I am trying to enable VPN access from the testing interface to the wifi interface. I get an implicit ACL drop in packet-tracer, and Deny IP spoof log messages, even though RPF is not enabled on either interface. VPN is currently working for hosts on the wifi interface, so I don't belive it's a VPN issue. Any help would be greatly appreciated.

Here's the relevant config:

! Log message about IP spoof
Feb 22 2016 11:10:01: %ASA-2-106016: Deny IP spoof from (10.1.225.51) to 172.20.16.2 on interface testing

! Wifi interface where VPN is enabled
interface GigabitEthernet1/0.121
description Wifi interface
vlan 121
nameif Wifi
security-level 0
ip address 172.20.16.2 255.255.240.0

! testing interface that needs access to VPN
interface GigabitEthernet1/1.225
vlan 225
nameif testing
security-level 50
ip address 10.1.225.1 255.255.255.0

same-security-traffic permit intra-interface
same-security-traffic permit inter-interface

! Gateway object for NAT and ACL entries
object network nWIFI_GATEWAY
subnet 172.20.16.0 255.255.240.0
description Wifi network default gateway

! Testing network for NAT and ACL entries
object network nTESTING
subnet 10.1.225.0 255.255.255.0
description Testing subnet

! NAT statements, may be redundant
nat (Wifi,testing) source static nWIFI_GATEWAY nWIFI_GATEWAY
nat (testing,Wifi) source static nTESTING nTESTING

! Wifi interface ACL
access-list acl_wifi_int extended permit ip any object nTESTING
access-list acl_wifi_int extended permit icmp any object nTESTING
access-list acl_wifi_int extended permit icmp object nTESTING any
access-list acl_wifi_int extended permit ip object nWIFI_GATEWAY object nTESTING
access-list acl_wifi_int extended permit ip object nTESTING object nWIFI_GATEWAY

! testing interface ACL
access-list testing_access_in extended permit ip any object nWIFI_GATEWAY
access-list testing_access_in extended permit icmp any any
access-list testing_access_in extended permit ip object nWIFI_GATEWAY any
access-list testing_access_in extended permit ip any any

! Packet-tracer output

packet-tracer input testing tcp 10.1.225.51 80 172.20.16.2 80 d

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x3e3c1da8, priority=13, domain=capture, deny=false
hits=11839, user_data=0x40616e38, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=testing, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x34f85da0, priority=1, domain=permit, deny=false
hits=23163, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=testing, output_ifc=any

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Wifi,testing) source static nWIFI_GATEWAY nWIFI_GATEWAY
Additional Information:
NAT divert to egress interface Wifi
Untranslate 172.20.16.2/80 to 172.20.16.2/80

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group testing_access_in in interface testing
access-list testing_access_in extended permit ip any object nWIFI_GATEWAY
Additional Information:
Forward Flow based lookup yields rule:
in id=0x4234a410, priority=13, domain=permit, deny=false
hits=558, user_data=0x1dae8780, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=172.20.16.0, mask=255.255.240.0, port=0, dscp=0x0
input_ifc=testing, output_ifc=any

Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x22b9d7c8, priority=7, domain=conn-set, deny=false
hits=869, user_data=0x225f3c38, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=testing, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x43024750, priority=0, domain=inspect-ip-options, deny=true
hits=2214, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=testing, output_ifc=any

Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2fe6df28, priority=21, domain=lu, deny=true
hits=494, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
input_ifc=testing, output_ifc=any

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (testing,Wifi) source static nTESTING nTESTING
Additional Information:
Forward Flow based lookup yields rule:
in id=0x4234a9c8, priority=6, domain=nat, deny=false
hits=688, user_data=0x2660cd00, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.1.225.0, mask=255.255.255.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=testing, output_ifc=Wifi

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Wifi,testing) source static nWIFI_GATEWAY nWIFI_GATEWAY
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2b45c9d8, priority=6, domain=nat-reverse, deny=false
hits=559, user_data=0x3e9e8ad8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=172.20.16.0, mask=255.255.240.0, port=0, dscp=0x0
input_ifc=testing, output_ifc=Wifi

Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2550f6b8, priority=0, domain=user-statistics, deny=false
hits=220372121, user_data=0x2608f798, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=any, output_ifc=Wifi

Phase: 11
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x22e143f8, priority=500, domain=permit, deny=true
hits=7969, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=172.20.16.2, mask=255.255.255.255, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=Wifi, output_ifc=any

Result:
input-interface: testing
input-status: up
input-line-status: up
output-interface: Wifi
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule