ASA failed to pass the local subnet to IPSec Tunnel

Kurt Lei
Level 1

Hi All,

I found the LAN subnet (10.131.1.0/24) can pass traffic via the IPSec tunnel to 10.130.8.0/24. However, the local inside subnet (10.131.3.0/24) can't pass traffic through the IPSec tunnel. I really don't have any idea on this issue, as only the ASA subnet can't pass through. Hope someone can help me check. Thanks.

LAN subnet --- Switch --- ASA 8.0 -------- (LAN-to-LAN IPSec) -------- Cisco VPN Router ------ 10.130.8.0/24

LAN Subnet: 10.131.1.0/24
ASA Inside Interface: 10.131.3.2/24

==============================================================================================================

ASA Configuration

name 10.131.0.0 Internal

access-list inside_nat0_outbound extended permit ip Internal 255.255.0.0 10.130.0.0 255.255.0.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.0.0.0 255.0.0.0

access-list outside_4_cryptomap extended permit ip Internal 255.255.0.0 10.130.0.0 255.255.0.0
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer xx.xx.xx.xx
crypto map outside_map 4 set transform-set ESP-3DES-SHA
crypto map outside_map 4 set reverse-route

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy
!
service-policy global_policy global
service-policy inside-policy interface inside


==============================================================================================================

VPN router Configuration

crypto map outside_map 13118 ipsec-isakmp
 set peer xx.xx.xx.xx
 set transform-set ESP-3DES-SHA 
 set pfs group2
 match address outside_cryptomap_13118

ip access-list extended outside_cryptomap_13118
 permit ip 10.130.1.0 0.0.0.255 10.131.0.0 0.0.255.255
 permit ip 10.130.9.0 0.0.0.255 10.131.0.0 0.0.255.255
 permit ip 10.130.193.0 0.0.0.255 10.131.0.0 0.0.255.255
 permit ip 172.16.0.0 0.15.255.255 10.131.0.0 0.0.255.255
 permit ip 10.130.8.0 0.0.0.255 10.131.0.0 0.0.255.255

======================================================================================================

Traceroute Output from ASA

ASA# traceroute 10.130.8.248

Type escape sequence to abort.
Tracing the route to 10.130.8.248

 1  210.172.221.203.static.comindico.com.au (203.221.172.210) 0 msec 10 msec 0 msec
 2  se6-7.wsr03-kent-syd.comindico.com.au (203.194.33.209) 20 msec 0 msec 0 msec
 3  75.112.220.203.unassigned.comindico.com.au (203.220.112.75) 10 msec 0 msec 0 msec
 4  75.112.220.203.unassigned.comindico.com.au (203.220.112.75) 0 msec 0 msec 0 msec
 5  syd-sot-ken-crt1-pos0-2-2-0.tpgi.com.au (202.7.162.245) 10 msec 10 msec 0 msec
 6  syd-pow-cla-crt1-ge-6-0-0.tpgi.com.au (203.29.135.34) !H  *  !H

ASA# traceroute 10.130.8.248 source 10.131.3.2

Type escape sequence to abort.
Tracing the route to 10.130.8.248

 1   *  *  *
 2   *  *  *
 3   *  *  *
 4   *  *


=========================================================================================================

Packet Tracer Output

ASA# packet-tracer input inside  icmp 10.131.3.2 8 0 10.130.8.248

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   HKES3-130       255.255.0.0     outside

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.131.3.2      255.255.255.255 identity

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed

ASA# packet-tracer in in udp 10.131.3.2 161 10.130.8.248 161

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   HKES3-130       255.255.0.0     outside

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.131.3.2      255.255.255.255 identity

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed

ASA1# packet-tracer in in udp 10.131.3.2 162 10.130.8.248 162

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   HKES3-130       255.255.0.0     outside

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.131.3.2      255.255.255.255 identity

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed
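An offline check of the policy quoted in this post, added here as an example (it is not part of the original post and not Cisco tooling): it parses the ASA's subnet-mask ACEs and the router's wildcard ACEs, evaluates a source/destination pair against the NAT exemption, the ASA crypto ACL and the router's mirrored crypto ACL, and flags a source that is the ASA's own interface address, which is the case the packet-tracer runs above show ending on the identity route with rpf-violated. The name resolution (Internal) and the inside interface address are taken from the post; the verdict wording is the example's own.

```python
import ipaddress
# Constructed from the post: 'name 10.131.0.0 Internal' and the three ACLs quoted there.
ASA_NAMES = {"Internal": "10.131.0.0"}
ASA_NAT0 = ["access-list inside_nat0_outbound extended permit ip Internal 255.255.0.0 10.130.0.0 255.255.0.0"]
ASA_CRYPTO = ["access-list outside_4_cryptomap extended permit ip Internal 255.255.0.0 10.130.0.0 255.255.0.0"]
ROUTER_CRYPTO = [
    "permit ip 10.130.1.0 0.0.0.255 10.131.0.0 0.0.255.255",
    "permit ip 10.130.9.0 0.0.0.255 10.131.0.0 0.0.255.255",
    "permit ip 10.130.193.0 0.0.0.255 10.131.0.0 0.0.255.255",
    "permit ip 172.16.0.0 0.15.255.255 10.131.0.0 0.0.255.255",
    "permit ip 10.130.8.0 0.0.0.255 10.131.0.0 0.0.255.255",
]
ASA_INTERFACE_IPS = {ipaddress.ip_address("10.131.3.2")}  # inside interface per the post

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
def parse_asa_ace(line):
    """ASA form: 'access-list NAME extended permit ip SRC MASK DST MASK' -> (src_net, dst_net)."""
    p = line.split()
    if len(p) != 9 or p[2:5] != ["extended", "permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line}")
    return _net(ASA_NAMES.get(p[5], p[5]), p[6]), _net(ASA_NAMES.get(p[7], p[7]), p[8])
def parse_ios_ace(line):
    """IOS form: 'permit ip SRC WILDCARD DST WILDCARD' -> (src_net, dst_net)."""
    p = line.split()
    if len(p) != 6 or p[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line}")
    mask = lambda wc: ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wc)))  # invert wildcard
    return _net(p[2], mask(p[3])), _net(p[4], mask(p[5]))
def _hit(aces, src, dst):
    return any(src in s and dst in d for s, d in aces)

def diagnose(src, dst):
    """Classify an inside->remote flow against the NAT exemption and both crypto ACLs."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    r = {
        "nat_exempt": _hit([parse_asa_ace(a) for a in ASA_NAT0], src, dst),
        "asa_crypto": _hit([parse_asa_ace(a) for a in ASA_CRYPTO], src, dst),
        # the router's ACL is mirrored: its source is our destination
        "router_crypto": _hit([parse_ios_ace(a) for a in ROUTER_CRYPTO], dst, src),
        "self_originated": src in ASA_INTERFACE_IPS,
    }
    if r["self_originated"]:
        r["verdict"] = "source is an ASA interface address: packet-tracer lands on the identity route (rpf-violated), test from a LAN host"
    elif not (r["nat_exempt"] and r["asa_crypto"]):
        r["verdict"] = "not selected for the tunnel on the ASA"
    elif not r["router_crypto"]:
        r["verdict"] = "ASA crypto ACL is broader than the router's: no matching proxy identity on the peer"
    else:
        r["verdict"] = "policy-matched on both peers"
    return r
```

Run against the addresses in the post, a host in 10.131.3.0/24 (other than 10.131.3.2) is policy-matched on both peers exactly like 10.131.1.0/24, which narrows the problem to the self-originated source the packet-tracer runs used; a destination such as 10.130.2.5 shows the ASA's /16 crypto ACL being broader than the router's list of /24s.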

 

 


Vibhor Amrodia
Cisco Employee

Hi,

Try a packet trace without using the interface IP of the ASA device (10.131.3.2).

Thanks and Regards,

Vibhor Amrodia
