06-10-2015 09:07 PM - edited 03-11-2019 11:05 PM
Hi All,
I found that the LAN subnet (10.131.1.0/24) can pass traffic via the IPSec tunnel to 10.130.8.0/24. However, the local inside subnet (10.131.3.0/24) can't pass traffic through the IPSec tunnel. I really have no idea about this issue, as only the ASA subnet can't pass through. Hope someone can help me to check. Thanks.
LAN subnet --- Switch --- ASA 8.0 -------- (LAN-to-LAN IPSec) --------Cisco VPN Router ------ 10.130.8.0/24
LAN Subnet: 10.131.1.0/24
ASA Inside Interface: 10.131.3.2/24
==============================================================================================================
ASA Configuration
name 10.131.0.0 Internal
access-list inside_nat0_outbound extended permit ip Internal 255.255.0.0 10.130.0.0 255.255.0.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.0.0.0 255.0.0.0
access-list outside_4_cryptomap extended permit ip Internal 255.255.0.0 10.130.0.0 255.255.0.0
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer xx.xx.xx.xx
crypto map outside_map 4 set transform-set ESP-3DES-SHA
crypto map outside_map 4 set reverse-route
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
policy-map inside-policy
class httptraffic
inspect http http_inspection_policy
!
service-policy global_policy global
service-policy inside-policy interface inside
==============================================================================================================
VPN router Configuration
crypto map outside_map 13118 ipsec-isakmp
set peer xx.xx.xx.xx
set transform-set ESP-3DES-SHA
set pfs group2
match address outside_cryptomap_13118
ip access-list extended outside_cryptomap_13118
permit ip 10.130.1.0 0.0.0.255 10.131.0.0 0.0.255.255
permit ip 10.130.9.0 0.0.0.255 10.131.0.0 0.0.255.255
permit ip 10.130.193.0 0.0.0.255 10.131.0.0 0.0.255.255
permit ip 172.16.0.0 0.15.255.255 10.131.0.0 0.0.255.255
permit ip 10.130.8.0 0.0.0.255 10.131.0.0 0.0.255.255
======================================================================================================
Traceroute Output from ASA
ASA# traceroute 10.130.8.248
Type escape sequence to abort.
Tracing the route to 10.130.8.248
1 210.172.221.203.static.comindico.com.au (203.221.172.210) 0 msec 10 msec 0 msec
2 se6-7.wsr03-kent-syd.comindico.com.au (203.194.33.209) 20 msec 0 msec 0 msec
3 75.112.220.203.unassigned.comindico.com.au (203.220.112.75) 10 msec 0 msec 0 msec
4 75.112.220.203.unassigned.comindico.com.au (203.220.112.75) 0 msec 0 msec 0 msec
5 syd-sot-ken-crt1-pos0-2-2-0.tpgi.com.au (202.7.162.245) 10 msec 10 msec 0 msec
6 syd-pow-cla-crt1-ge-6-0-0.tpgi.com.au (203.29.135.34) !H * !H
ASA# traceroute 10.130.8.248 source 10.131.3.2
Type escape sequence to abort.
Tracing the route to 10.130.8.248
1 * * *
2 * * *
3 * * *
4 * *
=========================================================================================================
Packet Tracer Output
ASA# packet-tracer input inside icmp 10.131.3.2 8 0 10.130.8.248
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in HKES3-130 255.255.0.0 outside
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.131.3.2 255.255.255.255 identity
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed
ASA# packet-tracer in in udp 10.131.3.2 161 10.130.8.248 161
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in HKES3-130 255.255.0.0 outside
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.131.3.2 255.255.255.255 identity
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed
ASA1# packet-tracer in in udp 10.131.3.2 162 10.130.8.248 162
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in HKES3-130 255.255.0.0 outside
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.131.3.2 255.255.255.255 identity
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed
06-11-2015 09:50 AM
Hi,
Try a packet trace without using the interface IP of the ASA device (10.131.3.2).
Thanks and Regards,
Vibhor Amrodia
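As an added illustration (not code from the thread), this Python checks a source/destination pair against the ACLs quoted in the post and flags the case the reply points at: a trace sourced from the ASA's own interface address hits the identity route and is dropped as rpf-violated before NAT or crypto are evaluated, so it says nothing about the tunnel. The ACL excerpt is copied from the post; the interface-IP set and the 192.168.x address used for a non-matching case are assumptions.

```python
import ipaddress
import re

# Excerpt of the ASA config from the post ("name" and the two ACLs).
ASA_CONFIG = """\
name 10.131.0.0 Internal
access-list inside_nat0_outbound extended permit ip Internal 255.255.0.0 10.130.0.0 255.255.0.0
access-list outside_4_cryptomap extended permit ip Internal 255.255.0.0 10.130.0.0 255.255.0.0
"""
# Assumption: the inside interface address given in the post.
ASA_INTERFACE_IPS = {"10.131.3.2"}


def parse_names(cfg):
    """Map ASA 'name <ip> <label>' lines to {label: ip}."""
    return {label: ip for ip, label in re.findall(r"^name (\S+) (\S+)$", cfg, re.M)}


def parse_acl(cfg, acl_name, names):
    """Return (src_net, dst_net) pairs for 'permit ip A mask B mask' entries."""
    pat = rf"^access-list {acl_name} extended permit ip (\S+) (\S+) (\S+) (\S+)$"
    entries = []
    for s, sm, d, dm in re.findall(pat, cfg, re.M):
        src = ipaddress.ip_network(f"{names.get(s, s)}/{sm}", strict=False)
        dst = ipaddress.ip_network(f"{names.get(d, d)}/{dm}", strict=False)
        entries.append((src, dst))
    return entries


def acl_match(entries, src_ip, dst_ip):
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d for s, d in entries)


def classify(src_ip, dst_ip):
    """Explain whether an inside->outside packet-tracer run exercises the tunnel."""
    names = parse_names(ASA_CONFIG)
    nat0 = parse_acl(ASA_CONFIG, "inside_nat0_outbound", names)
    crypto = parse_acl(ASA_CONFIG, "outside_4_cryptomap", names)
    if src_ip in ASA_INTERFACE_IPS:
        # Route lookup for the ASA's own address returns the identity
        # interface, so the trace is dropped (rpf-violated) before the
        # NAT and VPN phases run, exactly as in the post's output.
        return "interface-ip-source: rpf-violated, not a tunnel test"
    if not acl_match(nat0, src_ip, dst_ip):
        return "not in nat0 ACL: would be PAT'ed and miss the crypto ACL"
    if not acl_match(crypto, src_ip, dst_ip):
        return "not in crypto ACL: routed in clear, not encrypted"
    return "nat-exempt and crypto-matched: should traverse the tunnel"
```

Running classify() with a real host from 10.131.3.0/24 (not the interface address) is the test the reply asks for.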