11-13-2019 05:46 AM
Hi all,
First post here :) Looking for some help with a site-to-site VPN issue on a Cisco ASA 5510.
I have two subnets, 'internal' and 'VOIP', both of which need to route traffic over the VPN to the remote site.
Traffic from the internal subnet routes fine, but not from the VOIP subnet.
Both subnets have been added to access lists and have NAT exemptions both on the local and the remote ASA.
Relevant config is below...
Local ASA
Interfaces
interface Redundant2.1
 vlan 1
 nameif internal
 security-level 100
 ip address 192.168.66.1 255.255.255.0
!
interface Redundant2.10
 vlan 10
 nameif voip
 security-level 100
 ip address 172.34.10.1 255.255.255.0
!
Object Group
object-group network DM_INLINE_NETWORK_1
 network-object 172.34.10.0 255.255.255.0
 network-object 192.168.66.0 255.255.255.0
Access Lists
access-list internal_nat0_outbound_1 extended permit ip 192.168.66.0 255.255.255.0 remote-inside-network 255.255.0.0
access-list voip_nat0_outbound extended permit ip 172.34.10.0 255.255.255.0 remote-inside-network 255.255.0.0
access-list infinity_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_1 remote-inside-network 255.255.0.0
NAT
nat (internal) 0 access-list internal_nat0_outbound_1
nat (voip) 0 access-list voip_nat0_outbound
VPN
crypto map infinity_map1 2 match address infinity_cryptomap_1
crypto map infinity_map1 2 set pfs group5
crypto map infinity_map1 2 set peer remote-network
crypto map infinity_map1 2 set transform-set ESP-AES-256-SHA
crypto map infinity_map1 interface outside
Remote ASA
Interface
interface Port-channel1.1
 vlan 1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.0.0 standby 10.10.1.2
!
Object Group
object-group network gx-networks
 network-object object gx-inside-network
 network-object object gx-voip-network
Access Lists
access-list outside_cryptomap_6 extended permit ip object inside-network object-group gx-networks
NAT
nat (inside,outside) source static inside-network inside-network destination static gx-voip-network gx-voip-network no-proxy-arp route-lookup
nat (inside,outside) source static inside-network inside-network destination static gx-inside-network gx-inside-network no-proxy-arp route-lookup
VPN
crypto map outside_map 7 match address outside_cryptomap_6
crypto map outside_map 7 set pfs group5
crypto map outside_map 7 set peer remote-network
crypto map outside_map 7 set ikev1 transform-set ESP-AES-256-SHA
I'm stumped and would gratefully appreciate any advice!
11-13-2019 05:51 AM
Running a packet trace shows that the packet is dropped, however I cannot see any reason why this would be the case.
packet-tracer input voip tcp 172.34.10.20 80 10.10.10.10 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         infinity
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group voip_access_in in interface voip
access-list voip_access_in extended permit ip any any
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip voip 172.34.10.0 255.255.255.0 infinity mk-inside-network 255.255.0.0
NAT exempt
translate_hits = 2113, untranslate_hits = 0
Additional Information:
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (voip) 1 172.34.10.0 255.255.255.0
match ip voip 172.34.10.0 255.255.255.0 infinity any
dynamic translation to pool 1 (192.168.0.27 [Interface PAT])
translate_hits = 325, untranslate_hits = 9
Additional Information:
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (voip) 1 172.34.10.0 255.255.255.0
match ip voip 172.34.10.0 255.255.255.0 management any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 9
Type: ACCESS-LIST
Subtype: vpn-user
Result: DROP
Config:
Additional Information:
Result:
input-interface: voip
input-status: up
input-line-status: up
output-interface: infinity
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
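The three things worth verifying when one subnet crosses a site-to-site tunnel and another does not are whether the two crypto ACLs are exact mirrors of each other, whether every interesting-traffic pair is covered by a NAT exemption on its own side, and what source address the crypto ACL actually sees for a given flow. The script below is an added example, not configuration or code from the thread or from Cisco; it encodes the two ASAs' crypto ACLs and NAT exemptions as source/destination network pairs and runs those checks. The object names on the page are never resolved, so the subnet values for remote-inside-network/inside-network (10.10.0.0/16), gx-inside-network (192.168.66.0/24) and gx-voip-network (172.34.10.0/24) are assumptions taken from the interface addresses and ACLs shown above.

```python
"""Crypto-ACL mirror, NAT-exemption coverage and flow-selection checks for an
ASA site-to-site tunnel. Added example; network values for the named objects
are assumptions drawn from the thread's configs, not values the page defines."""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Iterable, List, Set, Tuple

Pair = Tuple[IPv4Network, IPv4Network]  # (source network, destination network)

# Assumed values for objects the thread names but does not define
REMOTE_INSIDE = "10.10.0.0/16"   # remote "inside-network"; remote inside interface is 10.10.1.1/16
GX_INSIDE = "192.168.66.0/24"    # remote object "gx-inside-network" = local 'internal' subnet
GX_VOIP = "172.34.10.0/24"       # remote object "gx-voip-network" = local 'voip' subnet


def expand(sources: Iterable[str], dests: Iterable[str]) -> Set[Pair]:
    """One (src, dst) pair per combination, which is how an ACE built from object-groups is matched."""
    return {(ip_network(s), ip_network(d)) for s in sources for d in dests}


# Local ASA: crypto ACL infinity_cryptomap_1 (DM_INLINE_NETWORK_1 -> remote inside) and the two nat 0 ACLs
LOCAL_CRYPTO = expand([GX_INSIDE, GX_VOIP], [REMOTE_INSIDE])
LOCAL_NAT_EXEMPT = expand([GX_INSIDE], [REMOTE_INSIDE]) | expand([GX_VOIP], [REMOTE_INSIDE])

# Remote ASA: crypto ACL outside_cryptomap_6 (inside-network -> gx-networks) and the two identity twice-NAT rules
REMOTE_CRYPTO = expand([REMOTE_INSIDE], [GX_INSIDE, GX_VOIP])
REMOTE_NAT_EXEMPT = expand([REMOTE_INSIDE], [GX_VOIP]) | expand([REMOTE_INSIDE], [GX_INSIDE])


def mirror(pairs: Set[Pair]) -> Set[Pair]:
    """The proxy identities the other peer must present: source and destination swapped."""
    return {(dst, src) for src, dst in pairs}


def check_mirror(local: Set[Pair], remote: Set[Pair]) -> Tuple[List[Pair], List[Pair]]:
    """Return (pairs missing on the remote, pairs the remote has that the local side lacks).
    Both lists empty means the two crypto ACLs are exact mirrors, which is what the peers negotiate on."""
    want = mirror(local)
    return sorted(want - remote), sorted(remote - want)


def uncovered_by_exemption(crypto: Set[Pair], exempt: Set[Pair]) -> List[Pair]:
    """Interesting-traffic pairs that no NAT-exemption entry fully covers.
    Traffic in such a pair can be translated before the crypto ACL is consulted."""
    return sorted(
        (src, dst) for src, dst in crypto
        if not any(src.subnet_of(esrc) and dst.subnet_of(edst) for esrc, edst in exempt)
    )


def flow_is_interesting(src_ip: str, dst_ip: str, crypto: Set[Pair]) -> bool:
    """Would the crypto ACL select this flow for the tunnel, given the source address it sees?"""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in crypto)


if __name__ == "__main__":
    print("mirror check (missing, extra):", check_mirror(LOCAL_CRYPTO, REMOTE_CRYPTO))
    print("local pairs without exemption:", uncovered_by_exemption(LOCAL_CRYPTO, LOCAL_NAT_EXEMPT))
    print("remote pairs without exemption:", uncovered_by_exemption(REMOTE_CRYPTO, REMOTE_NAT_EXEMPT))
    # The packet-tracer flow from the thread, once with its original source and once with
    # the interface-PAT address that phase 7 of the trace reports (192.168.0.27)
    print("original source selected:", flow_is_interesting("172.34.10.20", "10.10.10.10", LOCAL_CRYPTO))
    print("PATed source selected:", flow_is_interesting("192.168.0.27", "10.10.10.10", LOCAL_CRYPTO))
```

With the assumed values both crypto ACLs mirror and every pair has an exemption, so the script reports nothing missing; its value is in the last two lines, which show that the same flow is selected by the crypto ACL with its real source address and not with the translated one. Swapping in the object definitions from `show running-config object` on each box replaces the assumptions with the real values.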