02-01-2016 02:10 PM - edited 03-12-2019 12:13 AM
I have an EZVPN running between two locations. Location A has a 5520 and is the EZVPN server; Location B has a 5506 and is an EZVPN client. Currently I'm trying to set up NAT and ACL(s) so that hosts on the Location B inside network can access a few servers in Location A's DMZ. Below are my packet traces from both locations. Attached are sanitized configs from both locations.
LocationA-Firewall# packet-tracer input dmz tcp <DMZ servers IP> 443 <Location B inside ip> 443
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in <Location B inside ip> 255.255.255.0 outside
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (dmz,outside) source static DMZ_Servers DMZ_Servers destination static (location B)-remote_network (location B)-remote_network no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate <Location B inside ip>/443 to <Location B inside ip>/443
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
==========================================================
LocationB-Firewall# packet-tracer input inside tcp <Location B inside ip> 443 <Location A DMZ server ip> 443
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop <internet next hop> using egress ifc outside
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static Location_B_Networks Location_B_Networks destination static Remote_DMZ Remote_DMZ no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate <Location A DMZ server ip>/443 to <Location A DMZ server ip>/443
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OWL_inside in interface inside
access-list OWL_inside extended permit ip any4 any4
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static Location_B_Networks Location_B_Networks destination static Remote_DMZ Remote_DMZ no-proxy-arp route-lookup
Additional Information:
Static translate <Location B inside ip>/443 to <Location B inside ip>/443
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: ACCESS-LIST
Subtype: aaa-user
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static Location_B_Networks Location_B_Networks destination static Remote_DMZ Remote_DMZ no-proxy-arp route-lookup
Additional Information:
Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 568767, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Any help is appreciated.
02-01-2016 05:35 PM
Hi Adam,
Is there any ACL applied on the DMZ? You should allow the source and destination traffic on it. Also, if the DMZ and outside interfaces have the same security level, you should add the command "same-security-traffic permit inter-interface".
An ASP capture might provide more information about this drop as well.
Hope it helps
-Randy-
02-02-2016 05:59 AM
Randy, there is an ACL applied to that interface, "dmz_access_in", and I have the following line inserted at the top:
access-list dmz_access_in extended permit tcp object (location B)-remote_network object-group DMZ_Servers eq https
But this didn't solve the issue or even change the results of my packet trace.
02-02-2016 10:36 AM
Hi Adam,
Can you please run a detailed packet-tracer, for example:
packet-tracer input dmz tcp <DMZ servers IP> 443 <Location B inside ip> 443 detailed
Also, can you please attach a sanitized configuration with the ACL configs?
Cheers,
-Randy-
02-02-2016 10:58 AM
Here are the packet-tracer results:
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in <Location B inside ip> 255.255.255.0 outside
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (dmz,outside) source static DMZ_Servers DMZ_Servers destination static (location B)-remote_network (location B)-remote_network no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate <Location B inside ip>/443 to <Location B inside ip>/443
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x73cb5f60, priority=11, domain=permit, deny=true
hits=343658, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=dmz, output_ifc=any
Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
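The detailed trace above ends in an implicit deny whose ASP rule dump carries the two facts a troubleshooter needs: the rule fired on input_ifc=dmz with deny=true, so no configured ACE on that interface matched this flow. The following Python script is an added example, not part of the thread and not Cisco code; it parses packet-tracer output into phases, finds the first DROP phase, and pulls the interface and deny flag out of the detailed rule dump so the same check can be run mechanically over many traces. The embedded sample is constructed from the trace in this post with the <placeholder> addresses replaced by RFC 5737 documentation addresses and the summary block shortened.

```python
import re
from dataclasses import dataclass, field

# Constructed sample (not the thread's literal text): the detailed trace from
# the thread with placeholder addresses swapped for RFC 5737 documentation IPs.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.0.2.0 255.255.255.0 outside
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (dmz,outside) source static DMZ_Servers DMZ_Servers destination static LocB-remote_network LocB-remote_network no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.0.2.10/443 to 192.0.2.10/443
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x73cb5f60, priority=11, domain=permit, deny=true
input_ifc=dmz, output_ifc=any
Result:
input-interface: dmz
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)
    info: list = field(default_factory=list)

def parse_trace(text):
    """Split packet-tracer output into its phases and the trailing summary."""
    phases, summary, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if section == "summary":          # "input-interface: dmz", "Action: drop", ...
            key, _, val = line.partition(":")
            summary[key.strip()] = val.strip()
        elif line.startswith("Phase:"):
            cur = Phase(number=int(line.split(":", 1)[1]))
            phases.append(cur)
            section = "header"
        elif cur is None:
            continue                      # prompt/banner text before the first phase
        elif section == "info" and line == "Result:":
            section = "summary"           # a bare "Result:" closes the last phase
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "header":         # Type / Subtype / Result of this phase
            key, _, val = line.partition(":")
            if key.strip().lower() in ("type", "subtype", "result"):
                setattr(cur, key.strip().lower(), val.strip())
        elif section == "config":
            cur.config.append(line)
        elif section == "info":
            cur.info.append(line)
    return phases, summary

ASP_FIELD = re.compile(r"(\w+)=([^,\s]+)")
def asp_rule_fields(phase):
    """Flatten key=value pairs of a 'detailed' ASP rule dump; first value wins."""
    fields = {}
    for line in phase.info:
        for key, val in ASP_FIELD.findall(line):
            fields.setdefault(key, val)
    return fields

def summarize(text):
    """Return the verdict and, for a drop, which phase/rule/interface produced it."""
    phases, summary = parse_trace(text)
    drop = next((p for p in phases if p.result.upper() == "DROP"), None)
    if drop is None:
        return {"verdict": "allow", "phases": len(phases)}
    rule = asp_rule_fields(drop)
    return {
        "verdict": "drop",
        "phase": drop.number,
        "config": " ".join(drop.config),
        # implicit deny: no configured ACE on the input interface matched the flow
        "implicit_deny": drop.config == ["Implicit Rule"] and rule.get("deny") == "true",
        "input_ifc": rule.get("input_ifc"),
        "drop_reason": summary.get("Drop-reason", ""),
    }
```

Running `summarize(SAMPLE_TRACE)` reports a drop in phase 3 with `implicit_deny` set and `input_ifc` equal to `dmz`; a trace whose added ACE actually matched would instead show that ACE's `access-list` line under the ACCESS-LIST phase's Config and no DROP phase at all, which is the quickest way to confirm whether a newly inserted permit line is being evaluated for the direction and interface you traced.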