I am not so familiar with 8.6 code and I am trying to give an outside host access to another host in the DMZ. I have a NAT set for the host in the DMZ, and in the ACL on the outside interface I have used the local IP (192.168.x.x). I have defined my services (isakmp, esp, gre, ipsec).
When I do a "show local-host 192.168.x.x", I can see that there is an isakmp connection established:
local host: <192.16x.2x.22>,
TCP flow count/limit = 0/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 2/unlimited
UDP outside 2x.2xx.x24.19x:500 dmz 192.16x.2x.22:500, idle 0:00:01, bytes 488, flags -
UDP outside 20x.9x.2xx.132:500 dmz 192.16X.2X.22:500, idle 0:00:00, bytes 1152, flags -
But the administrator on the other end keeps telling me the tunnel is up! Packet-tracer also shows the packet drop after passing the NAT. But the output above shows an isakmp connection on port 500. I also tried to test the port by telnet to the IP followed by the port number (192.16x.2x.22 500) with no luck.
Here is the packet-tracer information as well...
in 220.127.116.11 255.255.255.0 dmz
access-group from_outside in interface outside
access-list from_outside extended permit object-group Long_vpn_ser object-group DM_INLINE_NETWORK_4 object Long_vpn
object-group service Longview_vpn_ser
description: Services for Long VPN access
service-object udp destination eq isakmp
service-object tcp destination eq ssh
service-object object IPSEC
object-group network DM_INLINE_NETWORK_4
network-object host 2x.9x.2xx.13x
network-object host 21x.2xx.2x4.19x
nat (dmz,outside) source static Long_vpn Long_pub
Drop-reason: (acl-drop) Flow is denied by configured rule
Any help will be greatly appreciated.
You are probably using the real IP address as the destination IP address of the "packet-tracer" command, and that is why the ASA tells you that the simulated connection would fail the RPF check: on the way in it doesn't hit any NAT rule, but on the way back out it hits a NAT rule.
Try the "packet-tracer" output with the public IP address if you want to accurately simulate the incoming packet.
I did figure this part out, but I still don't understand why the other end of the tunnel is up when in my ASA it shows up! Also, as I mentioned above, I cannot test port 500 via telnet. Obviously something is wrong, but the configuration is so simple!
What is strange about the tunnel being up if everything is allowed and the reason the "packet-tracer" was failing was because the wrong IP address was used?
You can't test ISAKMP / UDP 500 with Telnet, as telnet is TCP and not UDP.
You are still using the local IP address as the destination.
The "packet-tracer" is meant to simulate the actual packet entering the ASA interface.
When you are testing traffic from the Internet then you will have to use the public NAT IP address as the destination naturally.
On the ACLs, of course, the destination IP address is the local IP address because of the NAT and ACL format changes in the new software.
Hopefully this clears things up.
Please do remember to mark a reply as the correct answer if it answered your question
Ask more if needed naturally
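An added illustration in ASA CLI of the two "packet-tracer" invocations the reply contrasts; this is not the poster's configuration. Object and ACL names are taken from the thread, while REAL_IP, PUBLIC_IP and PEER_IP are placeholders for the DMZ host, its mapped address and the remote VPN peer.

```cisco
! Added example, not the thread's own config. Names follow the thread;
! <REAL_IP>, <PUBLIC_IP> and <PEER_IP> are placeholders.
object network Long_vpn
 host <REAL_IP>
object network Long_pub
 host <PUBLIC_IP>
object-group network DM_INLINE_NETWORK_4
 network-object host <PEER_IP>
!
! 8.3+ twice NAT: untranslates inbound packets addressed to PUBLIC_IP
! to REAL_IP before the interface ACL is evaluated.
nat (dmz,outside) source static Long_vpn Long_pub
!
! Interface ACLs match on the REAL (post-UN-NAT) address, so the
! outside ACL permits traffic to Long_vpn, not Long_pub.
access-list from_outside extended permit udp object-group DM_INLINE_NETWORK_4 object Long_vpn eq isakmp
access-list from_outside extended permit esp object-group DM_INLINE_NETWORK_4 object Long_vpn
access-group from_outside in interface outside
!
! Wrong simulation: an inbound packet addressed to the real IP. Nothing
! untranslates it on the way in, and the drop is reported as in the thread
! (acl-drop / RPF), even though the ACL itself is correct.
packet-tracer input outside udp <PEER_IP> 500 <REAL_IP> 500
!
! Correct simulation: a real Internet packet carries PUBLIC_IP. Expect the
! UN-NAT phase to rewrite it to REAL_IP and the ACCESS-LIST phase to ALLOW.
packet-tracer input outside udp <PEER_IP> 500 <PUBLIC_IP> 500
!
! Verify with counters rather than telnet (TCP telnet cannot probe UDP 500):
! untranslate_hits should increase on the static rule, and the hitcnt on the
! isakmp line of from_outside should grow as the peer sends IKE.
show nat detail
show access-list from_outside
```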