05-14-2019 07:16 AM
Good day;
Need help seeing what I am not seeing at the moment. I have built an L2L to the AWS cloud. I run a packet trace outbound and that passes, but when I run packet tracer outbound in, I keep getting denied by the implicit rule. I have gone over my configs and I don't see what is denying it; perhaps a fresh pair of eyes will see what I am not seeing.
Here is my config
object network dw01
host 10.20.10.103
object network dw01-NATLDN
host 10.180.0.103
object-group network Amazon.LocalLDN
network-object 10.180.0.0 255.255.255.0
object-group network Amazon-RemoteLDN
network-object 10.30.0.0 255.255.0.0
access-list OUTSIDE_cryptomap_10 extended permit ip object-group Amazon.LocalLDN object-group Amazon-RemoteLDN
access-list OUTSIDE_cryptomap_10 extended permit ip object-group Amazon-RemoteLDN object-group Amazon.LocalLDN
access-list amznLDN-filter extended permit ip host 52.56.71.96 host 208.126.125.10
access-list amznLDN-filter extended permit ip 10.30.0.0 255.255.0.0 10.180.0.0 255.255.255.0
nat (INSIDE,OUTSIDE) source static dw01 dw01-NATLDN destination static Amazon-RemoteLDN Amazon-RemoteLDN
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
crypto map OUTSIDE_map 15 match address OUTSIDE_cryptomap_10
crypto map OUTSIDE_map 15 set pfs group2
crypto map OUTSIDE_map 15 set peer 52.56.71.96
crypto map OUTSIDE_map 15 set ikev1 transform-set transform-amzn
crypto map OUTSIDE_map 15 set security-association lifetime seconds 3600
crypto map OUTSIDE_map 15 set nat-t-disable
tunnel-group 52.56.71.96 type ipsec-l2l
tunnel-group 52.56.71.96 general-attributes
default-group-policy Amazon-LDN
tunnel-group 52.56.71.96 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 10 retry 10
group-policy Amazon-LDN internal
group-policy Amazon-LDN attributes
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter value amznLDN-filter
vpn-tunnel-protocol ikev1
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x738e6b38, priority=13, domain=capture, deny=false
hits=2884362251, user_data=0x73831aa0, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=OUTSIDE, output_ifc=any
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x72f221c0, priority=1, domain=permit, deny=false
hits=31054542779, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=OUTSIDE, output_ifc=any
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.0.0.0 INSIDE
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x73cd1e50, priority=11, domain=permit, deny=true
hits=28748828, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=OUTSIDE, output_ifc=any
Thank you in advance for your help!!
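The packet-tracer output above is easier to reason about once it is split into its phases and the first DROP is pulled out with the rule and interface pair that produced it. The following is an added example (not code from the post or from Cisco): a small Python parser for the phase format shown above, run against a constructed sample trimmed from the poster's output (the mac/hit-count lines are dropped, the ids and interface names are the post's).

```python
import re

# Constructed sample, trimmed from the packet-tracer output format shown in the
# post (ids and interfaces are the post's; mac and hit-count lines are omitted).
SAMPLE_TRACE = """\
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
 in id=0x738e6b38, priority=13, domain=capture, deny=false
 input_ifc=OUTSIDE, output_ifc=any
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
 in id=0x72f221c0, priority=1, domain=permit, deny=false
 input_ifc=OUTSIDE, output_ifc=any
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.0.0.0 INSIDE
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
 in id=0x73cd1e50, priority=11, domain=permit, deny=true
 src ip/id=0.0.0.0, mask=0.0.0.0, port=0
 dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
 input_ifc=OUTSIDE, output_ifc=any
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
IFC_RE = re.compile(r"input_ifc=(\S+?),\s*output_ifc=(\S+)")


def parse_phases(text):
    """Split packet-tracer output into one dict per phase."""
    phases, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
            continue
        if current is None:
            continue
        for key in ("Type", "Subtype", "Result"):
            if line.startswith(key + ":"):
                current[key.lower()] = line[len(key) + 1:].strip()
                break
        else:
            # Everything else belongs to the Config: or Additional Information: block
            if line == "Config:":
                section = "config"
            elif line == "Additional Information:":
                section = "info"
            elif section:
                current[section].append(line)
    return phases


def first_drop(phases):
    """Return the first phase whose Result is DROP, or None if every phase allows."""
    for p in phases:
        if p["result"].upper() == "DROP":
            return p
    return None


def describe_drop(text):
    """One-line verdict: which phase dropped the packet, by what rule, on which interfaces."""
    p = first_drop(parse_phases(text))
    if p is None:
        return "no DROP phase: packet allowed"
    ifc = ""
    for line in p["info"]:
        m = IFC_RE.search(line)
        if m:
            ifc = f"{m.group(1)} -> {m.group(2)}"
    rule = " ".join(p["config"]) or "unnamed rule"
    return f"phase {p['phase']} {p['type']}: dropped by {rule} ({ifc})"


if __name__ == "__main__":
    print(describe_drop(SAMPLE_TRACE))
```

Paste a real trace into `describe_drop` and it points straight at the phase to look at; here that is the phase 4 ACCESS-LIST drop on OUTSIDE, i.e. the implicit rule, which is what the poster was seeing.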
05-14-2019 09:00 AM
Apologies, I should have tested this before posting, but I took an existing connection into AWS that is working and did the same packet tracer and it failed. So I went back and checked the new tunnel and I can see phase 1 and 2 complete. I can see encaps but no decaps. I can also see that the tunnel has established, so the issue isn't with the tunnel; it is the routing back from AWS. Apologies for the headaches, but I appreciate all who looked.
05-14-2019 09:38 AM
One more thing: I made a few updates. I changed
no access-list OUTSIDE_cryptomap_10 extended permit ip object-group Amazon.LocalLDN object-group Amazon-RemoteLDN
no access-list OUTSIDE_cryptomap_10 extended permit ip object-group Amazon-RemoteLDN object-group Amazon.LocalLDN
to
access-list OUTSIDE_cryptomap_10 extended permit ip any object-group Amazon-RemoteLDN
as I found out that AWS tunnels are route-based and they require that "any" be used in the cryptomap match ACL, and that all restrictions be done via VPN-Filter or routing.
I also removed
no access-list amznLDN-filter extended permit ip host 52.56.71.96 host 207.126.125.10
since filter traffic comes in from the remote end, and filters are applied after the tunnel is formed.
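The two changes above are the kind of thing that is easy to check mechanically before a tunnel is brought up. The following is an added example (not from the thread or from Cisco): a Python checker that, for a given peer, finds the crypto map entry and its match ACL, confirms that at least one ACE uses "any" as the source (the route-based requirement the poster describes), and flags any vpn-filter ACE that matches the peer's public address, since the filter only ever sees decrypted traffic. It is run against two constructed config fragments modelled on the thread: the original, and the one after the poster's edits.

```python
import re

# Constructed ASA config fragments (not a live config) modelled on the thread:
# CONFIG_BEFORE is the original crypto ACL and vpn-filter, CONFIG_AFTER reflects
# the two changes described in the follow-up post.
CONFIG_BEFORE = """\
access-list OUTSIDE_cryptomap_10 extended permit ip object-group Amazon.LocalLDN object-group Amazon-RemoteLDN
access-list OUTSIDE_cryptomap_10 extended permit ip object-group Amazon-RemoteLDN object-group Amazon.LocalLDN
access-list amznLDN-filter extended permit ip host 52.56.71.96 host 208.126.125.10
access-list amznLDN-filter extended permit ip 10.30.0.0 255.255.0.0 10.180.0.0 255.255.255.0
crypto map OUTSIDE_map 15 match address OUTSIDE_cryptomap_10
crypto map OUTSIDE_map 15 set peer 52.56.71.96
tunnel-group 52.56.71.96 general-attributes
 default-group-policy Amazon-LDN
group-policy Amazon-LDN attributes
 vpn-filter value amznLDN-filter
"""

CONFIG_AFTER = """\
access-list OUTSIDE_cryptomap_10 extended permit ip any object-group Amazon-RemoteLDN
access-list amznLDN-filter extended permit ip 10.30.0.0 255.255.0.0 10.180.0.0 255.255.255.0
crypto map OUTSIDE_map 15 match address OUTSIDE_cryptomap_10
crypto map OUTSIDE_map 15 set peer 52.56.71.96
tunnel-group 52.56.71.96 general-attributes
 default-group-policy Amazon-LDN
group-policy Amazon-LDN attributes
 vpn-filter value amznLDN-filter
"""

ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)$")


def _take_addr(tokens, i):
    """Consume one address spec: any | host X | object X | object-group X | net mask."""
    if tokens[i] in ("any", "any4", "any6"):
        return tokens[i], i + 1
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def parse_acls(config):
    """Map ACL name -> list of {action, proto, src, dst} (ports are ignored)."""
    acls = {}
    for raw in config.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        name, action, proto, rest = m.groups()
        tokens = rest.split()
        src, i = _take_addr(tokens, 0)
        dst, _ = _take_addr(tokens, i)
        acls.setdefault(name, []).append({"action": action, "proto": proto, "src": src, "dst": dst})
    return acls


def crypto_acl_for_peer(config, peer):
    """Correlate 'match address' and 'set peer' by (map name, sequence number)."""
    entries = {}
    for raw in config.splitlines():
        m = MAP_RE.match(raw.strip())
        if not m:
            continue
        field = "acl" if m.group(3) == "match address" else "peer"
        entries.setdefault((m.group(1), m.group(2)), {})[field] = m.group(4)
    for e in entries.values():
        if e.get("peer") == peer:
            return e.get("acl")
    return None


def vpn_filter_for_peer(config, peer):
    """tunnel-group -> default-group-policy -> vpn-filter value, or None."""
    context, policy, filters = None, None, {}
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith(("tunnel-group ", "group-policy ")):
            parts = line.split()
            context = (parts[0], parts[1])
            continue
        if context == ("tunnel-group", peer) and line.startswith("default-group-policy "):
            policy = line.split()[1]
        elif context and context[0] == "group-policy" and line.startswith("vpn-filter value "):
            filters[context[1]] = line.split()[2]
    return filters.get(policy)


def check_aws_peer(config, peer):
    """Findings for a route-based peer: crypto ACL needs an 'any' source, and the
    vpn-filter must not be written against the tunnel endpoints."""
    findings = []
    acls = parse_acls(config)
    acl = crypto_acl_for_peer(config, peer)
    if acl is None:
        findings.append(f"no crypto map entry sets peer {peer}")
    elif not any(a["src"] == "any" for a in acls.get(acl, [])):
        findings.append(f"crypto ACL {acl} has no ACE with source any; "
                        f"route-based peer expects any -> remote networks")
    vf = vpn_filter_for_peer(config, peer)
    for a in acls.get(vf or "", []):
        if f"host {peer}" in (a["src"], a["dst"]):
            findings.append(f"vpn-filter {vf} matches tunnel endpoint {peer}; "
                            f"the filter sees decrypted traffic, not the outer peer addresses")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, check_aws_peer(cfg, "52.56.71.96") or ["ok"])
```

The "before" config yields both findings (no "any" source in OUTSIDE_cryptomap_10, and a vpn-filter ACE keyed on the peer address); the "after" config yields none. The remaining vpn-filter ACE is written remote-to-local (10.30.0.0/16 as source), which is the direction the poster notes the filter is evaluated in.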