10-28-2017 11:43 AM - edited 02-21-2020 06:35 AM
Hi,
I've two sites (A and B) connected through an IPSec tunnel. I'm not able to access a Remote Desktop connection from Site A to Site B; below are the packet-tracer output and config.
packet-tracer input inside tcp 172.16.10.2 3389 192.168.10.2 3$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae180d48, priority=1, domain=permit, deny=false
hits=10119301, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static IPSEC-L2L-LAN IPSEC-L2L-LAN destination static IPSEC-L2L-REMOTE IPSEC-L2L-REMOTE no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.10.2/3389 to 192.168.10.2/3389
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae079688, priority=7, domain=conn-set, deny=false
hits=150156, user_data=0xae0772c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static IPSEC-L2L-LAN IPSEC-L2L-LAN destination static IPSEC-L2L-REMOTE IPSEC-L2L-REMOTE no-proxy-arp route-lookup
Additional Information:
Static translate 172.16.10.2/3389 to 172.16.10.2/3389
Forward Flow based lookup yields rule:
in id=0xaee39cf8, priority=6, domain=nat, deny=false
hits=9522, user_data=0xad8f2b50, cs_id=0x0, flags=0x0, protocol=0
src ip/id=172.16.0.0, mask=255.255.0.0, port=0, tag=0
dst ip/id=192.168.0.0, mask=255.255.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xa9677e78, priority=1, domain=nat-per-session, deny=true
hits=110170, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae186b50, priority=0, domain=inspect-ip-options, deny=true
hits=150202, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xae95a080, priority=70, domain=encrypt, deny=false
hits=11153, user_data=0x0, cs_id=0xae95c780, reverse, flags=0x0, protocol=0
src ip/id=172.16.0.0, mask=255.255.0.0, port=0, tag=0
dst ip/id=192.168.0.0, mask=255.255.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Please advise!
10-28-2017 03:49 PM
Back to your previous logs from packet tracer, the problem is the ACL. However, it looks OK; at least the ACL is applied.
I'm looking at it using a smartphone, which makes it harder. Please double-check whether the ACL is correctly applied in terms of interface and direction.
If possible, permit everything, then restrict afterwards.
-If I helped you somehow, please, rate it as useful.-
10-28-2017 12:22 PM
Hi mate,
"Drop-reason: (acl-drop) Flow is denied by configured rule"
Are you allowing this flow on the VPN?
Can you share your show running-config?
-If I helped you somehow, please, rate it as useful.-
10-28-2017 12:37 PM - edited 10-28-2017 12:40 PM
Please find below my running-config
show running-config
hostname FW-COLUMBUS-01
enable password 0gp.3MCN16asScVr encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 0gp.3MCN16asScVr encrypted
names
ip local pool ANYCONNECT-POOL 10.10.10.1-10.10.10.30 mask 255.255.255.0
!
interface Ethernet0/0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/2
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 172.16.2.1 255.255.255.0
!
interface Redundant1
member-interface Ethernet0/1
member-interface Ethernet0/2
nameif inside
security-level 100
ip address 172.16.1.254 255.255.255.0
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 4.2.2.2
object network ANYONNECT-LAN
object network OBJ-FACEBOOK.COM
fqdn fb.com
object service rdp
service tcp destination eq 3389
object-group network internet
network-object 172.16.10.0 255.255.255.0
network-object 172.16.1.0 255.255.255.0
network-object 172.16.6.0 255.255.255.0
object-group network ANYCONNECT-LOCAL
network-object 172.16.10.0 255.255.255.0
object-group network ANYCONNECT-REMOTE
network-object 10.10.10.0 255.255.255.0
object-group network IPSEC-L2L-LAN
network-object 172.16.0.0 255.255.0.0
object-group network IPSEC-L2L-REMOTE
network-object 192.168.0.0 255.255.0.0
access-list icmp extended permit icmp any any
access-list ANYCONNECT-ACL standard permit 172.16.10.0 255.255.255.0
access-list IPSEC-ACL extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list IPSEC-ACL extended permit tcp 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list IPSEC-ACL extended permit icmp 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list outside_access_in remark ICMP type 11 for Windows Traceroute
access-list outside_access_in remark ICMP type 3 for Cisco and Linux
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list VPN extended permit tcp any any eq 3389
pager lines 24
logging enable
logging monitor emergencies
mtu outside 1500
mtu management 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-751-112.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static IPSEC-L2L-LAN IPSEC-L2L-LAN destination static IPSEC-L2L-REMOTE IPSEC-L2L-REMOTE no-proxy-arp route-lookup
nat (inside,outside) source static ANYCONNECT-LOCAL ANYCONNECT-LOCAL destination static ANYCONNECT-REMOTE ANYCONNECT-REMOTE no-proxy-arp route-lookup
!
nat (inside,outside) after-auto source dynamic any interface
access-group VPN in interface outside
access-group VPN out interface inside
route inside 172.16.2.0 255.255.255.0 172.16.2.254 1
route inside 172.16.6.0 255.255.255.0 172.16.1.250 1
route inside 172.16.10.0 255.255.255.0 172.16.1.250 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 172.16.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map IPSEC_VPN_MAP 1 match address IPSEC-ACL
crypto map IPSEC_VPN_MAP 1 set pfs
crypto map IPSEC_VPN_MAP 1 set peer XX.XXX.XXX.XX
crypto map IPSEC_VPN_MAP 1 set ikev1 transform-set ESP-AES-SHA
crypto map IPSEC_VPN_MAP interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 846000
telnet timeout 5
ssh scopy enable
ssh stricthostkeycheck
ssh 172.16.10.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 8.8.8.8
dhcpd option 3 ip 172.16.1.254
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
no anyconnect-essentials
anyconnect image disk0:/anyconnect-win-4.4.03034-webdeploy-k9.pkg 1
anyconnect enable
tunnel-group-list enable
cache
disable
group-policy SITE_TO_SITE internal
group-policy SITE_TO_SITE attributes
vpn-idle-timeout none
group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
banner value *******************************
banner value AUTHORIZED ACCESS ONLY
banner value *****************************
dns-server value 4.2.2.2
vpn-tunnel-protocol ssl-client
password-storage enable
re-xauth enable
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ANYCONNECT-ACL
user-authentication-idle-timeout 60
username admin password dpiWlbmgsMY7TNa0 encrypted privilege 15
username sherry password ZQTXqHQSsqPf/6iy encrypted privilege 0
username sherry attributes
group-lock value ANYCONNECT-TG
service-type remote-access
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
address-pool ANYCONNECT-POOL
default-group-policy ANYCONNECT-GP
tunnel-group ANYCONNECT-TG webvpn-attributes
group-alias "HOME USERS" enable
tunnel-group XX.XXX.XXX.XX type ipsec-l2l
tunnel-group XX.XXX.XXX.XX general-attributes
default-group-policy SITE_TO_SITE
tunnel-group XX.XXX.XXX.XX ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
inspect ipsec-pass-thru
class class-default
set connection decrement-ttl
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
10-28-2017 01:13 PM
Correct me if I'm wrong. I'm trying to see this using a smartphone.
You are trying to access a server on 192.something, right?
Is there a route to it?
10-28-2017 01:22 PM
10-28-2017 01:41 PM
This cannot work. You are trying to access an IP address 192.x through the internet? Not possible.
You need to have a NAT on your side and on the remote side. 192.x is not routed through the internet.
It could work if 192.x were directly connected to the firewall.
-If I helped you somehow, please, rate it as useful.-
10-28-2017 01:44 PM - edited 10-28-2017 01:45 PM
I have an IPSec tunnel between both sites; in that case too, is it not going to work?
Internet -->> ASA -->> SWITCH -->> USERS SITE-B
IPSec site-to-site
Internet -->> ASA --> SWITCH -->> USERS SITE-A
10-28-2017 01:42 PM
10-28-2017 01:48 PM - edited 10-28-2017 01:55 PM
Alright, then it is possible. Sorry.
Verify whether RDP is enabled on the remote server and also whether the server routes the reply correctly.
-If I helped you somehow, please, rate it as useful.-
10-28-2017 02:52 PM
10-28-2017 03:23 PM
The packet tracer shows that the VPN tunnel is not even established. The drop is at Phase 8:
Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xae95a080, priority=70, domain=encrypt, deny=false
hits=11153, user_data=0x0, cs_id=0xae95c780, reverse, flags=0x0, protocol=0
src ip/id=172.16.0.0, mask=255.255.0.0, port=0, tag=0
dst ip/id=192.168.0.0, mask=255.255.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside
When user_data=0x0, that means that there is no tunnel established yet; it's just the crypto ACL entry. When this value is non-zero, that means that the interesting traffic matches an existing established tunnel. You might want to run the following debugs and then run the packet-tracer to see what happens during tunnel establishment:
debug crypto isakmp 127
debug crypto ipsec 127
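The user_data check described in this reply, as an added example rather than anything posted in the thread: a small Python parser for packet-tracer output that locates the dropping phase and, when it is the VPN/encrypt phase, reports whether the matched rule carries an established SA (user_data non-zero) or only the crypto ACL entry (user_data=0x0). The sample dump is an abridged, constructed copy of the one posted above; the phase and field parsing is my own and assumes the default text layout of the packet-tracer command.

```python
"""Triage an ASA 'packet-tracer' dump.

Added example, not from the thread: it finds the phase that dropped the flow
and, when that phase is VPN/encrypt, reads user_data from the matched rule.
user_data=0x0 means only the crypto-ACL entry matched and no IPsec SA exists
for that proxy pair yet; a non-zero value points at an established SA.
"""
import re

# Constructed sample: an abridged copy of the dump posted in the thread.
SAMPLE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae180d48, priority=1, domain=permit, deny=false
hits=10119301, user_data=0x0, cs_id=0x0, l3_type=0x8
Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xae95a080, priority=70, domain=encrypt, deny=false
hits=11153, user_data=0x0, cs_id=0xae95c780, reverse, flags=0x0, protocol=0
src ip/id=172.16.0.0, mask=255.255.0.0, port=0, tag=0
dst ip/id=192.168.0.0, mask=255.255.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside
Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase: (\d+)$")
KV_RE = re.compile(r"(\w+)=([^,\s]+)")


def parse(text):
    """Return (phases, summary). Each phase holds its 'Key: value' lines and a
    'rule' dict built from the 'id=..., domain=..., ...' lines; the src/dst
    lines are stored under src_id/src_mask and dst_id/dst_mask."""
    phases, summary, cur = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PHASE_RE.match(line)
        if m:
            cur = {"phase": int(m.group(1)), "rule": {}}
            phases.append(cur)
            continue
        if line == "Result:":            # bare 'Result:' opens the final summary
            cur = None
            continue
        target = cur if cur is not None else summary
        if "=" in line:
            if cur is None:
                continue
            prefix = line[:3] + "_" if line.startswith(("src ", "dst ")) else ""
            for k, v in KV_RE.findall(line):
                cur["rule"][prefix + k] = v
        elif ":" in line:
            k, _, v = line.partition(":")
            target[k.strip()] = v.strip()
    return phases, summary


def drop_phase(phases):
    """First phase whose Result is DROP, or None if the flow was allowed."""
    return next((p for p in phases if p.get("Result") == "DROP"), None)


def sa_state(phase):
    """Describe the IPsec SA state behind a VPN/encrypt phase."""
    if phase.get("Type") != "VPN" or phase.get("Subtype") != "encrypt":
        return None
    r = phase["rule"]
    proxy = (f"{r.get('src_id')}/{r.get('src_mask')} -> "
             f"{r.get('dst_id')}/{r.get('dst_mask')}")
    if int(r.get("user_data", "0x0"), 16) == 0:
        return f"no SA for proxy {proxy}: only the crypto-ACL entry matched"
    return f"SA established for proxy {proxy} (user_data={r['user_data']})"


def triage(text):
    """Return (drop phase number, phase type, SA note, drop reason) or None."""
    phases, summary = parse(text)
    p = drop_phase(phases)
    if p is None:
        return None
    return p["phase"], p["Type"], sa_state(p), summary.get("Drop-reason")


if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run against the full dump above it reports phase 8, type VPN, and "no SA for proxy 172.16.0.0/255.255.0.0 -> 192.168.0.0/255.255.0.0", which is the same conclusion as this reply: the acl-drop reason is misleading here, because the rule that denied the flow is the crypto ACL entry with no SA behind it, not an interface access-group.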
10-28-2017 03:37 PM - edited 10-28-2017 03:40 PM
Oct 28 21:14:47 [IKEv1]Group = 82.92.112.25, IP = 82.92.112.25, IKE Initiator: New Phase 2, Intf outside, IKE Peer 82.92.112.25 local Proxy Address 172.16.0.0, remote Proxy Address 192.168.0.0, Crypto map (IPSEC_VPN_MAP)
Oct 28 21:14:47 [IKEv1 DEBUG]Group = 82.92.112.25, IP = 82.92.112.25, Oakley begin quick mode
Oct 28 21:14:47 [IKEv1 DECODE]Group = 82.92.112.25, IP = 82.92.112.25, IKE Initiator starting QM: msg id = 59fb68d6
Oct 28 21:14:47 [IKEv1 DEBUG]Group = 82.92.112.25, IP = 82.92.112.25, IKE got SPI from key engine: SPI = 0x306fc706
Oct 28 21:14:47 [IKEv1 DEBUG]Group = 82.92.112.25, IP = 82.92.112.25, oakley constucting quick mode
Oct 28 21:14:47 [IKEv1 DEBUG]Group = 82.92.112.25, IP = 82.92.112.25, constructing blank hash payload
Oct 28 21:14:47 [IKEv1 DEBUG]Group = 82.92.112.25, IP = 82.92.112.25, constructing IPSec SA payload
Oct 28 21:14:47 [IKEv1 DEBUG]Group = 82.92.112.25, IP = 82.92.112.25, constructing IPSec nonce payload
Oct 28 21:14:47 [IKEv1 DEBUG]Group = 82.92.112.25, IP = 82.92.112.25, constructing pfs ke payload
Oct 28 21:14:47 [IKEv1 DEBUG]Group = 82.92.112.25, IP = 82.92.112.25, constructing proxy ID
Oct 28 21:14:47 [IKEv1 DEBUG]Group = 82.92.112.25, IP = 82.92.112.25, Transmitting Proxy Id:
Local subnet: 172.16.0.0 mask 255.255.0.0 Protocol 0 Port 0
Remote subnet: 192.168.0.0 Mask 255.255.0.0 Protocol 0 Port 0
Oct 28 21:14:47 [IKEv1 DEBUG]Group = 82.92.112.25, IP = 82.92.112.25, constructing qm hash payload
Oct 28 21:14:47 [IKEv1 DECODE]Group = 82.92.112.25, IP = 82.92.112.25, IKE Initiator sending 1st QM pkt: msg id = 59fb68d6
Oct 28 21:14:47 [IKEv1]IP = 82.92.112.25, IKE_DECODE SENDING Message (msgid=59fb68d6) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 308
Oct 28 21:14:48 [IKEv1]IP = 82.92.112.25, IKE_DECODE RECEIVED Message (msgid=bdbfb2a1) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 356
Oct 28 21:14:48 [IKEv1 DEBUG]Group = 82.92.112.25, IP = 82.92.112.25, processing hash payload
Oct 28 21:14:48 [IKEv1 DEBUG]Group = 82.92.112.25, IP = 82.92.112.25, processing notify payload
Oct 28 21:14:48 [IKEv1]Group = 82.92.112.25, IP = 82.92.112.25, Received non-routine Notify message: Invalid ID info (18)
Oct 28 21:14:56 [IKEv1]IP = 82.92.112.25, IKE_DECODE RECEIVED Message (msgid=8fa5212a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 356
Oct 28 21:14:56 [IKEv1 DEBUG]Group = 82.92.112.25, IP = 82.92.112.25, processing hash payload
Oct 28 21:14:56 [IKEv1 DEBUG]Group = 82.92.112.25, IP = 82.92.112.25, processing notify payload
Oct 28 21:14:56 [IKEv1]Group = 82.92.112.25, IP = 82.92.112.25, Received non-routine Notify message: Invalid ID info (18)
Oct 28 21:15:04 [IKEv1]IP = 82.92.112.25, IKE_DECODE RECEIVED Message (msgid=8237301a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 356
Oct 28 21:15:04 [IKEv1 DEBUG]Group = 82.92.112.25, IP = 82.92.112.25, processing hash payload
Oct 28 21:15:04 [IKEv1 DEBUG]Group = 82.92.112.25, IP = 82.92.112.25, processing notify payload
Oct 28 21:15:04 [IKEv1]Group = 82.92.112.25, IP = 82.92.112.25, Received non-routine Notify message: Invalid ID info (18)
O
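Putting the posted running-config and the debug output together, as an added example that is not from the thread: this Python script pulls the crypto ACL behind the crypto map's match address, the proxy IDs the ASA transmitted in the first quick-mode packet, and the peer's Invalid ID info (18) notify, then prints the mirror-image ACE the far side would need. The config and debug samples are constructed from the lines posted above; the <PEER-ACL> name is a placeholder, and the mirror ACE assumes the peer also expresses interesting traffic as an extended ACL (a non-Cisco peer would need the equivalent local/remote network pair in its phase 2 definition).

```python
"""Correlate an ASA running-config with an IKEv1 quick-mode debug.

Added example, not from the thread. It extracts the crypto ACL behind the
crypto map, the proxy IDs the ASA transmitted in the first QM packet, and
any 'Invalid ID info (18)' notify from the peer, then builds the mirror-image
entry the peer would need. Only address/mask ACEs are handled; 'any' and
port-qualified entries are skipped. <PEER-ACL> is a placeholder name.
"""
import re
from ipaddress import IPv4Network

# Constructed sample: the relevant lines of the posted config.
CONFIG = """\
access-list IPSEC-ACL extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list IPSEC-ACL extended permit tcp 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list IPSEC-ACL extended permit icmp 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0
crypto map IPSEC_VPN_MAP 1 match address IPSEC-ACL
crypto map IPSEC_VPN_MAP 1 set peer XX.XXX.XXX.XX
"""

# Constructed sample: abridged lines from the posted 'debug crypto isakmp'.
DEBUG = """\
Oct 28 21:14:47 [IKEv1 DEBUG]Group = 82.92.112.25, IP = 82.92.112.25, Transmitting Proxy Id:
Local subnet: 172.16.0.0 mask 255.255.0.0 Protocol 0 Port 0
Remote subnet: 192.168.0.0 Mask 255.255.0.0 Protocol 0 Port 0
Oct 28 21:14:48 [IKEv1]IP = 82.92.112.25, IKE_DECODE RECEIVED Message (msgid=bdbfb2a1) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 356
Oct 28 21:14:48 [IKEv1]Group = 82.92.112.25, IP = 82.92.112.25, Received non-routine Notify message: Invalid ID info (18)
"""

ACE_RE = re.compile(
    r"^access-list (\S+) extended permit (\S+) (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
SUBNET_RE = re.compile(
    r"^(Local|Remote) subnet: (\S+) [Mm]ask (\S+) Protocol (\d+) Port (\d+)$")
NOTIFY_RE = re.compile(r"Received non-routine Notify message: (.+?) \((\d+)\)")


def net(addr, mask):
    return IPv4Network(f"{addr}/{mask}")


def crypto_aces(config):
    """Map 'crypto-map entry' -> list of (proto, src, dst) from its match ACL."""
    acls, maps = {}, {}
    for line in config.splitlines():
        m = ACE_RE.match(line)
        if m:
            name, proto, sa, sm, da, dm = m.groups()
            try:
                acls.setdefault(name, []).append((proto, net(sa, sm), net(da, dm)))
            except ValueError:          # 'any' or port keywords: not a plain subnet ACE
                continue
        m = MAP_RE.match(line)
        if m:
            maps[f"{m.group(1)} {m.group(2)}"] = m.group(3)
    return {entry: acls.get(acl, []) for entry, acl in maps.items()}


def parse_debug(debug):
    """Return (proxy pairs transmitted as (local, remote), list of notifies)."""
    proxies, notifies, pending = [], [], {}
    for line in debug.splitlines():
        m = SUBNET_RE.match(line.strip())
        if m:
            side, addr, mask, proto, port = m.groups()
            pending[side] = (net(addr, mask), int(proto), int(port))
            if "Local" in pending and "Remote" in pending:
                proxies.append((pending.pop("Local"), pending.pop("Remote")))
            continue
        m = NOTIFY_RE.search(line)
        if m:
            notifies.append((m.group(1), int(m.group(2))))
    return proxies, notifies


def peer_mirror(local, remote):
    """The ACE the far side needs: its local is our remote and vice versa."""
    return (f"access-list <PEER-ACL> extended permit ip "
            f"{remote.network_address} {remote.netmask} "
            f"{local.network_address} {local.netmask}")


def diagnose(config, debug):
    """One finding per transmitted proxy pair: which crypto-map entry produced
    it, whether the peer answered with INVALID-ID-INFORMATION (type 18), and
    the mirrored ACE the peer must carry for quick mode to complete."""
    aces = crypto_aces(config)
    proxies, notifies = parse_debug(debug)
    invalid_id = [n for n in notifies if n[1] == 18]
    findings = []
    for (local, _, _), (remote, _, _) in proxies:
        matched = [e for e, lst in aces.items()
                   if any(s == local and d == remote for _, s, d in lst)]
        findings.append({
            "proxy": f"{local} -> {remote}",
            "crypto_map_entry": matched[0] if matched else None,
            "peer_rejected_with_invalid_id": bool(invalid_id),
            "peer_needs": peer_mirror(local, remote),
        })
    return findings


if __name__ == "__main__":
    for f in diagnose(CONFIG, DEBUG):
        print(f)
```

The transmitted proxy carries Protocol 0, i.e. the permit ip entry, which already covers the tcp and icmp entries listed after it, so the peer must accept 192.168.0.0/16 to 172.16.0.0/16 exactly. A narrower or different selector on the far side (for example a single /24) is the usual cause of an INVALID-ID-INFORMATION notify in IKEv1 quick mode; the peer's phase 2 definition, not this ASA's interface ACL, is where the fix goes.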
10-28-2017 03:41 PM
10-28-2017 04:04 PM