07-06-2018 12:43 PM - edited 02-21-2020 07:57 AM
Hi Everyone,
I am having trouble getting my site-to-site VPN working. It shows the tunnel is initiated on both sides, but I cannot ping across to any of the subnets.
One is an ASA5510 (8.2), the other is an ASA5505 (8.2).
I am sure I'm missing something simple, but I just can't seem to figure it out.
Here is my code:
ASA5505 (OFFICE)
ASA5505# show crypto isakmp sa detail

   Active SA: 1
    Rekey SA: 0  (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 50.0.0.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : MD5
    Auth    : preshared       Lifetime: 28800
    Lifetime Remaining: 28750

ASA5505# show run
: Saved
:
ASA Version 8.2(5)
!
hostname ASA5505
domain-name .LOCAL
enable password l6TfH6cW.FyTs0Rc encrypted
passwd zsGJHLUedCLLSkmz encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 description Connection to Switch
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 description Untangle Link
 shutdown
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 104.0.0.1 255.255.255.248
!
ftp mode passive
dns server-group DefaultDNS
 domain-name .LOCAL
object-group network -IP
 network-object host 64.40.115.156
 network-object host 64.40.115.157
 network-object host 64.40.115.158
 network-object host 64.40.115.155
object-group network VPN-INSIDE-IP
 network-object host 192.168.10.4
object-group network SOUTH-NETWORK
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.96.0 255.255.255.0
 network-object 192.168.97.0 255.255.255.0
 network-object 192.168.98.0 255.255.255.0
object-group network OFFICE-NETWORK
 network-object 192.168.99.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
access-list inbound extended permit icmp any any
access-list inbound extended permit tcp any host 104.0.0.1 eq 81
access-list inbound extended permit tcp any host 104.0.0.1 eq 5000
access-list inbound extended permit tcp any host 104.0.0.1 eq 85
access-list inbound extended permit tcp any host 104.0.0.1 eq 6690
access-list inbound extended permit tcp any host 104.0.0.1 eq 5222
access-list inbound extended permit tcp object-group IP host 104.0.0.1 eq 8351
access-list inbound extended permit tcp host 209.0.0.1 host 104.0.0.1 eq 3389
access-list inbound extended permit udp any host 104.0.0.2 eq 1194
access-list nonat extended permit ip 192.168.99.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip 192.168.20.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip object-group OFFICE-NETWORK object-group SOUTH-NETWORK
access-list splittunnel standard permit 192.168.99.0 255.255.255.0
access-list splittunnel standard permit 192.168.20.0 255.255.255.0
access-list splittunnel standard permit 192.168.10.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object-group OFFICE-NETWORK object-group SOUTH-NETWORK
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnclientpool 192.168.5.1-192.168.5.254
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 104.0.0.2 netmask 255.255.255.248
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 81 192.168.99.253 81 netmask 255.255.255.255
static (inside,outside) tcp interface 5000 192.168.99.253 5000 netmask 255.255.255.255
static (inside,outside) tcp interface 85 192.168.99.252 85 netmask 255.255.255.255
static (inside,outside) tcp interface 6690 192.168.99.12 6690 netmask 255.255.255.255
static (inside,outside) tcp interface 8500 192.168.10.5 8500 netmask 255.255.255.255
static (inside,outside) tcp interface 8351 192.168.20.7 8351 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.20.7 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 5222 192.168.20.19 5222 netmask 255.255.255.255
static (inside,outside) udp 104.11.119.180 1194 192.168.10.5 1194 netmask 255.255.255.255
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 104.0.0.10 1
route inside 192.168.20.0 255.255.255.0 192.168.10.2 1
route inside 192.168.99.0 255.255.255.0 192.168.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server vpn protocol radius
aaa-server vpn (inside) host 192.168.20.16
 key *****
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.99.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
snmp-server group v3group v3 auth
snmp-server user v3user v3group v3 encrypted auth md5 8f:e2:21:74:8e:e0:e0:bf:e6:47:68:71:1e:3e:ed:d7
snmp-server host inside 192.168.20.10 community ***** version 2c
snmp-server host inside 192.168.99.2 community ***** version 2c
snmp-server location office
snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set des-sha esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map clienttunnel 10 set transform-set 3des-md5 3des-sha
crypto map vpntunnel 30 match address outside_1_cryptomap
crypto map vpntunnel 30 set pfs group1
crypto map vpntunnel 30 set peer 50.0.0.1
crypto map vpntunnel 30 set transform-set ESP-3DES-SHA
crypto map vpntunnel 65000 ipsec-isakmp dynamic clienttunnel
crypto map vpntunnel interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 40
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 28800
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.99.0 255.255.255.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
ssh version 2
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpnclient internal
group-policy vpnclient attributes
 dns-server value 192.168.20.16
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel
 default-domain value airinnovationsllc.local
username admin password gKsOtAE6fzcD/7Hh encrypted privilege 15
username adminasa password APBxx13XKOB9uRKd encrypted
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
 address-pool vpnclientpool
 authentication-server-group vpn
 default-group-policy vpnclient
tunnel-group vpnclient ipsec-attributes
 pre-shared-key *****
tunnel-group 50.0.0.1 type ipsec-l2l
tunnel-group 50.0.0.1 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect http
  inspect snmp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:8b826892f526483687b2934e4cbab68c
: end
ASA5510 (SOUTH)
SOUTH-WAREHOUSE-ASA5510# show crypto isakmp sa detail

   Active SA: 1
    Rekey SA: 0  (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 104.0.0.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : MD5
    Auth    : preshared       Lifetime: 28800
    Lifetime Remaining: 28666

SOUTH-WAREHOUSE-ASA5510# show run
: Saved
:
ASA Version 8.2(5)
!
hostname SOUTH-WAREHOUSE-ASA5510
domain-name .local
enable password l6TfH6cW.FyTs0Rc encrypted
passwd l6TfH6cW.FyTs0Rc encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 50.0.0.1 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.11.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name .local
object-group network OFFICE-NETWORK
 network-object 192.168.99.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
object-group network SOUTH-NETWORK
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.96.0 255.255.255.0
 network-object 192.168.97.0 255.255.255.0
 network-object 192.168.98.0 255.255.255.0
access-list inbound extended permit icmp any any
access-list inbound extended permit tcp any host 50.0.0.1 eq 81
access-list OUTSIDE_1_CRYPTOMAP extended permit ip object-group SOUTH-NETWORK object-group OFFICE-NETWORK
access-list NONAT extended permit ip object-group SOUTH-NETWORK object-group OFFICE-NETWORK
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 50.0.0.10 1
route inside 192.168.96.0 255.255.255.0 192.168.11.2 1
route inside 192.168.97.0 255.255.255.0 192.168.11.2 1
route inside 192.168.98.0 255.255.255.0 192.168.11.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.97.0 255.255.255.0 inside
http 192.168.98.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set des-sha esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map vpntunnel 30 match address OUTSIDE_1_CRYPTOMAP
crypto map vpntunnel 30 set pfs group1
crypto map vpntunnel 30 set peer 104.0.0.1
crypto map vpntunnel 30 set transform-set ESP-3DES-SHA
crypto map vpntunnel interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 40
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 28800
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username adminasa password APBxx13XKOB9uRKd encrypted
tunnel-group 104.0.0.1 type ipsec-l2l
tunnel-group 104.0.0.1 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2799251874696d5e2bb2bf6c17f6699c
: end
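When IKE is MM_ACTIVE on both peers but nothing crosses the tunnel, the two things to verify first in an 8.2 config like the ones above are that the crypto map's match ACLs are exact mirrors of each other (after object-group expansion) and that each side's nat 0 ACL exempts every crypto pair. The Python checker below is an added example, not code from the thread or from Cisco; the embedded configs are constructed, trimmed excerpts modelled on the OFFICE and SOUTH configs above, plus a deliberately broken variant to show what a mismatch report looks like.

```python
import re
from ipaddress import ip_network
from typing import Dict, Set, Tuple

# Constructed, trimmed excerpts modelled on the OFFICE and SOUTH configs posted above.
OFFICE_CFG = """\
object-group network SOUTH-NETWORK
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.96.0 255.255.255.0
object-group network OFFICE-NETWORK
 network-object 192.168.99.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip object-group OFFICE-NETWORK object-group SOUTH-NETWORK
access-list outside_1_cryptomap extended permit ip object-group OFFICE-NETWORK object-group SOUTH-NETWORK
nat (inside) 0 access-list nonat
crypto map vpntunnel 30 match address outside_1_cryptomap
"""
SOUTH_CFG = """\
object-group network OFFICE-NETWORK
 network-object 192.168.99.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
object-group network SOUTH-NETWORK
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.96.0 255.255.255.0
access-list OUTSIDE_1_CRYPTOMAP extended permit ip object-group SOUTH-NETWORK object-group OFFICE-NETWORK
access-list NONAT extended permit ip object-group SOUTH-NETWORK object-group OFFICE-NETWORK
nat (inside) 0 access-list NONAT
crypto map vpntunnel 30 match address OUTSIDE_1_CRYPTOMAP
"""
# Deliberately broken variant: one subnet missing from the remote peer's proxy identity.
SOUTH_CFG_BROKEN = SOUTH_CFG.replace(" network-object 192.168.96.0 255.255.255.0\n", "")

ADDR = r"(?:object-group \S+|\S+ \S+)"   # the two address forms used in these configs
ACE_RE = re.compile(rf"^access-list (\S+) extended permit ip ({ADDR}) ({ADDR})\s*$", re.M)
CRYPTO_ACL = r"^crypto map \S+ \d+ match address (\S+)"   # the crypto map's proxy-identity ACL
NONAT_ACL = r"^nat \(\S+\) 0 access-list (\S+)"            # 8.2-style NAT exemption ACL


def to_nets(token: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """Expand an address token ('object-group X' or 'A MASK') to a set of CIDR strings."""
    kind, *rest = token.split()
    if kind == "object-group":
        return groups[rest[0]]
    return {str(ip_network(f"{kind}/{rest[0]}"))}


def parse_object_groups(cfg: str) -> Dict[str, Set[str]]:
    """Map each 'object-group network' name to its member networks."""
    groups: Dict[str, Set[str]] = {}
    current: Set[str] = set()
    for line in cfg.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), set())
        elif line.startswith(" network-object "):
            current |= to_nets(line.split(None, 1)[1], groups)
    return groups


def acl_pairs(cfg: str, name: str, groups: Dict[str, Set[str]]) -> Set[Tuple[str, str]]:
    """Every (src, dst) network pair permitted by the named extended ACL, groups expanded."""
    return {(s, d) for acl, src, dst in ACE_RE.findall(cfg) if acl == name
            for s in to_nets(src, groups) for d in to_nets(dst, groups)}


def acl_name(cfg: str, pattern: str) -> str:
    m = re.search(pattern, cfg, re.M)
    if m is None:
        raise ValueError(f"no line matches {pattern!r}")
    return m.group(1)


def check_peers(cfg_a: str, cfg_b: str) -> Dict[str, Set[Tuple[str, str]]]:
    """All four sets empty means the crypto ACLs mirror and NAT exemption covers them."""
    ga, gb = parse_object_groups(cfg_a), parse_object_groups(cfg_b)
    ca = acl_pairs(cfg_a, acl_name(cfg_a, CRYPTO_ACL), ga)
    cb = acl_pairs(cfg_b, acl_name(cfg_b, CRYPTO_ACL), gb)
    mirror_b = {(d, s) for s, d in cb}   # peer B's pairs as they must appear on peer A
    return {
        "crypto_only_on_a": ca - mirror_b,
        "crypto_only_on_b": mirror_b - ca,
        "a_not_nat_exempt": ca - acl_pairs(cfg_a, acl_name(cfg_a, NONAT_ACL), ga),
        "b_not_nat_exempt": cb - acl_pairs(cfg_b, acl_name(cfg_b, NONAT_ACL), gb),
    }
```

Running check_peers(OFFICE_CFG, SOUTH_CFG) returns four empty sets for the configs as posted; the broken variant reports the two OFFICE-to-192.168.96.0/24 pairs that the remote peer no longer has a proxy identity for.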
07-09-2018 05:41 PM
Hello,
From the ASA5505, you notice a drop in Phase 10, and also Phase 9 (host-limits). What is the license on the ASA?
You can find it from 'show ver' and 'show local-host'. Try rebooting the unit and also updating the code.
Thx
MS
07-10-2018 06:07 AM
I don't see the drop in Phase 10 or the other thing you are talking about in Phase 9. Not sure if you got mixed up or I am blind. I feel like updating the code might be the only solution at this point.
The ASA 5505 is on Base License
The ASA 5510 is on Security Plus
Here are the show vers for both.
ASA5505
AIR-ASA5505# show ver

Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)

Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"

AIR-ASA5505 up 3 days 15 hours

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
 0: Int: Internal-Data0/0    : address is f40f.1b21.b48a, irq 11
 1: Ext: Ethernet0/0         : address is f40f.1b21.b482, irq 255
 2: Ext: Ethernet0/1         : address is f40f.1b21.b483, irq 255
 3: Ext: Ethernet0/2         : address is f40f.1b21.b484, irq 255
 4: Ext: Ethernet0/3         : address is f40f.1b21.b485, irq 255
 5: Ext: Ethernet0/4         : address is f40f.1b21.b486, irq 255
 6: Ext: Ethernet0/5         : address is f40f.1b21.b487, irq 255
 7: Ext: Ethernet0/6         : address is f40f.1b21.b488, irq 255
 8: Ext: Ethernet0/7         : address is f40f.1b21.b489, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces    : 8
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : Unlimited
Failover                       : Disabled
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
SSL VPN Peers                  : 2
Total VPN Peers                : 10
Dual ISPs                      : Disabled
VLAN Trunk Ports               : 0
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has a Base license.
ASA5510
SOUTH-WAREHOUSE-ASA5510# show ver

Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)

Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"

SOUTH-WAREHOUSE-ASA5510 up 16 hours 59 mins

Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
 0: Ext: Ethernet0/0         : address is 0023.5e15.f86a, irq 9
 1: Ext: Ethernet0/1         : address is 0023.5e15.f86b, irq 9
 2: Ext: Ethernet0/2         : address is 0023.5e15.f86c, irq 9
 3: Ext: Ethernet0/3         : address is 0023.5e15.f86d, irq 9
 4: Ext: Management0/0       : address is 0023.5e15.f869, irq 11
 5: Int: Not used            : irq 11
 6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 100
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 2
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 250
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has an ASA 5510 Security Plus license.
07-10-2018 06:41 PM
Hi,
One of the emails I received (when you post an update) is as below:
_________________________________________
Sys OPT did not work. Added it to both.
Here is the packet tracer results. Says "ACTION: DROP" because of an ACL, but the ACLs are correct...
AIR-ASA5505# packet-tracer input inside icmp 192.168.99.16 0 0 192.168.97.1 de$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc959bae8, priority=1, domain=permit, deny=false
        hits=4673798, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc959e220, priority=0, domain=inspect-ip-options, deny=true
        hits=134502, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc9f90178, priority=70, domain=inspect-icmp, deny=false
        hits=7549, user_data=0xc9f8ff78, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc959de98, priority=66, domain=inspect-icmp-error, deny=false
        hits=7549, user_data=0xc959dd80, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xca179f80, priority=12, domain=debug-icmp-trace, deny=false
        hits=6904, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip inside 192.168.99.0 255.255.255.0 outside 192.168.97.0 255.255.255.0
    NAT exempt
    translate_hits = 5, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xca276cd0, priority=6, domain=nat-exempt, deny=false
        hits=1, user_data=0xca276c10, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=192.168.99.0, mask=255.255.255.0, port=0
        dst ip=192.168.97.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (104.0.0.1 [Interface PAT])
    translate_hits = 130712, untranslate_hits = 17676
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc962c538, priority=1, domain=nat, deny=false
        hits=132140, user_data=0xc962c478, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc962c088, priority=1, domain=host, deny=false
        hits=135185, user_data=0xc962bc70, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xca23d8f8, priority=70, domain=encrypt, deny=false
        hits=1, user_data=0x0, cs_id=0xc9f14b48, reverse, flags=0x0, protocol=0
        src ip=192.168.99.0, mask=255.255.255.0, port=0
        dst ip=192.168.97.0, mask=255.255.255.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
______________________________________________
You can try a reboot and/or upgrading the code.
Thx
MS
07-31-2018 12:34 PM
I've upgraded the code to 8.4(5). Took me a little while because I had to drive to the other location to add some memory to the ASA5510.
Both are still not working. Same stuff going on. Debug shows it's getting across.
Here is the new packet tracer
AIR-ASA5505# packet-tracer input inside icmp 192.168.99.1 0 0 192.168.98.1

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static OFFICE-NETWORK OFFICE-NETWORK destination static SOUTH-NETWORK SOUTH-NETWORK
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.98.1/0 to 192.168.98.1/0

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static OFFICE-NETWORK OFFICE-NETWORK destination static SOUTH-NETWORK SOUTH-NETWORK
Additional Information:
Static translate 192.168.99.1/0 to 192.168.99.1/0

Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static OFFICE-NETWORK OFFICE-NETWORK destination static SOUTH-NETWORK SOUTH-NETWORK
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 480877, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
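The two packet-tracer runs in this thread differ in one phase: VPN/encrypt returns DROP on 8.2(5) and ALLOW on 8.4(5). As an added example (not the poster's or Cisco's code), this Python parser pulls the per-phase verdicts and the final Action and Drop-reason out of packet-tracer output, including output that has been flattened onto a single line the way the forum rendered it; the embedded traces are constructed, abridged versions of the two posted runs.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed, abridged excerpts modelled on the two traces posted in the thread
# (8.2(5) before the upgrade, 8.4(5) after). They are not the poster's verbatim output.
TRACE_82 = """\
AIR-ASA5505# packet-tracer input inside icmp 192.168.99.16 0 0 192.168.97.1 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
TRACE_84 = """\
AIR-ASA5505# packet-tracer input inside icmp 192.168.99.1 0 0 192.168.98.1
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Result:
Action: allow
"""

# Whitespace-tolerant, so it also handles output a forum post has flattened onto one line.
PHASE_RE = re.compile(
    r"Phase:\s*(\d+)\s+Type:\s*(\S+)\s+Subtype:\s*(.*?)\s*Result:\s*(ALLOW|DROP)", re.S)
ACTION_RE = re.compile(r"Action:\s*(allow|drop)")
REASON_RE = re.compile(r"Drop-reason:\s*(.+?)\s*$", re.M)


@dataclass
class Phase:
    number: int
    kind: str      # the Type: field (ACCESS-LIST, NAT, VPN, ...)
    subtype: str   # the Subtype: field, empty when the ASA prints none
    result: str    # ALLOW or DROP


@dataclass
class Trace:
    phases: List[Phase] = field(default_factory=list)
    action: Optional[str] = None
    drop_reason: Optional[str] = None


def parse_trace(text: str) -> Trace:
    """Extract every 'Phase:' block plus the final Action and Drop-reason lines."""
    action, reason = ACTION_RE.search(text), REASON_RE.search(text)
    return Trace([Phase(int(n), k, s, r) for n, k, s, r in PHASE_RE.findall(text)],
                 action.group(1) if action else None, reason.group(1) if reason else None)


def first_drop(trace: Trace) -> Optional[Phase]:
    """First phase whose Result is DROP, or None when every phase allowed the packet."""
    return next((p for p in trace.phases if p.result == "DROP"), None)


def summarize(trace: Trace) -> str:
    drop = first_drop(trace)
    if drop is None:
        return f"allow after {len(trace.phases)} phases (final action: {trace.action})"
    return f"drop at phase {drop.number} ({drop.kind}/{drop.subtype or '-'}): {trace.drop_reason}"
```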
08-01-2018 10:50 AM
I figured out the issue. It was a few things:
1. Code error with the crypto and NAT translation on 8.2(5). I had a crypto_archive and I had to delete it per Cisco's repair and reboot the ASA.
2. AT&T had a sneaky option set hidden away in their modem that NAT'ed all traffic. I had to disable NAT on the AT&T modem.
3. Upgraded the code to 8.4(5).
Thank you for all the help. I learned a lot through all this information.
08-02-2018 07:35 PM
Glad to hear that issue has been resolved. Good finding. Thanks for the rating.
MS