07-07-2015 04:57 PM - edited 03-08-2019 12:52 AM
Dear Support,
I have some issues with my site-to-site VPN. The tunnel is up but there is no traffic. I receive this error message in the logs:
4 | Jul 07 2015 | 23:30:23 | 106023 | X.X.X.X | Y.Y.Y.Y | Deny protocol 0 src outside:X.X.X.X dst outside:Y.Y.Y.Y by access-group "outside_acl" [0x0, 0x0] |
Please help. Thanks in advance.
07-08-2015 04:48 AM
Dear Support,
I am waiting for your feedback.
07-09-2015 12:46 AM
Hi,
Do you have NAT on your device? I mean, can the subnet that has to go into the VPN also use your internet? The IP range that goes into the VPN tunnel, is this IP range NAT-ted as well?
If you can share your configuration it will help me to understand the issue.
07-09-2015 01:38 AM
Hi togrul.azizli,
Thanks for your response.
Yes, I have dynamic and static NAT. The IP that goes into the VPN tunnel is NAT-ted as well.
Below is the NAT config:
asa(config-network-object)# host 192.168.0.100
asa(config-network-object)# nat (inside,outside) static mach_Outside
access-list outside_acl permit ip any host 192.168.0.100
access-group outside_acl in interface outside
VPN config:
access-list outside_1_cryptomap extended permit ip object mach_Outside object mach_mach
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key *********
crypto ipsec transform-set ASA2transform esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set transform-set ASA2transform
nat (inside,outside) source static mach_Outside mach_Outside destination static mach_mach mach_mach
07-09-2015 02:33 AM
What is the IP range that you want to send over the VPN?
07-09-2015 03:02 AM
Hi togrul.azizli,
It is only one public IP /32; the network object is mach_Outside, which is NAT-ted to the private IP 192.168.0.100.
07-09-2015 03:36 AM
I mean, you want to create a site-to-site VPN between two sites, so you have to select a subnet which is going to use the VPN, and likewise at the other site, like this. Example: the 192.168.0.0/24 subnet will use the VPN at one site, 192.168.1.0/24 at the other site. Do you have subnets like this, or do you use only the 192.168.0.100 IP address for the L2L VPN?
And can you edit
access-list outside_acl permit ip any host 192.168.0.100
to
access-list outside_acl permit ip any any
See what happens and let me know.
07-09-2015 04:14 AM
Hi togrul.azizli,
I have replaced the ACL with:
access-list outside_acl permit ip any any
Now I have no error messages in the logs.
I have created the site-to-site VPN as follows:
For example: my subnetwork is 192.168.0.0/24, NAT-ted with the public IP X.X.X.X, to the peer side 192.168.1.0/24.
So it is the public IP X.X.X.X that goes over the VPN tunnel.
Is it possible to send a public IP over the VPN tunnel from the ASA?
07-09-2015 04:53 AM
So, how the VPN works:
You create the VPN tunnel on the public addresses (your ASA and the remote ASA), and you create an access list which determines the interesting traffic for the VPN; in other words, you determine which traffic will be sent over the VPN tunnel. Example: your inside subnet is 192.168.0.0/24 and you want to create a VPN tunnel between your inside subnet and the inside subnet of the remote ASA (192.168.1.0/24), so create an access list "permit ip 192.168.0.0 to 192.168.1.0/24" (I didn't write it technically right).
Then you wrote dynamic NAT, so the source IP of any packet going outside is translated via NAT to your public IP, but we have to separate the packets for the VPN so that they are not NAT-ted; then you write the NAT exemption "nat (inside,outside) source static mach_Outside mach_Outside destination static mach_mach mach_mach" (from your config), which means: if the packet's source is an IP from 192.168.0.0/24 and the destination IP is from 192.168.1.0/24, then do not NAT this packet, but NAT the other packets going outside.
So, in the end, you use the VPN and the Internet simultaneously.
In your case you wrote the ACL "access-list outside_acl permit ip any host 192.168.0.100",
and I think you also have to add your public IP address to that ACL. That is why when you wrote "permit any any" it worked out.
Finally, can you add your public IP to that ACL and let me know what happens.
access-list outside_acl permit ip any host 192.168.0.100
access-list outside_acl permit ip any host "your public ip"
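To put the pieces described in that answer into one place, the fragment below is an added example written for this page; it is not the poster's configuration and not from the thread. It assumes ASA 8.3+ object NAT syntax and the thread's two LANs (192.168.0.0/24 local, 192.168.1.0/24 remote); the object names LOCAL-LAN, REMOTE-LAN and LOCAL-LAN-PAT are made up, and the poster's existing static NAT for 192.168.0.100 is left untouched. The interesting-traffic ACL and the NAT exemption both refer to the private subnets, never to the public address, and the inbound interface ACL is kept as narrow as the poster originally had it: decrypted tunnel traffic is exempt from outside_acl while the default sysopt connection permit-vpn is in effect, so there is no need for permit ip any any, which would expose every inside host to the Internet.

```cisco
! Added example, not the thread's configuration. Object names are assumptions.
object network LOCAL-LAN
 subnet 192.168.0.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.1.0 255.255.255.0

! NAT exemption: identity twice NAT in section 1, so it is evaluated before
! any object (section 2) NAT such as the static for 192.168.0.100 and the PAT
! below. Source and destination are the private subnets; the public IP never
! appears here.
nat (inside,outside) 1 source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN

! Everything else leaving inside is PATed to the outside interface address.
object network LOCAL-LAN-PAT
 subnet 192.168.0.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Interesting traffic for the crypto map: private subnet to private subnet.
access-list outside_1_cryptomap extended permit ip object LOCAL-LAN object REMOTE-LAN
crypto map outside_map 1 match address outside_1_cryptomap

! Inbound ACL on outside: only the published host, as in the original config.
! Decrypted IPsec traffic bypasses this ACL under the default
! "sysopt connection permit-vpn"; confirm it has not been disabled with
! "show running-config all sysopt". Do not replace this with "permit ip any any".
access-list outside_acl extended permit ip any host 192.168.0.100
access-group outside_acl in interface outside

! Verification: the NAT exemption must be the NAT rule hit and a VPN phase must
! appear before the interface ACL is worth looking at; then check that the
! encaps/decaps counters on the SA increase.
packet-tracer input inside tcp 192.168.0.50 12345 192.168.1.20 80
show crypto ipsec sa
```

If packet-tracer shows the PAT rule or the static for 192.168.0.100 being hit instead of the exemption, the twice NAT line is missing or ordered after another section-1 rule that matches first; if it shows the exemption and a VPN phase but the remote side sees nothing, compare the crypto ACL with the mirror ACL on the peer before touching outside_acl.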
07-09-2015 06:10 AM
Hi togrul.azizli,
I have modified the ACL:
access-list outside_acl permit ip any host 192.168.0.100
access-list outside_acl permit ip any host "your public ip"
but I received many logs like the ones below:
Deny udp src outside:75.154.164.197/23676 dst inside:192.168.0.134/51406 by access-group "outside_acl" [0x0, 0x0]
Deny tcp src outside:86.220.209.8/53128 dst inside:192.168.0.50/60286 by access-group "outside_acl" [0x0, 0x0]
07-09-2015 06:44 AM
In your inside network there are different IP addresses in use, not only 192.168.0.100, but in the access list you permitted only the 192.168.0.100 IP address. You can edit it to 192.168.0.100 255.255.255.0.
Like, instead of
access-list outside_acl permit ip any host 192.168.0.100
put
access-list outside_acl permit ip any 192.168.0.0 255.255.255.0
Let me know what happens.
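Added example, not from the thread: a short Python triage of 106023 deny lines like the ones quoted above. It separates denies of decrypted tunnel traffic (remote LAN to local LAN arriving on outside) from unsolicited Internet packets to inside hosts, which is the distinction that decides whether the interface ACL is the tunnel's problem at all; the two denies the poster quoted fall into the second category and are no reason to widen the ACL. The first two log lines are constructed after the thread's, the third and fourth are invented to show the other categories, and the subnets are the thread's; the function names are mine.

```python
"""Triage ASA 106023 interface-ACL denies against site-to-site VPN subnets.

Added example, not code from the thread. Sample lines are constructed.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample lines: the first two follow the thread's denies, the
# third models decrypted tunnel traffic being dropped, the fourth models the
# outside-to-outside deny from the first post.
SAMPLE_LOGS = [
    'Deny udp src outside:75.154.164.197/23676 dst inside:192.168.0.134/51406 by access-group "outside_acl" [0x0, 0x0]',
    'Deny tcp src outside:86.220.209.8/53128 dst inside:192.168.0.50/60286 by access-group "outside_acl" [0x0, 0x0]',
    'Deny tcp src outside:192.168.1.20/49152 dst inside:192.168.0.100/445 by access-group "outside_acl" [0x0, 0x0]',
    'Deny protocol 0 src outside:203.0.113.10 dst outside:198.51.100.5 by access-group "outside_acl" [0x0, 0x0]',
]

# Matches the body of %ASA-4-106023; ports are absent for non-TCP/UDP protocols.
DENY_RE = re.compile(
    r'Deny (?P<proto>[a-z]+(?: \d+)?) '
    r'src (?P<sif>[\w-]+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dif>[\w-]+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))? '
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_deny(line):
    """Return the fields of a 106023 message as a dict, or None if it isn't one."""
    m = DENY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d['src'] = ipaddress.ip_address(d['src'])
    d['dst'] = ipaddress.ip_address(d['dst'])
    return d


def classify_deny(line, local_net, remote_net):
    """Label one deny relative to the tunnel's interesting-traffic subnets.

    'vpn-blocked'        decrypted tunnel traffic (remote LAN -> local LAN) was
                         dropped by the inbound interface ACL. With the default
                         "sysopt connection permit-vpn" this does not happen, so
                         either that sysopt is off or the ACL needs a line for
                         remote_net -> local_net; "permit ip any any" is not it.
    'outside-to-outside' arrived on outside with an outside-side destination,
                         so it is not decrypted LAN traffic; identify it before
                         changing the ACL.
    'internet-noise'     unsolicited Internet packets to inside hosts. Expected
                         on any public interface and unrelated to the tunnel.
    """
    d = parse_deny(line)
    if d is None:
        return 'unparsed'
    if d['sif'] == 'outside' and d['src'] in remote_net and d['dst'] in local_net:
        return 'vpn-blocked'
    if d['sif'] == 'outside' and d['dif'] == 'outside':
        return 'outside-to-outside'
    return 'internet-noise'


def triage(lines, local_cidr='192.168.0.0/24', remote_cidr='192.168.1.0/24'):
    """Count deny categories over a batch of log lines (defaults: the thread's LANs)."""
    local_net = ipaddress.ip_network(local_cidr)
    remote_net = ipaddress.ip_network(remote_cidr)
    return Counter(classify_deny(line, local_net, remote_net) for line in lines)


if __name__ == '__main__':
    for label, count in sorted(triage(SAMPLE_LOGS).items()):
        print(f'{label:20s} {count}')
```

Run it against a syslog export filtered to 106023 and the outside ACL: a high 'internet-noise' count with zero 'vpn-blocked' means the ACL is not what stops the tunnel traffic, and the fix belongs in the NAT exemption or the crypto ACL instead.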