VPN site to site UP but no traffic

Dear Support,

I have some issues with my VPN site to site. The tunnel is up but there is no traffic. I receive this error message in the logs:

4 Jul 07 2015 23:30:23 106023 X.X.X.X Y.Y.Y.Y Deny protocol 0 src outside:X.X.X.X dst outside:Y.Y.Y.Y by access-group "outside_acl" [0x0, 0x0]

Please, your help is needed. Thanks in advance.

Dear Support,

I am waiting for your feedback.

togrul.azizli
Level 1

Hi,

Do you have NAT on your device? I mean, can the subnet that has to be in the VPN use your internet? The IP range that goes to the VPN tunnel, is this IP range NAT-ted also?

If you can share your configuration it will be helpful for me to understand the issue.

Hi togrul.azizli,

Thanks for your response.

Yes, I have dynamic and static NAT. The IP that goes to the VPN tunnel is NAT-ted also.

Below is the NAT config:

asa(config-network-object)# host 192.168.0.100
asa(config-network-object)# nat (inside,outside) static mach_Outside
access-list outside_acl permit ip any host 192.168.0.100
access-group outside_acl in interface outside

VPN config:

access-list outside_1_cryptomap extended permit ip object mach_Outside object mach_mach
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 pre-shared-key *********
crypto ipsec transform-set ASA2transform esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set transform-set ASA2transform
nat (inside,outside) source static mach_Outside mach_Outside destination static mach_mach mach_mach

What is the IP range that you want to VPN?


Hi togrul.azizli,

It is only one public IP (/32); the object network is mach_Outside, which is NAT-ted to the private IP 192.168.0.100.

I mean, you want to create a site-to-site VPN between two sites, so you have to select a subnet which is going to use the VPN, and the same on the other site, like this. Example: the 192.168.0.0/24 subnet will use the VPN on one site, 192.168.1.0/24 on the other site. Do you have a subnet like this, or do you use only the 192.168.0.100 IP address for the L2L VPN?

And can you edit

access-list outside_acl permit ip any host 192.168.0.100

to

access-list outside_acl permit ip any any

see what happens and let me know.

Hi togrul.azizli,

I have replaced the ACL with:

access-list outside_acl permit ip any any

Now, I have no error message in the logs.

I have created the VPN site to site:

For example: my subnetwork is 192.168.0.0/24, NAT-ted with public IP X.X.X.X, to the peer side 192.168.1.0/24.

So, it is the public IP X.X.X.X that goes over the VPN tunnel.

Is it possible to communicate a public IP over a VPN tunnel from the ASA?

So, how VPN works:

You create the VPN tunnel on public addresses (your ASA and the remote ASA) and you create an access list which determines the interesting traffic for the VPN; in other words, you determine which traffic will be sent over the VPN tunnel. Example: your inside subnet is 192.168.0.0/24 and you want to create a VPN tunnel between your inside subnet and the inside subnet of the remote ASA (192.168.1.0/24), so you create the access list "permit ip 192.168.0.0 to 192.168.1.0/24" (I didn't write it technically right).

Then you wrote dynamic NAT, and any packet whose source IP is going outside is translated via NAT to your public IP, but we have to separate the packets for the VPN so that they are not NAT-ted. Then you write the NAT exemption "nat (inside,outside) source static mach_Outside mach_Outside destination static mach_mach mach_mach" (from your config), which means: if the packet's source IP is from 192.168.0.0/24 and the destination IP is from 192.168.1.0/24, then do not NAT this packet, but NAT the other packets going outside.

So, at the end, you use the VPN and the Internet simultaneously.

In your case you wrote the ACL "access-list outside_acl permit ip any host 192.168.0.100",

and I think you also have to add your public IP address to that ACL. So that's why when you wrote "permit any any" it worked out.

Finally, can you add your public IP to that ACL and let me know what happens.

access-list outside_acl permit ip any host 192.168.0.100

access-list outside_acl permit ip any host "your public ip"
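To make the NAT-exemption and interesting-traffic logic above concrete, here is a small simulation written for this thread (not a poster's config and not ASA code). It uses the example subnets from the reply, a placeholder public address in place of object mach_Outside, and models the ASA's order of operations: manual NAT first, then dynamic NAT, then the crypto ACL match on the post-NAT source.

```python
import ipaddress

# Constructed example, not the poster's config: the thread's sample subnets with a
# placeholder public address (RFC 5737 range) standing in for object mach_Outside.
INSIDE = ipaddress.ip_network("192.168.0.0/24")      # local LAN
PEER = ipaddress.ip_network("192.168.1.0/24")        # remote ASA's LAN
PUBLIC_IP = ipaddress.ip_address("203.0.113.10")     # placeholder for the real public IP


def nat_exempt(src, dst):
    """Manual (twice) NAT identity rule, i.e.
    'nat (inside,outside) source static INSIDE INSIDE destination static PEER PEER'."""
    return src in INSIDE and dst in PEER


def translate(src, dst, exemption=True):
    """Return the source address the ASA puts on the packet after NAT.
    Manual NAT (section 1) is evaluated before object/dynamic NAT (section 2),
    so the identity rule wins for VPN-bound traffic when it is present."""
    if exemption and nat_exempt(src, dst):
        return src                      # identity NAT: address unchanged
    if src in INSIDE:
        return PUBLIC_IP                # dynamic NAT/PAT for ordinary Internet traffic
    return src


def interesting(post_nat_src, dst):
    """Crypto map ACL 'permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0'.
    The ASA matches the crypto ACL after NAT, so the post-NAT source is what counts."""
    return post_nat_src in INSIDE and dst in PEER


def forward(src, dst, exemption=True):
    """Simulate one outbound packet: returns (post-NAT source, 'vpn' or 'internet')."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    post = translate(s, d, exemption)
    return str(post), "vpn" if interesting(post, d) else "internet"


if __name__ == "__main__":
    # VPN-bound packet with the exemption in place: untranslated and encrypted.
    print(forward("192.168.0.100", "192.168.1.50"))           # ('192.168.0.100', 'vpn')
    # Ordinary Internet packet: PAT to the public IP, sent in the clear.
    print(forward("192.168.0.100", "198.51.100.7"))           # ('203.0.113.10', 'internet')
    # Same VPN-bound packet without the exemption: PAT'd, so it no longer matches
    # the crypto ACL and takes the Internet path instead of the tunnel.
    print(forward("192.168.0.100", "192.168.1.50", exemption=False))  # ('203.0.113.10', 'internet')
```

The third case is the one the reply warns about: once the packet is translated to the public address, the crypto ACL written for the private subnets no longer matches it.
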

Hi togrul.azizli,

I have modified the ACL:

access-list outside_acl permit ip any host 192.168.0.100

access-list outside_acl permit ip any host "your public ip"

but I received many logs like the ones below:

Deny udp src outside:75.154.164.197/23676 dst inside:192.168.0.134/51406 by access-group "outside_acl" [0x0, 0x0]

Deny tcp src outside:86.220.209.8/53128 dst inside:192.168.0.50/60286 by access-group "outside_acl" [0x0, 0x0]
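A small parser for the ASA 106023 deny lines quoted in this thread, added here as an example and not part of any poster's reply. It pulls out the protocol, interfaces, addresses, ports and the ACL that denied the packet, and counts denies per ACL and destination host so the address the ACL still lacks a permit for stands out. The sample lines are the three quoted above (X.X.X.X / Y.Y.Y.Y are the original poster's placeholders).

```python
import re
from collections import Counter

# Pattern for the body of ASA syslog 106023 (access-group deny) as it appears in the thread:
# Deny <proto> src <if>:<addr>[/<port>] dst <if>:<addr>[/<port>] by access-group "<acl>" [...]
DENY_RE = re.compile(
    r'Deny (?P<proto>\S+(?: \d+)?) src (?P<src_if>[^:\s]+):(?P<src>[^/\s]+)(?:/(?P<sport>\d+))?'
    r' dst (?P<dst_if>[^:\s]+):(?P<dst>[^/\s]+)(?:/(?P<dport>\d+))?'
    r' by access-group "(?P<acl>[^"]+)"'
)


def parse_deny(line):
    """Return the fields of one 106023 line as a dict, or None if it is not a deny line."""
    m = DENY_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    # Traffic entering and leaving on the same interface (outside -> outside) is worth
    # noticing when the deny involves VPN peers or NAT-translated addresses.
    fields["same_interface"] = fields["src_if"] == fields["dst_if"]
    return fields


def denies_by_rule_target(lines):
    """Count denies per (acl, destination interface, destination host)."""
    counts = Counter()
    for line in lines:
        f = parse_deny(line)
        if f:
            counts[(f["acl"], f["dst_if"], f["dst"])] += 1
    return counts


# The three deny lines quoted in this thread (constructed sample input for the parser).
SAMPLE_LOGS = [
    'Deny protocol 0 src outside:X.X.X.X dst outside:Y.Y.Y.Y by access-group "outside_acl" [0x0, 0x0]',
    'Deny udp src outside:75.154.164.197/23676 dst inside:192.168.0.134/51406 by access-group "outside_acl" [0x0, 0x0]',
    'Deny tcp src outside:86.220.209.8/53128 dst inside:192.168.0.50/60286 by access-group "outside_acl" [0x0, 0x0]',
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(parse_deny(line))
    print(denies_by_rule_target(SAMPLE_LOGS))
```
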

In your inside network there are different IP addresses in use, not only 192.168.0.100, but in the access list you permitted only the 192.168.0.100 IP address. You can edit it to 192.168.0.100 255.255.255.0.

Like, instead of

access-list outside_acl permit ip any host 192.168.0.100

put

access-list outside_acl permit ip any 192.168.0.0 255.255.255.0

Let me know what happens.
