Allow VPN traffic through firewall ASA 5505

Lebon Mudumba
Level 1

Hello community.

I am new to using Cisco ASA. I am managing a platform that established traffic with 2 different mobile operators. All was working well, then after several power cuts the VPN can't be initiated; however, I am able to ping the mobile operators' routes but not the end device which hosts the services that we are using.

I please ask for help.

Stay blessed
Lebon

6 Replies

Still no solution, Sir.
I am sorry.
Would you please check out this result of UDP?
SacodeFw# packet-tracer input inside udp 192.168.179.51 500 10.226.22.160 500

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.226.22.160 255.255.255.255 outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 192.168.179.0 255.255.255.0 outside host 10.226.22.160
NAT exempt
translate_hits = 63, untranslate_hits = 0
Additional Information:

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp interface ssh 192.168.179.51 ssh netmask 255.255.255.255
match tcp inside host 192.168.179.51 eq 22 outside any
static translation to 41.79.225.174/22
translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (41.79.225.174 [Interface PAT])
translate_hits = 1207, untranslate_hits = 3924
Additional Information:

Phase: 8
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

The second is the route result:
SacodeFw# packet-tracer input inside udp 192.168.179.51 500 41.79.47.28 500

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 41.79.47.28 255.255.255.255 outside

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp interface ssh 192.168.179.51 ssh netmask 255.255.255.255
match tcp inside host 192.168.179.51 eq 22 outside any
static translation to 41.79.225.174/22
translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (41.79.225.174 [Interface PAT])
translate_hits = 1771, untranslate_hits = 6785
Additional Information:
Dynamic translate 192.168.179.51/500 to 41.79.225.174/335 using netmask 255.255.255.255

Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 21727, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
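
The two packet-tracer runs above can each be reduced to a one-line verdict. The Python below is an added example, not part of this thread: it pulls every "Phase:" block and the final "Action"/"Drop-reason" out of a pasted trace, so the phase that denies the packet (here Phase 9, VPN/encrypt) is surfaced directly. The embedded trace is a constructed, abridged copy of the first run; the function and variable names are mine.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: abridged copy of the first packet-tracer run in the thread
# (inside 192.168.179.51 -> 10.226.22.160, udp/500), keeping only two phases.
SAMPLE_TRACE = """\
SacodeFw# packet-tracer input inside udp 192.168.179.51 500 10.226.22.160 500

Phase: 3
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# One Phase block: number, type, optional subtype and ALLOW/DROP result.
# Only spaces/tabs are allowed within a line so an empty "Subtype:" cannot swallow "Result:".
PHASE_RE = re.compile(
    r"^Phase:[ \t]*(?P<num>\d+)[ \t]*\n"
    r"Type:[ \t]*(?P<type>\S+)[ \t]*\n"
    r"Subtype:[ \t]*(?P<subtype>\S*)[ \t]*\n"
    r"Result:[ \t]*(?P<result>\S+)",
    re.M,
)

def parse_phases(trace: str) -> List[Dict[str, str]]:
    """Return one dict per Phase block, in the order the ASA printed them."""
    return [m.groupdict() for m in PHASE_RE.finditer(trace)]

def verdict(trace: str) -> Dict[str, Optional[str]]:
    """Final action, the first phase that dropped the packet, and the drop reason."""
    action = re.search(r"^Action:[ \t]*(\S+)", trace, re.M)
    reason = re.search(r"^Drop-reason:[ \t]*(.+?)[ \t]*$", trace, re.M)
    dropped = next((p for p in parse_phases(trace) if p["result"] == "DROP"), None)
    phase = None
    if dropped:
        phase = dropped["type"] + ("/" + dropped["subtype"] if dropped["subtype"] else "")
    return {"action": action.group(1) if action else None,
            "drop_phase": phase, "drop_reason": reason.group(1) if reason else None}

if __name__ == "__main__":
    print(verdict(SAMPLE_TRACE))
```

Pasting the second run (to 41.79.47.28) into `verdict` gives action `allow` with no dropping phase, which is the contrast the two traces are meant to show.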

You've not answered the last question from your original post, and you provided the output from packet-tracer, not a packet capture:

"Do you have a device in front of your ASA with an ACL that could be blocking communication (UDP/500)?"
"Can take a packet capture on the ASA to/from the IP addresses of the VPN peers and upload the pcap file?"

Do you mind directing me on how to take a packet capture and generate a pcap file?
I am accessing the firewall remotely.
Thanks for your help, sir.

access-list CAP_ACL extended permit ip host <your ip> host <peer1>
access-list CAP_ACL extended permit ip host <peer1> host <your ip>
access-list CAP_ACL extended permit ip host <your ip> host <peer2>
access-list CAP_ACL extended permit ip host <peer2> host <your ip>

capture CAP1 interface OUTSIDE access-list CAP_ACL
Generate some traffic from a laptop inside the network to attempt to establish the VPN tunnel to the peers. Also run a ping from the ASA to the peer's public IP address. Then after a while run the following command.

show capture CAP1

and upload the output.

Once you've finished with the packet capture, stop the packet capture using "no capture CAP1"