Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

9072
Views
0
Helpful
24
Replies
Highlighted
Yudong Wu
Yudong Wu Rising star
Rising star
‎05-13-2011 11:46 AM
‎05-13-2011 11:46 AM

Re: IPSEC VPN Setup on ASA 5510

please run the capture on Inside interface first to confirm that the packet is received when you ping from a internal host to client.

0 Helpful
Reply
klombard
klombard Beginner
Beginner
‎05-13-2011 11:51 AM
‎05-13-2011 11:51 AM

Re: IPSEC VPN Setup on ASA 5510

ASAVPN# packet input outside tcp 192.168.49.29 http 192.168.56.10 http detaile$

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   192.168.56.10   255.255.255.255 Outside

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xab7b0000, priority=111, domain=permit, deny=true

        hits=1, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:

input-interface: Outside

input-status: up

input-line-status: up

output-interface: Outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

------------
ASAVPN# packet input inside tcp 192.168.56.10 http 192.168.49.29 http detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.48.0    255.255.252.0   Inside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab7f6650, priority=111, domain=permit, deny=true
        hits=9, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
------------------------------
ASAVPN# packet input inside tcp 192.168.49.29 http 192.168.56.10 http detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.56.10   255.255.255.255 Outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface Inside
access-list Inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object udp
protocol-object tcp
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xac019928, priority=12, domain=permit, deny=false
        hits=3, user_data=0xa89f6e40, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab7f8420, priority=0, domain=permit-ip-option, deny=true
        hits=191, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
  match ip Inside 192.168.48.0 255.255.252.0 Outside 192.168.56.0 255.255.255.0
    NAT exempt
    translate_hits = 4, untranslate_hits = 29
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xabfaa238, priority=6, domain=nat-exempt, deny=false
        hits=3, user_data=0xabd9c480, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=192.168.48.0, mask=255.255.252.0, port=0
        dst ip=192.168.56.0, mask=255.255.255.0, port=0, dscp=0x0
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside) 0 0.0.0.0 0.0.0.0
nat-control
  match ip Inside any Outside any
    no translation group, implicit deny
    policy_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xac01aba8, priority=0, domain=nat, deny=false
        hits=3, user_data=0xac01aae8, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (Inside) 0 0.0.0.0 0.0.0.0
nat-control
  match ip Inside any Outside any
    no translation group, implicit deny
    policy_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xabd9bb98, priority=0, domain=host, deny=false
        hits=137, user_data=0xac01aae8, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xac00e338, priority=70, domain=encrypt, deny=false
        hits=2, user_data=0x2f37c, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=192.168.56.10, mask=255.255.255.255, port=0, dscp=0x0
Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xabf0ba20, priority=69, domain=ipsec-tunnel-flow, deny=false
        hits=2, user_data=0x31afc, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.56.10, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xab7b1dd0, priority=0, domain=permit-ip-option, deny=true
        hits=449, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 577, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow
---------------
ASAVPN# packet input outside tcp 192.168.49.29 http 192.168.56.10 http detaile$
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.56.0    255.255.255.0   Outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab7b0000, priority=111, domain=permit, deny=true
        hits=2, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

0 Helpful
Reply
klombard
klombard Beginner
Beginner
‎05-13-2011 11:53 AM
‎05-13-2011 11:53 AM

Re: IPSEC VPN Setup on ASA 5510

Not sure how to do the capture, but when I do a ping from internal to the client, the client receives encrypted packets.

0 Helpful
Reply
Yudong Wu
Yudong Wu Rising star
Rising star
‎05-13-2011 11:57 AM
‎05-13-2011 11:57 AM

Re: IPSEC VPN Setup on ASA 5510

Please use

packet input inside tcp 192.168.49.29 http 192.168.56.10 http detaile

We are troubleshoot the direction from internal host to vpn client.

accesss-list cap permit ip host 192.168.56.0 255.255.255.0

accesss-list cap permit ip 192.168.56.0 255.255.255.0 host

capture in access-list cap interface Inside

Then issue the ping from internal host to vpn client.

show capture in    << < will list the packet captured.

0 Helpful
Reply
klombard
klombard Beginner
Beginner
‎05-13-2011 12:14 PM
‎05-13-2011 12:14 PM

Re: IPSEC VPN Setup on ASA 5510

0 packet captured

0 packet shown

0 Helpful
Reply
klombard
klombard Beginner
Beginner
‎05-13-2011 12:17 PM
‎05-13-2011 12:17 PM

Re: IPSEC VPN Setup on ASA 5510

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xac00ec78, priority=12, domain=capture, deny=false

        hits=4099, user_data=0xabf59c30, cs_id=0x0, l3_type=0x0

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xab7f5c10, priority=1, domain=permit, deny=false

        hits=42154, user_data=0x0, cs_id=0x0, l3_type=0x8

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 3

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 4

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   192.168.56.10   255.255.255.255 Outside

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xab7f8420, priority=0, domain=permit-ip-option, deny=true

        hits=332, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xabfaa3a8, priority=12, domain=capture, deny=false

        hits=1, user_data=0xabf59c30, cs_id=0xab7b4ed8, reverse, flags=0x0, protocol=0

        src ip=192.168.49.29, mask=255.255.255.255, port=0

        dst ip=192.168.56.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 7

Type: NAT-EXEMPT

Subtype:

Result: ALLOW

Config:

nat-control

  match ip Inside 192.168.48.0 255.255.240.0 Outside 192.168.56.0 255.255.255.0

    NAT exempt

    translate_hits = 2, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xabdab5a8, priority=6, domain=nat-exempt, deny=false

        hits=1, user_data=0xac019ab8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip=192.168.48.0, mask=255.255.240.0, port=0

        dst ip=192.168.56.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 8

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (Inside) 0 0.0.0.0 0.0.0.0

nat-control

  match ip Inside any Outside any

    no translation group, implicit deny

    policy_hits = 2

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xac01aba8, priority=0, domain=nat, deny=false

        hits=8, user_data=0xac01aae8, cs_id=0x0, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (Inside) 0 0.0.0.0 0.0.0.0

nat-control

  match ip Inside any Outside any

    no translation group, implicit deny

    policy_hits = 2

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xabd9bb98, priority=0, domain=host, deny=false

        hits=277, user_data=0xac01aae8, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0xabfa9e58, priority=70, domain=encrypt, deny=false

        hits=1, user_data=0x32634, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=192.168.56.10, mask=255.255.255.255, port=0, dscp=0x0

Phase: 11

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0xabfa9940, priority=69, domain=ipsec-tunnel-flow, deny=false

        hits=1, user_data=0x34354, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=192.168.56.10, mask=255.255.255.255, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 12

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0xab7b1dd0, priority=0, domain=permit-ip-option, deny=true

        hits=534, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 13

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

out id=0xac0197f8, priority=12, domain=capture, deny=false

        hits=0, user_data=0xabf59c30, cs_id=0xab7b4ed8, reverse, flags=0x0, protocol=0

        src ip=192.168.56.0, mask=255.255.255.0, port=0

        dst ip=192.168.49.29, mask=255.255.255.255, port=0, dscp=0x0

Phase: 14

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 800, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_tcp_normalizer

snp_fp_translate

snp_fp_adjacency

snp_fp_encrypt

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_ipsec_tunnel_flow

snp_fp_translate

snp_fp_tcp_normalizer

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Result:

input-interface: Inside

input-status: up

input-line-status: up

output-interface: Outside

output-status: up

output-line-status: up

Action: allow

0 Helpful
Reply
klombard
klombard Beginner
Beginner
‎05-13-2011 12:19 PM
‎05-13-2011 12:19 PM

Re: IPSEC VPN Setup on ASA 5510

1 packet captured

   1: 11:12:44.525455 192.168.49.29.80 > 192.168.56.10.80: S 1864813813:1864813813(0) win 8192

1 packet shown

Captured packet showed up after I ran the packet trace.

0 Helpful
Reply
Yudong Wu
Yudong Wu Rising star
Rising star
‎05-13-2011 12:24 PM
‎05-13-2011 12:24 PM

Re: IPSEC VPN Setup on ASA 5510

Ok, so the problem is that the packet did not reach ASA inside interface when internal host sent the traffic to vpn client.

You need check your internal network hop by hop to see why the packet is not forwarded to ASA.

0 Helpful
Reply
klombard
klombard Beginner
Beginner
‎05-13-2011 12:49 PM
‎05-13-2011 12:49 PM

Re: IPSEC VPN Setup on ASA 5510

Ok,

I added a route on another router and now I can ping between the vpn client and the internal network - but nothing else.   Can't view intranet, browse file shares, etc.

0 Helpful
Reply
Yudong Wu
Yudong Wu Rising star
Rising star
‎05-13-2011 02:50 PM
‎05-13-2011 02:50 PM

Re: IPSEC VPN Setup on ASA 5510

Ok. at lease we made some progress.

If the server is pingable, vpn client does have the ip connectivity. You might need to check if DNS works o not.

From your configuration, you configured "default-group-policy ourpolicy" but I did not see any group-policy in the configuration with "ourpolicy".

After vpn client is UP, you can try if you can reach the internal server via DNS name.

0 Helpful
Reply
Latest Contents
#CiscoChat Live: Consumer Perspectives on Data Privacy
Created by Kelli Glass on 12-10-2019 11:00 AM
0
0
0
0
Join us live on Thursday, December 12 at 10:00 am PT (and on demand after) for an in-depth look at the latest Cisco Cybersecurity report. The Cisco 2019 Consumer Privacy Survey shows consumers placing a greater premium on data privacy, providing comp... view more
#CiscoChat Live: Consumer Perspectives on Data Privacy
Created by Kelli Glass on 12-10-2019 10:55 AM
0
0
0
0
Join us live on Thursday, December 12 at 10:00 am PT (and on demand after) for an in-depth look at the latest Cisco Cybersecurity report. The Cisco 2019 Consumer Privacy Survey shows consumers placing a greater premium on data privacy, providing comp... view more
How to find/get the registration key from FTD
Created by Eahwar34 on 12-06-2019 03:14 AM
0
0
0
0
We are in need of finding registration key used for our FTD , unfortunately we have forget the key and also it is encrypted . How to find the key from FTD ?
ISE My Devices & Sponsor Portal as a User Change Password Po...
Created by Jason Kunst on 12-05-2019 10:24 AM
0
0
0
0
This is to address those customers coming to ISE from ACS or new to ISE that need a password change portal (UCP) What are the licensing requirements for this solution? My Devices - For using the password change with My Devices you need plus licenses as ... view more
WHITEPAPER - Firepower Threat Defense Cloud Management with ...
Created by Marvin Rhoads on 11-29-2019 07:57 PM
0
10
0
10
  Overview   In this paper we will document the configuration and operation of an integrated solution that includes identity management, firewall, cloud-based management, and cloud-based logging. We will use the following Cisco products: Fu... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad
FusionCharts will render here