Rising star

Re: IPSEC VPN Setup on ASA 5510

Please run the capture on the Inside interface first to confirm that the packet is received when you ping from an internal host to the client.

Beginner

Re: IPSEC VPN Setup on ASA 5510

ASAVPN# packet input outside tcp 192.168.49.29 http 192.168.56.10 http detaile$
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.56.10   255.255.255.255 Outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab7b0000, priority=111, domain=permit, deny=true
        hits=1, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

------------
ASAVPN# packet input inside tcp 192.168.56.10 http 192.168.49.29 http detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.48.0    255.255.252.0   Inside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab7f6650, priority=111, domain=permit, deny=true
        hits=9, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
------------------------------
ASAVPN# packet input inside tcp 192.168.49.29 http 192.168.56.10 http detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.56.10   255.255.255.255 Outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface Inside
access-list Inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object udp
protocol-object tcp
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xac019928, priority=12, domain=permit, deny=false
        hits=3, user_data=0xa89f6e40, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab7f8420, priority=0, domain=permit-ip-option, deny=true
        hits=191, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
  match ip Inside 192.168.48.0 255.255.252.0 Outside 192.168.56.0 255.255.255.0
    NAT exempt
    translate_hits = 4, untranslate_hits = 29
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xabfaa238, priority=6, domain=nat-exempt, deny=false
        hits=3, user_data=0xabd9c480, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=192.168.48.0, mask=255.255.252.0, port=0
        dst ip=192.168.56.0, mask=255.255.255.0, port=0, dscp=0x0
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside) 0 0.0.0.0 0.0.0.0
nat-control
  match ip Inside any Outside any
    no translation group, implicit deny
    policy_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xac01aba8, priority=0, domain=nat, deny=false
        hits=3, user_data=0xac01aae8, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (Inside) 0 0.0.0.0 0.0.0.0
nat-control
  match ip Inside any Outside any
    no translation group, implicit deny
    policy_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xabd9bb98, priority=0, domain=host, deny=false
        hits=137, user_data=0xac01aae8, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xac00e338, priority=70, domain=encrypt, deny=false
        hits=2, user_data=0x2f37c, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=192.168.56.10, mask=255.255.255.255, port=0, dscp=0x0
Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xabf0ba20, priority=69, domain=ipsec-tunnel-flow, deny=false
        hits=2, user_data=0x31afc, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.56.10, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xab7b1dd0, priority=0, domain=permit-ip-option, deny=true
        hits=449, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 577, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow
---------------
ASAVPN# packet input outside tcp 192.168.49.29 http 192.168.56.10 http detaile$
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.56.0    255.255.255.0   Outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab7b0000, priority=111, domain=permit, deny=true
        hits=2, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

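Reading four traces by eye is error-prone; the following added Python helper (not from the thread or from Cisco) parses the packet-tracer layout shown above and reports the verdict, the input/output interfaces, and the first phase whose Result is DROP together with the Drop-reason. The embedded transcript is a constructed, abridged sample in the same format.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample (not from the thread): an abridged transcript in the
# same layout as the packet-tracer output posted above.
SAMPLE_DROP = """\
ASAVPN# packet-tracer input outside tcp 192.168.49.29 http 192.168.56.10 http
Phase: 1
Type: FLOW-LOOKUP
Result: ALLOW
Phase: 2
Type: ROUTE-LOOKUP
Result: ALLOW
Additional Information:
in   192.168.56.10   255.255.255.255 Outside
Phase: 3
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Result:
input-interface: Outside
output-interface: Outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

class Verdict(NamedTuple):
    action: str                 # final "Action:" line: allow / drop
    in_iface: Optional[str]     # input-interface
    out_iface: Optional[str]    # output-interface chosen by the route lookup
    drop_phase: Optional[str]   # "<n> <Type>" of the first phase with Result: DROP
    drop_reason: Optional[str]  # "Drop-reason:" line, if any

def _field(text: str, name: str) -> Optional[str]:
    # First "name: value" line; blank values (the trailing "Result:") do not match.
    m = re.search(rf"^{name}:[ \t]*(\S.*)$", text, re.M)
    return m.group(1).strip() if m else None

def parse_trace(text: str) -> Verdict:
    """Summarise one packet-tracer transcript: verdict, interfaces, denying phase."""
    # re.split with a capture group yields [header, num, body, num, body, ...]
    parts = re.split(r"^Phase:\s*(\d+)\s*$", text, flags=re.M)
    drop_phase = None
    for num, body in zip(parts[1::2], parts[2::2]):
        if _field(body, "Result") == "DROP":
            drop_phase = f"{num} {_field(body, 'Type')}"
            break
    return Verdict(_field(text, "Action") or "unknown",
                   _field(text, "input-interface"), _field(text, "output-interface"),
                   drop_phase, _field(text, "Drop-reason"))
```

Paste each trace from the thread into `parse_trace` to see at a glance which ones are dropped by the implicit deny in phase 3 and which one is allowed and encrypted toward the Outside interface.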
Beginner

Re: IPSEC VPN Setup on ASA 5510

Not sure how to do the capture, but when I do a ping from internal to the client, the client receives encrypted packets.

Rising star

Re: IPSEC VPN Setup on ASA 5510

Please use

packet input inside tcp 192.168.49.29 http 192.168.56.10 http detaile

We are troubleshooting the direction from the internal host to the vpn client.

access-list cap permit ip host 192.168.56.0 255.255.255.0

access-list cap permit ip 192.168.56.0 255.255.255.0 host

capture in access-list cap interface Inside

Then issue the ping from the internal host to the vpn client.

show capture in    <<< will list the packets captured.

Beginner

Re: IPSEC VPN Setup on ASA 5510

0 packet captured

0 packet shown

Beginner

Re: IPSEC VPN Setup on ASA 5510

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xac00ec78, priority=12, domain=capture, deny=false
        hits=4099, user_data=0xabf59c30, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab7f5c10, priority=1, domain=permit, deny=false
        hits=42154, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.56.10   255.255.255.255 Outside
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab7f8420, priority=0, domain=permit-ip-option, deny=true
        hits=332, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xabfaa3a8, priority=12, domain=capture, deny=false
        hits=1, user_data=0xabf59c30, cs_id=0xab7b4ed8, reverse, flags=0x0, protocol=0
        src ip=192.168.49.29, mask=255.255.255.255, port=0
        dst ip=192.168.56.0, mask=255.255.255.0, port=0, dscp=0x0
Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
  match ip Inside 192.168.48.0 255.255.240.0 Outside 192.168.56.0 255.255.255.0
    NAT exempt
    translate_hits = 2, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xabdab5a8, priority=6, domain=nat-exempt, deny=false
        hits=1, user_data=0xac019ab8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=192.168.48.0, mask=255.255.240.0, port=0
        dst ip=192.168.56.0, mask=255.255.255.0, port=0, dscp=0x0
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside) 0 0.0.0.0 0.0.0.0
nat-control
  match ip Inside any Outside any
    no translation group, implicit deny
    policy_hits = 2
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xac01aba8, priority=0, domain=nat, deny=false
        hits=8, user_data=0xac01aae8, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (Inside) 0 0.0.0.0 0.0.0.0
nat-control
  match ip Inside any Outside any
    no translation group, implicit deny
    policy_hits = 2
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xabd9bb98, priority=0, domain=host, deny=false
        hits=277, user_data=0xac01aae8, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xabfa9e58, priority=70, domain=encrypt, deny=false
        hits=1, user_data=0x32634, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=192.168.56.10, mask=255.255.255.255, port=0, dscp=0x0
Phase: 11
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xabfa9940, priority=69, domain=ipsec-tunnel-flow, deny=false
        hits=1, user_data=0x34354, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.56.10, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xab7b1dd0, priority=0, domain=permit-ip-option, deny=true
        hits=534, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 13
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xac0197f8, priority=12, domain=capture, deny=false
        hits=0, user_data=0xabf59c30, cs_id=0xab7b4ed8, reverse, flags=0x0, protocol=0
        src ip=192.168.56.0, mask=255.255.255.0, port=0
        dst ip=192.168.49.29, mask=255.255.255.255, port=0, dscp=0x0
Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 800, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow

Beginner

Re: IPSEC VPN Setup on ASA 5510

1 packet captured

   1: 11:12:44.525455 192.168.49.29.80 > 192.168.56.10.80: S 1864813813:1864813813(0) win 8192

1 packet shown

Captured packet showed up after I ran the packet trace.

Rising star

Re: IPSEC VPN Setup on ASA 5510

Ok, so the problem is that the packet did not reach the ASA inside interface when the internal host sent the traffic to the vpn client.

You need to check your internal network hop by hop to see why the packet is not forwarded to the ASA.

Beginner

Re: IPSEC VPN Setup on ASA 5510

Ok,

I added a route on another router and now I can ping between the vpn client and the internal network, but nothing else. Can't view the intranet, browse file shares, etc.

Rising star

Re: IPSEC VPN Setup on ASA 5510

Ok, at least we made some progress.

If the server is pingable, the vpn client does have IP connectivity. You might need to check whether DNS works or not.

From your configuration, you configured "default-group-policy ourpolicy" but I did not see any group-policy named "ourpolicy" in the configuration.

After the vpn client is up, you can try whether you can reach the internal server via its DNS name.