Unable to Ping Hosts Through IPSec Tunnel

cfinotti22
Level 1

I have a home lab setup with a PIX 515 running 8.03 code. I have made several changes over the past week, and now when I terminate a VPN connection to the outside interface I am unable to hit any internal resources. My VPN connection is coming from 10.22.254.0/24 trying to hit internal nodes at 10.22.1.0/24; see below. When I terminate a VPN connection against the inside interface it works, so I take it I'm dealing with a NAT issue? I don't have a clue why Phase 9 is failing :-\ Any help would be great!

-------

access-list nonat extended permit ip 10.22.254.0 255.255.255.0 10.22.1.0 255.255.255.0

nat (inside) 0 access-list nonat

-------

global (outside) 1 interface

-------

access-list split extended permit ip 10.22.1.0 255.255.255.0 10.22.254.0 255.255.255.0

-------

packet-tracer input inside tcp 10.22.1.15 1025 10.22.254.15 3389 detailed

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x2bb3450, priority=0, domain=permit-ip-option, deny=true
        hits=17005, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x304ae48, priority=12, domain=ipsec-tunnel-flow, deny=true
        hits=17005, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat (inside) 0 access-list nonat
nat-control
  match ip inside 10.22.1.0 255.255.255.0 outside 10.22.254.0 255.255.255.0
    NAT exempt
    translate_hits = 6, untranslate_hits = 5
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x2be2a00, priority=6, domain=nat-exempt, deny=false
        hits=5, user_data=0x2be2960, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=10.22.1.0, mask=255.255.255.0, port=0
        dst ip=10.22.254.0, mask=255.255.255.0, port=0

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,DMZ) 10.22.1.0 10.22.1.0 netmask 255.255.255.0
nat-control
  match ip inside 10.22.1.0 255.255.255.0 DMZ any
    static translation to 10.22.1.0
    translate_hits = 10, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x2d52800, priority=5, domain=host, deny=false
        hits=21654, user_data=0x2d51dc8, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.22.1.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
  match ip inside any outside any
    dynamic translation to pool 1 (192.168.20.20 [Interface PAT])
    translate_hits = 2909, untranslate_hits = 9
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x2d4a7d0, priority=1, domain=nat, deny=false
        hits=16973, user_data=0x2d4a730, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x3328000, priority=70, domain=encrypt, deny=false
        hits=0, user_data=0x1efa0cc, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.22.1.0, mask=255.255.255.0, port=0
        dst ip=10.0.0.0, mask=255.0.0.0, port=0

Phase: 9
Type: ACCESS-LIST
Subtype: ipsec-user
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x3329a48, priority=69, domain=ipsec-user, deny=true
        hits=37, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.0.0.0, mask=255.0.0.0, port=0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
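What a reader needs from the trace above is that NAT exemption matched the flow (phase 5, NAT-EXEMPT allowed with use_real_addr) and that the drop came from a deny rule in the ipsec-user domain (phase 9), which is where the ASA applies vpn-filter ACLs. As an added example, not part of the original post and not a Cisco tool, the following Python parses packet-tracer output into phases and reports the first phase that dropped. The sample text is a subset of the trace in the post, constructed for the example; the function names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: phases 5 and 9 and the final Result block of the trace quoted in the post.
SAMPLE_TRACE = """\
Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat (inside) 0 access-list nonat
  match ip inside 10.22.1.0 255.255.255.0 outside 10.22.254.0 255.255.255.0
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x2be2a00, priority=6, domain=nat-exempt, deny=false
        src ip=10.22.1.0, mask=255.255.255.0, port=0

Phase: 9
Type: ACCESS-LIST
Subtype: ipsec-user
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x3329a48, priority=69, domain=ipsec-user, deny=true
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.0.0.0, mask=255.0.0.0, port=0

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)   # lines between Config: and Additional Information:
    rule: Dict[str, str] = field(default_factory=dict) # fields of the "Forward Flow ... yields rule" block

def parse_rule_line(line: str) -> Dict[str, str]:
    """Turn one 'key=value, key=value, flag' rule line into a dict. 'src'/'dst' lines get a
    prefix so their ip/mask/port keys do not collide; a leading in/out is the rule direction."""
    line, out = line.strip(), {}
    m = re.match(r"(src|dst)\s+(.*)", line)
    if m:
        prefix, line = m.group(1) + "_", m.group(2)
    else:
        prefix = ""
        m = re.match(r"(in|out)\s+(.*)", line)
        if m:
            out["direction"], line = m.group(1), m.group(2)
    for token in filter(None, (t.strip() for t in line.split(","))):
        k, _, v = token.partition("=")
        out[prefix + k.strip()] = v.strip() if v else "true"  # bare tokens such as 'reverse' are flags
    return out

def parse_packet_tracer(text: str) -> Tuple[List[Phase], Dict[str, str]]:
    """Split packet-tracer output into Phase objects plus the final 'Result:' key/value block."""
    phases: List[Phase] = []
    final: Dict[str, str] = {}
    cur, section = None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = re.match(r"Phase:\s*(\d+)", line)
        if m:
            cur, section = Phase(int(m.group(1))), None
            phases.append(cur)
        elif line == "Result:":          # the closing block; phase results carry a value
            cur, section = None, "final"
        elif section == "final":
            if ":" in line:
                k, v = line.split(":", 1)
                final[k.strip()] = v.strip()
        elif cur is None or not line.strip():
            continue
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            k, v = line.split(":", 1)
            setattr(cur, k.lower(), v.strip())
        elif line in ("Config:", "Additional Information:"):
            section = line
        elif line.startswith("Forward Flow based lookup yields rule:"):
            section = "rule"
        elif section == "Config:":
            cur.config.append(line)
        elif section == "rule":
            cur.rule.update(parse_rule_line(line))
    return phases, final

def summarize(text: str) -> Dict[str, object]:
    """Headline facts: did NAT exemption match, and which phase/domain/reason produced a drop."""
    phases, final = parse_packet_tracer(text)
    drop = next((p for p in phases if p.result.upper() == "DROP"), None)
    return {
        "action": final.get("Action"),
        "drop_phase": drop.number if drop else None,
        "drop_domain": drop.rule.get("domain") if drop else None,
        "drop_reason": final.get("Drop-reason"),
        "nat_exempt_ok": any(p.type == "NAT-EXEMPT" and p.result == "ALLOW" for p in phases),
    }
```

Run summarize() over a full trace and the drop phase, its domain and the drop reason come out as one record; for the trace in the post that is phase 9, domain ipsec-user, acl-drop, with NAT exemption already satisfied, which is why the later replies move from NAT to the VPN ACL side.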

Accepted Solution

No, the nonat ACL only requires defining traffic from the internal network to the VPN pool. You should remove the other entries.

Remove:

access-list nonat line 8 extended permit ip 10.22.254.0 255.255.255.0 object-group DM_INLINE_NETWORK_18
access-list nonat line 8 extended permit ip 10.22.254.0 255.255.255.0 10.22.1.0 255.255.255.0

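To make the accepted answer's point checkable, here is an added Python example (not from the thread and not from Cisco) that parses nonat ACEs and classifies them for a nat (inside) 0 exemption: the ACL source is compared with the real inside address of the flow, so an entry whose source is the VPN pool describes no inside-originated traffic and is reported for removal. A second function emulates the forward NAT-exempt match that the packet-tracer performed in phase 5. The sample ACL is constructed from the entries quoted in the thread; the object-group members are not on the page, so that side stays unresolved, and audit_nonat and flow_is_exempt are this example's own simplifications rather than ASA behaviour in full.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample based on the nonat entries quoted in the thread. The first entry is the
# inside-to-pool direction that the packet-tracer NAT-EXEMPT phase matched; the other two are
# the entries the accepted answer says to remove.
SAMPLE_NONAT = [
    "access-list nonat extended permit ip 10.22.1.0 255.255.255.0 10.22.254.0 255.255.255.0",
    "access-list nonat extended permit ip 10.22.254.0 255.255.255.0 10.22.1.0 255.255.255.0",
    "access-list nonat extended permit ip 10.22.254.0 255.255.255.0 object-group DM_INLINE_NETWORK_18",
]

Net = Optional[ipaddress.IPv4Network]

def _endpoint(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Parse one ACE endpoint at tokens[i]: 'any', 'host A', 'A MASK', or 'object-group NAME'
    (returned as None because the group members are not available in this example)."""
    t = tokens[i]
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    if t == "object-group":
        return None, i + 2
    return ipaddress.IPv4Network(f"{t}/{tokens[i + 1]}", strict=False), i + 2

def parse_nonat_ace(line: str) -> Optional[Tuple[Net, Net]]:
    """Return (src, dst) for a 'permit ip' ACE; None for lines this toy parser does not model."""
    tokens = line.split()
    if "permit" not in tokens:
        return None
    i = tokens.index("permit")
    if tokens[i + 1] != "ip":
        return None  # nat 0 exemption matches on addresses only; protocol/port ACEs are out of scope
    src, i = _endpoint(tokens, i + 2)
    dst, _ = _endpoint(tokens, i)
    return src, dst

def audit_nonat(acl_lines: List[str], inside_net: str, vpn_pool: str) -> dict:
    """Classify each ACE for 'nat (inside) 0 access-list nonat'.

    Only inside -> pool is needed. An ACE whose source is the pool itself cannot match an
    inside-originated flow and is reported for removal, as the accepted answer recommends."""
    inside, pool = ipaddress.IPv4Network(inside_net), ipaddress.IPv4Network(vpn_pool)
    report = {"keep": [], "remove": [], "unresolved": [], "exempts_vpn_flow": False}
    for line in acl_lines:
        parsed = parse_nonat_ace(line)
        if parsed is None:
            report["unresolved"].append(line)
            continue
        src, dst = parsed
        if src is not None and src.overlaps(pool):
            report["remove"].append(line)
        elif src is None or dst is None:
            report["unresolved"].append(line)
        elif inside.subnet_of(src) and pool.subnet_of(dst):
            report["keep"].append(line)
            report["exempts_vpn_flow"] = True
        else:
            report["keep"].append(line)  # an exemption for some other peer; not this pool's concern
    return report

def flow_is_exempt(acl_lines: List[str], src_ip: str, dst_ip: str) -> bool:
    """Emulate the forward NAT-EXEMPT match for an inside-originated flow (real addresses)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        parsed = parse_nonat_ace(line)
        if parsed and parsed[0] is not None and parsed[1] is not None:
            if s in parsed[0] and d in parsed[1]:
                return True
    return False

if __name__ == "__main__":
    report = audit_nonat(SAMPLE_NONAT, "10.22.1.0/24", "10.22.254.0/24")
    for line in report["remove"]:
        print("remove:", line)
    print("inside->pool exempt:", flow_is_exempt(SAMPLE_NONAT, "10.22.1.15", "10.22.254.15"))
```

Note that for the flow traced in the post (10.22.1.15 to 10.22.254.15) the exemption already matches, which agrees with the ALLOW in phase 5; the cleanup the accepted answer asks for removes the superfluous pool-sourced entries rather than adding a missing one.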

29 Replies

rahgovin
Level 4

Could you check up with your vpn filter for the tunnel? It must be within your group-policy with the command vpn-filter value. If it is present, remove the same with the command vpn-filter none.

For more info on vpn-filter:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

I did not configure a VPN filter for this Group Policy, see below.

group-policy vpnclient internal
group-policy vpnclient attributes
dns-server value 4.2.2.2
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split

I am receiving the following error when I ping into the tunnel; is this not a NAT issue?
3  Jul 27 2010    05:36:54    106014    Deny inbound icmp src outside:10.22.254.51 dst inside:10.22.1.15 (type 8, code 0)

It's very strange... If I do a continuous ping to the IP, it will eventually start responding after 10 minutes or so?

------------
c:\>ping 10.22.1.15 /t

Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 10.22.1.15: bytes=32 time=25ms TTL=127
Reply from 10.22.1.15: bytes=32 time=26ms TTL=127
Reply from 10.22.1.15: bytes=32 time=26ms TTL=127
Reply from 10.22.1.15: bytes=32 time=25ms TTL=127
Reply from 10.22.1.15: bytes=32 time=25ms TTL=127
Reply from 10.22.1.15: bytes=32 time=61ms TTL=127
Reply from 10.22.1.15: bytes=32 time=52ms TTL=127
Reply from 10.22.1.15: bytes=32 time=98ms TTL=127

------------
Deny when telnetting to a port:

c:\>telnet 10.22.1.15 3389
Connecting To 10.22.1.15...

------------

2 Jul 27 2010 05:59:15    106001    10.22.254.51    3083    10.22.1.15    3389    Inbound TCP connection denied from 10.22.254.51/3083 to 10.22.1.15/3389 flags SYN  on interface outside

------------
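The two syslog messages quoted above (106014 for ICMP, 106001 for TCP) carry the fields a defender needs to correlate denies with the tunnel: a source in the VPN pool, a destination on the inside network, and a deny on the outside interface. As an added example, not part of this reply, the following Python parses both message formats and aggregates denies per source, destination and port, flagging the pool-to-inside ones. The sample lines are constructed copies in the ASDM log-viewer layout shown in the thread, and the function names are the example's own.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample in the ASDM log-viewer layout quoted in the thread (severity, date, time,
# message id, then the message text). Two ASA message formats are handled:
#   106001  Inbound TCP connection denied from SRC/SPORT to DST/DPORT flags FLAGS on interface IF
#   106014  Deny inbound icmp src IF:SRC dst IF:DST (type T, code C)
SAMPLE_LOG = """\
3  Jul 27 2010    05:36:54    106014    Deny inbound icmp src outside:10.22.254.51 dst inside:10.22.1.15 (type 8, code 0)
2  Jul 27 2010    05:59:15    106001    10.22.254.51    3083    10.22.1.15    3389    Inbound TCP connection denied from 10.22.254.51/3083 to 10.22.1.15/3389 flags SYN  on interface outside
2  Jul 27 2010    12:13:52    106001    10.22.254.51    2936    10.22.1.15    3389    Inbound TCP connection denied from 10.22.254.51/2936 to 10.22.1.15/3389 flags SYN  on interface outside
"""

RE_106001 = re.compile(
    r"Inbound TCP connection denied from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>.+?)\s+on interface (?P<iface>[\w-]+)"
)
RE_106014 = re.compile(
    r"Deny inbound icmp src (?P<src_if>[\w-]+):(?P<src>[\d.]+) dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\)"
)

def parse_deny_line(line: str) -> Optional[Dict[str, object]]:
    """Extract the addressing fields from one 106001 or 106014 line; None for other lines."""
    m = RE_106001.search(line)
    if m:
        return {"msg_id": "106001", "proto": "tcp", "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]), "flags": m["flags"].strip(),
                "iface": m["iface"]}
    m = RE_106014.search(line)
    if m:
        return {"msg_id": "106014", "proto": "icmp", "src": m["src"], "src_if": m["src_if"],
                "dst": m["dst"], "dst_if": m["dst_if"], "icmp_type": int(m["type"]),
                "icmp_code": int(m["code"])}
    return None

def summarize_denies(log_text: str, vpn_pool: str, inside_net: str) -> List[Dict[str, object]]:
    """Aggregate denies per (src, dst, proto, dport) and flag those from the VPN pool to inside.

    Denies with that shape on the outside interface are the symptom in the thread: the packets
    arrived, but were evaluated as plain inbound traffic rather than permitted VPN traffic."""
    pool, inside = ipaddress.IPv4Network(vpn_pool), ipaddress.IPv4Network(inside_net)
    counts: Dict[tuple, int] = {}
    for line in log_text.splitlines():
        ev = parse_deny_line(line)
        if ev is None:
            continue
        key = (ev["src"], ev["dst"], ev["proto"], ev.get("dport"))
        counts[key] = counts.get(key, 0) + 1
    rows = []
    order = lambda kv: (kv[0][0], kv[0][1], kv[0][2], kv[0][3] or 0)  # dport is None for ICMP
    for (src, dst, proto, dport), n in sorted(counts.items(), key=order):
        rows.append({"src": src, "dst": dst, "proto": proto, "dport": dport, "count": n,
                     "vpn_to_inside": ipaddress.ip_address(src) in pool
                     and ipaddress.ip_address(dst) in inside})
    return rows
```

The aggregated rows give one line per client-to-host pair instead of one per SYN, which is the shape to keep when watching whether a change (vpn-filter, sysopt, nat-control) actually stops the denies.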

Can you attach your entire config if it's not a problem? You can mask the public IPs.

Thanks for the quick responses!!

Sorry it took so long; I had to scrub the config and make a few changes.

Can you post the "show run all group-policy" output?

Can you run the following command and post the output:

show run all | grep sysopt

Thanks.

Nothing displays.

# show run all | grep sysopt
#

The complete config is listed above.

Try configuring ICMP inspection...

policy-map global_policy
class inspection_default
  inspect icmp

It is not an inspection rule.  I can't hit any resources on the inside once I terminate my IPSec connection.

c:\>telnet 10.22.1.15 3389
Connecting To 10.22.1.15...

2    Jul 27 2010    12:13:52    106001    10.22.254.51    2936    10.22.1.15    3389    Inbound TCP connection denied from 10.22.254.51/2936 to 10.22.1.15/3389 flags SYN  on interface outside

I added your policy commands and they did not fix the issue.

It looks like at phase 9 your traffic is blocked by an ACL.  Your VPN traffic should not be subjected to ACLs.  This command may help you here:

sysopt connection permit-vpn

Here's more on the command:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1412217

Good luck.

I enabled the command and I'm still being denied.

#sh run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt connection permit-vpn
no sysopt connection reclassify-vpn

Can you disable nat-control?

#no nat-control

Same issue.
