Access from local PIX ip to hosts on VPN site

Mikael Sveden
Level 1

I have a site-to-site VPN connection between an ASA 5510 and a PIX 515 which is working fine. There is no problem for hosts on either side of the tunnel to access across. However, the local IP (192.168.20.1) on the client interface of my PIX is not allowed to access hosts on the other side of the tunnel.

packet-tracer input client tcp 192.168.20.1 12345 192.168.13.13 80 detailed

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x3ec5bc8, priority=500, domain=permit, deny=true
        hits=8, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.20.1, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

There must be some setting that I have missed. Any other IP on 192.168.20.0 doesn't get the same error with packet-tracer. Can someone please help me?

interface Ethernet0
 nameif outside
 security-level 0
 ip address dhcp setroute
interface Ethernet1
 nameif client
 security-level 90
 ip address 192.168.20.1 255.255.255.0
interface Ethernet1.21
 vlan 21
 nameif server
 security-level 100
 ip address 192.168.21.1 255.255.255.0

object-group network DM_INLINE_NETWORK_1
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.13.0 255.255.255.0

access-list 100 extended permit ip client 255.255.255.0 object-group DM_INLINE_NETWORK_1

global (outside) 1 interface
nat (client) 0 access-list 100
nat (client) 1 0.0.0.0 0.0.0.0
nat (server) 0 access-list 100
nat (server) 1 0.0.0.0 0.0.0.0
static (server,client) server server netmask 255.255.255.0
static (client,server) client client netmask 255.255.255.0

access-group client_access_in in interface client
route outside 0.0.0.0 0.0.0.0 95.129.13.1 1

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set sveden-aes256 esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map myvpnmap 10 match address 100
crypto map myvpnmap 10 set pfs group5
crypto map myvpnmap 10 set peer 12.218.14.129
crypto map myvpnmap 10 set transform-set sveden-aes256
crypto map myvpnmap 10 set security-association lifetime seconds 28800
crypto map myvpnmap 10 set security-association lifetime kilobytes 4608000
crypto map myvpnmap 10 set reverse-route
crypto map myvpnmap interface outside

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 2
tunnel-group 12.218.14.129 type ipsec-l2l
tunnel-group 12.218.14.129 general-attributes
tunnel-group 12.218.14.129 ipsec-attributes
 pre-shared-key *

Regards Mikael

1 Accepted Solution


Jouni Forss
VIP Alumni

Hi,

Are you planning on connecting to this firewall with the IP address 192.168.20.1 for management purposes, or why would the interface IP address need to be able to generate connections to the L2L VPN connection?

By default the "packet-tracer" will fail if you use a firewall interface IP address as a source address for the command. So this result is always the same. (Though I haven't tried packet-tracer with the below mentioned command enabled.)

If you want to access the interface IP 192.168.20.1 through the L2L VPN from the other side, then you will have to configure:

management-access client

Here is more information about the above command:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/m.html#wp2027985

- Jouni

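As an added illustration of the accepted answer (not configuration from Mikael's post or text from Jouni's reply), the fragment below shows the management-access command together with the SNMP settings that the stated use case, an SNMP manager on the remote site, would need on a PIX/ASA 7.x/8.x. It assumes the remote manager is 192.168.13.13, which already falls inside DM_INLINE_NETWORK_1 and is therefore matched by the crypto ACL; the community string placeholder and the choice of SNMPv2c are assumptions as well.

```cisco
! Added example, not the poster's running config.
! Makes the "client" interface address (192.168.20.1) reachable through the
! L2L tunnel. Only one interface can be named here, so management traffic
! from the remote site must target this address, not the outside or server IP.
management-access client

! Assumption: the SNMP manager on the remote site is 192.168.13.13, which is
! already covered by access-list 100 / DM_INLINE_NETWORK_1 and so travels
! encrypted. Naming the manager explicitly restricts to-the-box SNMP to that
! host; "client" is the interface whose address the manager polls.
snmp-server community <community-string>
snmp-server host client 192.168.13.13 poll community <community-string> version 2c

! Verification: packet-tracer sourced from the interface IP is reported as
! dropped regardless (see the answer above), so poll from 192.168.13.13 and
! check the counters instead:
! show snmp-server statistics
! show crypto ipsec sa peer 12.218.14.129
```

Keep the community string out of the shared VPN ACLs and the ASDM-generated object groups; it is only needed on the two SNMP lines, and the crypto ACL already decides which remote hosts can reach 192.168.20.1 at all.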

2 Replies

Thank you! I told you that there was some setting.

The main reason is that I have SNMP server running on remote site.

Regards Mikael