11-09-2022 11:20 AM
I was tasked with the setup of a site-to-site VPN on a 5512 ASA. I have my local network x.x.x.0/24 with static NAT to x.x.x.0/24 out to a remote network group including two /24 networks and a host.
The tunnel is configured as bi-directional with the protected networks being the NAT x.x.x.0/24(local) and the Remote Net Group.
Packet-tracer shows an acl DROP as a result of a "configured rule." See below.
Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fffa06ae7c0, priority=70, domain=encrypt, deny=false
hits=3, user_data=0x0, cs_id=0x7fffa0b435a0, reverse, flags=0x0, protocol=0
src ip/id=10.191.18.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=199.79.127.3, mask=255.255.255.255, port=0, tag=0 dscp=0x0
input_ifc=any, output_ifc=outside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
<--- More --->
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
My research tells me that this is a result of the implicit deny rule. I created an Out to In acl permitting ip from the Remote Network to the NAT but the result of the packet trace was the same.
I then created another Out to In acl permitting ip from the Remote Network to the "Real" local network with still the same result.
Can anyone help me out with this? I have exactly no experience with this Cisco appliance and although I have built many VPN's on the Cisco Firepower using FMC successfully, this one has me stumped.
11-09-2022 11:27 AM
@jreynolds4 by default the ASA will permit VPN traffic, assuming the command "sysopt connection permit-vpn" is configured (it's hidden in the running-configuration if in a default state), this command overrides interface ACLs, so if configured, explictly permitting traffic over the VPN would not be necessary.
Can you provide the full output of packet-tracer and the VPN/NAT configuration.
11-09-2022 11:43 AM
Thank you so much, Rob. Please see the attachment for full packet trace.
Could the sysopt command have any negative affect on the other VPN's on the ASA or the DMZ running?
I have been using ASDM to config. My CLI knowledge is not what it should be. Can you share the command to show VPN/NAT config? show ipsec sa crytomap ? Maybe?
11-09-2022 11:52 AM
@jreynolds4 is the crypto ACL that defines the interesting traffic to encrypt configured to use the NAT range rather than the original source? Is that mirrored on the remote peer?
Run "show crypto ipsec sa" and provide the output.
Run "show run crypto" and "show nat detail" and "show run access-list" < just provide the ACL related to the VPN.
The sysopt command just ignores the interface ACLs for encrypted (VPN) traffic, so unlikely to have an impact on DMZ traffic. If you disable that command, then it would impact all your VPNs.
11-09-2022 12:09 PM
11-09-2022 11:55 AM
MultiCare_WHH_Local172.27.0.0 = 172.27.0.0/16
MultiCareWHHnat = 10.191.18.0/24
MultiCare_Rad_Local192.168.196.0 = 192.168.196.0/24
MultiCareRadNAT = 10.191.19.0/24
30 (inside) to (outside) source static MultiCare_WHH_Local172.27.0.0 MultiCareWHHnat destination static MultiCare_Remote_Network_Group MultiCare_Remote_Network_Group no-proxy-arp
translate_hits = 2639, untranslate_hits = 2640
31 (Imaging-Network) to (outside) source static MultiCare_Rad_Local192.168.196.0 MultiCareRadNAT destination static MultiCare_Remote_Network_Group MultiCare_Remote_Network_Group no-proxy-arp
translate_hits = 13, untranslate_hits = 14
11-09-2022 12:05 PM
show run access-list EXTENDED are disabled. I was trying everything
access-list outside_cryptomap_18 extended permit ip object-group MultiCareNATgroup object-group MultiCare_Remote_Network_Group
access-list MCout_in1 extended permit ip object MultiCare199.79.114.0_24 object MultiCare_WHH_Local172.27.0.0 inactive
access-list MCout_in1 extended permit ip object MultiCare199.79.114.0_24 object MultiCareWHHnat inactive
access-list MCout_in1 extended permit ip object MultiCare199.79.116.0_24 object MultiCare_WHH_Local172.27.0.0 inactive
access-list MCout_in1 extended permit ip object MultiCare199.79.116.0_24 object MultiCareWHHnat inactive
access-list MCout_in1 extended permit ip object MultiCare199.79.127.3_32 object MultiCare_WHH_Local172.27.0.0 inactive
access-list MCout_in1 extended permit ip object MultiCare199.79.127.3_32 object MultiCareWHHnat inactive
access-list MCout_in1 extended permit ip object MultiCare199.79.114.0_24 object MultiCare_Rad_Local192.168.196.0 inactive
access-list MCout_in1 extended permit ip object MultiCare199.79.114.0_24 object MultiCareRadNAT inactive
access-list MCout_in1 extended permit ip object MultiCare199.79.116.0_24 object MultiCare_Rad_Local192.168.196.0 inactive
access-list MCout_in1 extended permit ip object MultiCare199.79.116.0_24 object MultiCareRadNAT inactive
access-list MCout_in1 extended permit ip object MultiCare199.79.127.3_32 object MultiCare_Rad_Local192.168.196.0 inactive
access-list MCout_in1 extended permit ip object MultiCare199.79.127.3_32 object MultiCareRadNAT inactive
More output to come
11-09-2022 12:23 PM
@jreynolds4 I assume you've run packet-tracer a couple of times? You need to run it twice, the first time will establish the tunnel (the output would be a drop) and the second should work (assuming no issues).
Provide the output of "show crypto ipsec sa" relating to this VPN peer.
Can you provide the output of "show run object" and "show run object-group" < just provide the objects related to MultiCareNATgroup, object-group MultiCare_Remote_Network_Group and MultiCareWHHnat.
11-09-2022 12:44 PM
ran the packet-tracer several times with the same result
DS9# show crypto ipsec sa peer 199.79.112.4
There are no ipsec sas for peer 199.79.112.4
This is not true.
show run object
object network MultiCare199.79.114.0_24
subnet 199.79.114.0 255.255.255.0
description MultiCare Remote Object One
object network MultiCare199.79.116.0_24
subnet 199.79.116.0 255.255.255.0
description MultiCare Remote Object Two
object network MultiCare199.79.127.3_32
host 199.79.127.3
description MultiCare Remote Object Three
object network MultiCare_NAT_to_address
subnet 10.191.18.0 255.255.254.0
description WHH Primary Network NAT for MultiCare VPN
object network MultiCare_Rad_Local192.168.196.0
subnet 192.168.196.0 255.255.255.0
description Local Radiology Network for MultiCare Tunnel
object network MultiCare_WHH_Local172.27.0.0
subnet 172.27.0.0 255.255.0.0
description Local WHH Primary Network for MultiCare Tunnel
object network MultiCareRadNAT
subnet 10.191.19.0 255.255.255.0
object network MultiCareWHHnat
subnet 10.191.18.0 255.255.255.0
show run object-group
object-group network MultiCare_Local_Net_PreNAT
description 192.168.196.0 and 172.27.0.0 Networks for Site-to-Site VPN
network-object object MultiCare_Rad_Local192.168.196.0
network-object object MultiCare_WHH_Local172.27.0.0
object-group network MultiCare_Remote_Network_Group
description MultiCare remote networks MultiCare site-to-site
network-object object MultiCare199.79.114.0_24
network-object object MultiCare199.79.116.0_24
network-object object MultiCare199.79.127.3_32
object-group network MultiCareNATgroup
description rad 10.191.19.0 and whh 10.191.18.0 to make 10.191.18 mask 255.255.254.0
network-object object MultiCareRadNAT
network-object object MultiCareWHHnat
11-09-2022 01:20 PM
11-13-2022 10:53 AM
friend still this issue not solve ???
11-14-2022 07:47 AM
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide