Advice on overcoming implicit deny rule for vpn on Cisco 5512-x ASA

jreynolds4 · ‎11-09-2022

I was tasked with the setup of a site-to-site VPN on a 5512 ASA. I have my local network x.x.x.0/24 with static NAT to x.x.x.0/24 out to a remote network group including two /24 networks and a host.

The tunnel is configured as bi-directional with the protected networks being the NAT x.x.x.0/24(local) and the Remote Net Group.

Packet-tracer shows an acl DROP as a result of a "configured rule." See below.

Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fffa06ae7c0, priority=70, domain=encrypt, deny=false
hits=3, user_data=0x0, cs_id=0x7fffa0b435a0, reverse, flags=0x0, protocol=0
src ip/id=10.191.18.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=199.79.127.3, mask=255.255.255.255, port=0, tag=0 dscp=0x0
input_ifc=any, output_ifc=outside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
<--- More --->

output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

My research tells me that this is a result of the implicit deny rule. I created an Out to In acl permitting ip from the Remote Network to the NAT but the result of the packet trace was the same.

I then created another Out to In acl permitting ip from the Remote Network to the "Real" local network with still the same result.

Can anyone help me out with this? I have exactly no experience with this Cisco appliance and although I have built many VPN's on the Cisco Firepower using FMC successfully, this one has me stumped.

Rob Ingram · ‎11-09-2022

@jreynolds4 by default the ASA will permit VPN traffic, assuming the command "sysopt connection permit-vpn" is configured (it's hidden in the running-configuration if in a default state), this command overrides interface ACLs, so if configured, explictly permitting traffic over the VPN would not be necessary.

Can you provide the full output of packet-tracer and the VPN/NAT configuration.

jreynolds4 · ‎11-09-2022

Thank you so much, Rob. Please see the attachment for full packet trace.

Could the sysopt command have any negative affect on the other VPN's on the ASA or the DMZ running?

I have been using ASDM to config. My CLI knowledge is not what it should be. Can you share the command to show VPN/NAT config? show ipsec sa crytomap ? Maybe?

Rob Ingram · ‎11-09-2022

@jreynolds4 is the crypto ACL that defines the interesting traffic to encrypt configured to use the NAT range rather than the original source? Is that mirrored on the remote peer?

Run "show crypto ipsec sa" and provide the output.

Run "show run crypto" and "show nat detail" and "show run access-list" < just provide the ACL related to the VPN.

The sysopt command just ignores the interface ACLs for encrypted (VPN) traffic, so unlikely to have an impact on DMZ traffic. If you disable that command, then it would impact all your VPNs.

jreynolds4 · ‎11-09-2022

show nat detail

30 (inside) to (outside) source static MultiCare_WHH_Local172.27.0.0 MultiCareWHHnat destination static MultiCare_Remote_Network_Group MultiCare_Remote_Network_Group no-proxy-arp
translate_hits = 2639, untranslate_hits = 2640
Source - Origin: 172.27.0.0/16, Translated: 10.191.18.0/24
Destination - Origin: 199.79.114.0/24, 199.79.116.0/24, 199.79.127.3/32, Translated: 199.79.114.0/24, 199.79.116.0/24, 199.79.127.3/32
31 (Imaging-Network) to (outside) source static MultiCare_Rad_Local192.168.196.0 MultiCareRadNAT destination static MultiCare_Remote_Network_Group MultiCare_Remote_Network_Group no-proxy-arp
translate_hits = 13, untranslate_hits = 14
Source - Origin: 192.168.196.0/24, Translated: 10.191.19.0/24
Destination - Origin: 199.79.114.0/24, 199.79.116.0/24, 199.79.127.3/32, Translated: 199.79.114.0/24, 199.79.116.0/24, 199.79.127.3/32

jreynolds4 · ‎11-09-2022

MultiCare_WHH_Local172.27.0.0 = 172.27.0.0/16

MultiCareWHHnat = 10.191.18.0/24

MultiCare_Rad_Local192.168.196.0 = 192.168.196.0/24

MultiCareRadNAT = 10.191.19.0/24

30 (inside) to (outside) source static MultiCare_WHH_Local172.27.0.0 MultiCareWHHnat destination static MultiCare_Remote_Network_Group MultiCare_Remote_Network_Group no-proxy-arp
translate_hits = 2639, untranslate_hits = 2640
31 (Imaging-Network) to (outside) source static MultiCare_Rad_Local192.168.196.0 MultiCareRadNAT destination static MultiCare_Remote_Network_Group MultiCare_Remote_Network_Group no-proxy-arp
translate_hits = 13, untranslate_hits = 14

jreynolds4 · ‎11-09-2022

show run access-list EXTENDED are disabled. I was trying everything

access-list outside_cryptomap_18 extended permit ip object-group MultiCareNATgroup object-group MultiCare_Remote_Network_Group
access-list MCout_in1 extended permit ip object MultiCare199.79.114.0_24 object MultiCare_WHH_Local172.27.0.0 inactive
access-list MCout_in1 extended permit ip object MultiCare199.79.114.0_24 object MultiCareWHHnat inactive
access-list MCout_in1 extended permit ip object MultiCare199.79.116.0_24 object MultiCare_WHH_Local172.27.0.0 inactive
access-list MCout_in1 extended permit ip object MultiCare199.79.116.0_24 object MultiCareWHHnat inactive
access-list MCout_in1 extended permit ip object MultiCare199.79.127.3_32 object MultiCare_WHH_Local172.27.0.0 inactive
access-list MCout_in1 extended permit ip object MultiCare199.79.127.3_32 object MultiCareWHHnat inactive
access-list MCout_in1 extended permit ip object MultiCare199.79.114.0_24 object MultiCare_Rad_Local192.168.196.0 inactive
access-list MCout_in1 extended permit ip object MultiCare199.79.114.0_24 object MultiCareRadNAT inactive
access-list MCout_in1 extended permit ip object MultiCare199.79.116.0_24 object MultiCare_Rad_Local192.168.196.0 inactive
access-list MCout_in1 extended permit ip object MultiCare199.79.116.0_24 object MultiCareRadNAT inactive
access-list MCout_in1 extended permit ip object MultiCare199.79.127.3_32 object MultiCare_Rad_Local192.168.196.0 inactive
access-list MCout_in1 extended permit ip object MultiCare199.79.127.3_32 object MultiCareRadNAT inactive

More output to come

Rob Ingram · ‎11-09-2022

@jreynolds4 I assume you've run packet-tracer a couple of times? You need to run it twice, the first time will establish the tunnel (the output would be a drop) and the second should work (assuming no issues).

Provide the output of "show crypto ipsec sa" relating to this VPN peer.

Can you provide the output of "show run object" and "show run object-group" < just provide the objects related to MultiCareNATgroup, object-group MultiCare_Remote_Network_Group and MultiCareWHHnat.

jreynolds4 · ‎11-09-2022

ran the packet-tracer several times with the same result

DS9# show crypto ipsec sa peer 199.79.112.4

There are no ipsec sas for peer 199.79.112.4

This is not true.

show run object

object network MultiCare199.79.114.0_24
subnet 199.79.114.0 255.255.255.0
description MultiCare Remote Object One
object network MultiCare199.79.116.0_24
subnet 199.79.116.0 255.255.255.0
description MultiCare Remote Object Two
object network MultiCare199.79.127.3_32
host 199.79.127.3
description MultiCare Remote Object Three
object network MultiCare_NAT_to_address
subnet 10.191.18.0 255.255.254.0
description WHH Primary Network NAT for MultiCare VPN
object network MultiCare_Rad_Local192.168.196.0
subnet 192.168.196.0 255.255.255.0
description Local Radiology Network for MultiCare Tunnel
object network MultiCare_WHH_Local172.27.0.0
subnet 172.27.0.0 255.255.0.0
description Local WHH Primary Network for MultiCare Tunnel
object network MultiCareRadNAT
subnet 10.191.19.0 255.255.255.0
object network MultiCareWHHnat
subnet 10.191.18.0 255.255.255.0

show run object-group

object-group network MultiCare_Local_Net_PreNAT
description 192.168.196.0 and 172.27.0.0 Networks for Site-to-Site VPN
network-object object MultiCare_Rad_Local192.168.196.0
network-object object MultiCare_WHH_Local172.27.0.0
object-group network MultiCare_Remote_Network_Group
description MultiCare remote networks MultiCare site-to-site
network-object object MultiCare199.79.114.0_24
network-object object MultiCare199.79.116.0_24
network-object object MultiCare199.79.127.3_32
object-group network MultiCareNATgroup
description rad 10.191.19.0 and whh 10.191.18.0 to make 10.191.18 mask 255.255.254.0
network-object object MultiCareRadNAT
network-object object MultiCareWHHnat

jreynolds4 · ‎11-09-2022

I thank you so much, Rob, for taking the time to look this over. It seems odd to me that even though I can see the peer in the VPN config on the ASDM, it does not show when using CLI. I am wondering it I have messed with things soooo much via ASDM that I have "broken" something. This did happen to me when working on another tunnel via FMC. I am going to completely remove all things having to do with this tunnel, save to flash, and start anew.
I think the most important thing is that I now know from someone knowledgeable that indeed no ACL is necessary. I have to take off for the rest of the day. Thank you again for your willingness to share your knowledge. I will check back in on this later this evening.

MHM Cisco World · ‎11-13-2022

friend still this issue not solve ???

jreynolds4 · ‎11-14-2022

I am going to be re-building the tunnel later today. As a temp fix I stood up an alternative tunnel on my Cisco FTD. I will need to get the tunnel up on the ASA due to the fact that our highest speed ISP runs through it. Fingers crossed, it will be up and running on the ASA by tomorrow evening.