Allow VPN traffic through firewall ASA 5505

Lebon Mudumba
Level 1

Hello community.

I am new to using Cisco ASA. I am managing a platform that established traffic with 2 different mobile operators. All was working well; then, after several power cuts, the VPN can't be initiated. However, I am able to ping the mobile operators' routes but not the end device which hosts the services that we are using.

I please ask for help.

Stay blessed

 

Lebon

6 Replies

Still no solution, Sir.
I am sorry.
Would you please check out this result for UDP?
SacodeFw# packet-tracer input inside udp 192.168.179.51 500 10.226.22.160 500

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.226.22.160 255.255.255.255 outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 192.168.179.0 255.255.255.0 outside host 10.226.22.160
NAT exempt
translate_hits = 63, untranslate_hits = 0
Additional Information:

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp interface ssh 192.168.179.51 ssh netmask 255.255.255.255
match tcp inside host 192.168.179.51 eq 22 outside any
static translation to 41.79.225.174/22
translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (41.79.225.174 [Interface PAT])
translate_hits = 1207, untranslate_hits = 3924
Additional Information:

Phase: 8
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

The second is the route result:
SacodeFw# packet-tracer input inside udp 192.168.179.51 500 41.79.47.28 500

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 41.79.47.28 255.255.255.255 outside

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp interface ssh 192.168.179.51 ssh netmask 255.255.255.255
match tcp inside host 192.168.179.51 eq 22 outside any
static translation to 41.79.225.174/22
translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (41.79.225.174 [Interface PAT])
translate_hits = 1771, untranslate_hits = 6785
Additional Information:
Dynamic translate 192.168.179.51/500 to 41.79.225.174/335 using netmask 255.255.255.255

Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 21727, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
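An added example (not from this thread or from Cisco): a small Python parser for packet-tracer output like the two runs above. It pulls out each phase's Type/Subtype/Result plus the final Action and Drop-reason, so the phase that drops the flow (in the first run, Phase 9, VPN/encrypt, acl-drop) can be picked out of a long trace instead of read by eye. The sample trace is a constructed, abbreviated version of the first run.

```python
def parse_packet_tracer(text):
    """Return (phases, action, drop_reason) from ASA packet-tracer output; each phase is a dict."""
    phases, cur, action, reason = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):               # a new phase block starts
            cur = {"number": int(line.split(":", 1)[1]), "Type": "", "Subtype": "", "Result": ""}
            phases.append(cur)
            continue
        if line == "Result:":                       # the final summary block, not a phase
            cur = None
            continue
        key, sep, value = line.partition(":")
        if cur is None:                             # summary fields after the phases
            if key == "Action":
                action = value.strip()
            elif key == "Drop-reason":
                reason = value.strip()
        elif sep and key in ("Type", "Subtype", "Result"):
            cur[key] = value.strip()
    return phases, action, reason

def first_drop(text):
    """Return (phase number, type, subtype, reason) of the first DROP, or None if the flow was allowed."""
    phases, _action, reason = parse_packet_tracer(text)
    for p in phases:
        if p["Result"].upper() == "DROP":
            return (p["number"], p["Type"], p["Subtype"], reason)
    return None

# Constructed, abbreviated trace modelled on the first packet-tracer run in the thread.
SAMPLE_DROP = """\
Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 192.168.179.0 255.255.255.0 outside host 10.226.22.160

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

Paste a full `packet-tracer` run into `first_drop` to get the dropping phase and reason as a tuple; a trace that ends in `Action: allow` returns `None`.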

You've not answered the last question from your original post, and you provided the output from packet-tracer, not a packet capture:

 

"Do you have a device in front of your ASA with an ACL that could be blocking communication (UDP/500)?"

 

"Can you take a packet capture on the ASA to/from the IP addresses of the VPN peers and upload the pcap file?"

Would you mind directing me on how to take a packet capture and generate a pcap file?
I am accessing the firewall remotely.
Thanks for your help, sir.

access-list CAP_ACL extended permit ip host <your ip> host <peer1>
access-list CAP_ACL extended permit ip host <peer1> host <your ip>
access-list CAP_ACL extended permit ip host <your ip> host <peer2>
access-list CAP_ACL extended permit ip host <peer2> host <your ip>

capture CAP1 interface OUTSIDE access-list CAP_ACL

 

Generate some traffic from a laptop inside the network to attempt to establish the VPN tunnel to the peers. Also run a ping from the ASA to the peer's public IP address. Then after a while run the following command.

 

show capture CAP1 and upload the output

Once you've finished with the packet capture, stop the packet capture using "no capture CAP1"

 
