04-23-2012 12:43 PM
I've set up a site to site vpn on an ASA 5510 using ASDM (as I have many times before) and the tunnel appears to be up but I am not able to pass traffic. When I run the packet tracer from my inside network to the remote destination network, it shows that it is blocked by the implicit deny ip any any rule on my inside incoming access list.
I've never had this issue on a 5505 or 5510 before and I've tried everything I could possibly think of. Anyone out there have any ideas?
04-23-2012 09:48 PM
The config would help.
I'd expect a crypto map (which is applied to an interface) to match addresses (source-destination) as specified in an access-list.
04-24-2012 07:23 AM
Thanks, I'll grab the config and upload it as soon as I get back to my office!
04-25-2012 01:54 PM
Here's my config. I hope I got it cleaned of any potential dangers!
ASA Version 8.2(5)
!
hostname asa5510
domain-name ntfamily.com
names
name 10.11.100.0 Triggerfish description Triggerfish
name 192.168.200.254 Default-LAN-Gateway description Voice Gateway - PtP Router
name 192.168.202.0 ADA-Network description 909 Felix
name 192.168.204.0 Cameron-Network description 101 W 3rd Ave
name 192.168.203.0 Maryville-Network description 109 E Summit Drive
name 192.168.205.0 Colgan-Network description 3400 Frederick
name 192.168.206.0 FamilyPlanning-Network description 1332 N 36th St
name 192.168.200.253 Barracuda description Barracuda Filter
name 192.168.200.7 Exchange description Exchange Server
name 192.168.200.29 Video-1 description Video 1
name 192.168.201.250 Citrix-New description Citrix New
name 192.168.201.15 Security-Server description Security Server
name 192.168.203.29 Video-2 description Video 2
name XXX.XXX.XXX.131 WAN-131 description XXX.XXX.XXX.131
name XXX.XXX.XXX.132 WAN-132 description XXX.XXX.XXX.132
name XXX.XXX.XXX.133 WAN-133 description XXX.XXX.XXX.133
name XXX.XXX.XXX.134 WAN-134 description XXX.XXX.XXX.134
name XXX.XXX.XXX.135 WAN-135 description XXX.XXX.XXX.135
name XXX.XXX.XXX.136 WAN-136 description XXX.XXX.XXX.136
name XXX.XXX.XXX.137 WAN-137 description XXX.XXX.XXX.137
name XXX.XXX.XXX.138 WAN-138 description XXX.XXX.XXX.138
name XXX.XXX.XXX.139 WAN-139 description XXX.XXX.XXX.139
name XXX.XXX.XXX.140 WAN-140 description XXX.XXX.XXX.140
name XXX.XXX.XXX.141 WAN-141 description XXX.XXX.XXX.141
name XXX.XXX.XXX.142 WAN-142 description XXX.XXX.XXX.142
name 192.168.204.29 Video-3 description Video 3
name 172.18.5.64 NHS description NHS LAN
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address XXX.XXX.XXX.XXX 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.201.254 255.255.254.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name ntfamily.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Inside-Networks
description Networks behind the firewall
network-object 192.168.200.0 255.255.254.0
network-object ADA-Network 255.255.255.0
network-object Colgan-Network 255.255.255.0
network-object FamilyPlanning-Network 255.255.255.0
network-object NHS 255.255.255.240
object-group service terminal-services tcp
description Windows Terminal Services
port-object eq 3389
object-group service DM_INLINE_TCP_0 tcp
port-object eq www
port-object eq https
port-object eq citrix-ica
group-object terminal-services
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
access-list outside_access_in extended permit ip any host WAN-136
access-list outside_access_in extended permit ip any host WAN-135
access-list outside_access_in extended permit tcp any host WAN-133 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host WAN-132 object-group DM_INLINE_TCP_0
access-list outside_access_in extended permit tcp any host WAN-131 eq smtp
access-list outside_access_in extended permit icmp any interface outside
access-list outside_access_in extended permit ip any host WAN-134
access-list inside_nat0_outbound extended permit ip object-group Inside-Networks 192.168.208.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.208.0 255.255.255.0 object-group Inside-Networks
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.254.0 Maryville-Network 255.255.255.0
access-list inside_nat0_outbound extended permit ip Maryville-Network 255.255.255.0 192.168.200.0 255.255.254.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit icmp any any
access-list inside_nat0_outbound_3 extended permit ip 192.168.200.0 255.255.254.0 Maryville-Network 255.255.255.0
access-list inside_nat0_outbound_3 extended permit ip object-group Inside-Networks 192.168.208.0 255.255.255.0
access-list inside_nat0_outbound_3 extended permit ip 192.168.208.0 255.255.255.0 object-group Inside-Networks
access-list inside_nat0_outbound_3 extended permit ip Maryville-Network 255.255.255.0 192.168.200.0 255.255.254.0
access-list outside_access_out extended permit ip XXX.XXX.XXX.128 255.255.255.240 any
access-list FG-Users_splitTunnelAcl_1 standard permit NHS 255.255.255.240
access-list FG-Users_splitTunnelAcl_1 standard permit 192.168.200.0 255.255.254.0
access-list FG-Users_splitTunnelAcl_1 standard permit ADA-Network 255.255.255.0
access-list FG-Users_splitTunnelAcl_1 standard permit Maryville-Network 255.255.255.0
access-list FG-Users_splitTunnelAcl_1 standard permit Cameron-Network 255.255.255.0
access-list FG-Users_splitTunnelAcl_1 standard permit Colgan-Network 255.255.255.0
access-list FG-Users_splitTunnelAcl_1 standard permit FamilyPlanning-Network 255.255.255.0
access-list MaryvilleL2L standard permit Maryville-Network 255.255.255.0
access-list MaryvilleL2L standard permit 192.168.200.0 255.255.254.0
access-list outside_cryptomap extended permit ip 192.168.200.0 255.255.254.0 Maryville-Network 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool new-vpn 192.168.208.1-192.168.208.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-643.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound_3
nat (inside) 0 access-list inside_nat0_outbound outside
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) WAN-131 Barracuda netmask 255.255.255.255
static (inside,outside) WAN-132 Citrix-New netmask 255.255.255.255
static (inside,outside) WAN-133 Exchange netmask 255.255.255.255
static (inside,outside) WAN-135 Video-2 netmask 255.255.255.255
static (inside,outside) WAN-136 Video-3 netmask 255.255.255.255
static (inside,outside) WAN-134 Video-1 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.129 1
route inside Triggerfish 255.255.255.0 Default-LAN-Gateway 1
route inside NHS 255.255.255.240 Default-LAN-Gateway 1
route inside ADA-Network 255.255.255.0 Default-LAN-Gateway 1
route inside Colgan-Network 255.255.255.0 Default-LAN-Gateway 1
route inside FamilyPlanning-Network 255.255.255.0 Default-LAN-Gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http redirect inside 80
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer XXX.XXX.XXX.117
crypto map outside_map 1 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=asa5510
proxy-ldc-issuer
crl configure
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption des
hash md5
group 2
lifetime 28800
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 60
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcprelay timeout 60
!
phone-proxy asdm_phone_proxy
tftp-server address 192.168.201.11 interface inside
tftp-server address 192.168.201.10 interface inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server Default-LAN-Gateway source inside prefer
webvpn
svc image disk0:/anyconnect-wince-ARMv4I-2.5.3055-k9.pkg 1 regex "Windows CE"
svc image disk0:/anyconnect-linux-2.5.3055-k9.pkg 2 regex "Linux"
svc image disk0:/anyconnect-macosx-i386-2.5.3055-k9.pkg 3 regex "Intel Mac OS X"
svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 4 regex "Windows NT"
group-policy FG-Users internal
group-policy FG-Users attributes
dns-server value 192.168.200.1 192.168.200.2
vpn-simultaneous-logins 100
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol IPSec
password-storage enable
pfs disable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value FG-Users_splitTunnelAcl_1
default-domain value ntfamily.com
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-idle-timeout 30
vpn-filter value MaryvilleL2L
vpn-tunnel-protocol IPSec
vpn-simultaneous-logins 100
tunnel-group FG-Users type remote-access
tunnel-group FG-Users general-attributes
address-pool new-vpn
default-group-policy FG-Users
tunnel-group FG-Users ipsec-attributes
pre-shared-key *****
peer-id-validate nocheck
tunnel-group XXX.XXX.XXX.117 type ipsec-l2l
tunnel-group XXX.XXX.XXX.117 general-attributes
default-group-policy GroupPolicy1
tunnel-group XXX.XXX.XXX.117 ipsec-attributes
pre-shared-key *****
peer-id-validate nocheck
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ffceb52a2d0e934c992a16664f99cb87
: end
05-07-2012 08:55 AM
Can anyone out there help me with this? I'm still having the same issue.
05-07-2012 09:41 AM
Is the source that is being blocked included in either the "access-list inside_nat0_outbound_3" or "access-list inside_nat0_outbound" NAT exemption?
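The two replies in this thread point at three lists that all have to agree for a flow to cross a site-to-site tunnel on ASA 8.2: the inbound interface ACL, the nat 0 exemption ACL, and the ACL the crypto map matches on. The script below is an added example, not part of the original thread, that checks one source/destination pair against all three using the thread's own names and networks. It parses a constructed excerpt of the posted config (sub-command indentation is assumed, as "show running-config" prints it), implements first-match with implicit deny for ip ACEs only (ports and the object-group service lines are out of scope), and the two flows it traces are constructed: a host on the directly connected 192.168.200.0/23 and a host on ADA-Network, both headed for Maryville-Network.

```python
"""Check a flow against the ACLs that govern an ASA 8.2 site-to-site tunnel.

Added example: parses a constructed excerpt of the config posted above and
evaluates one source/destination pair against the inbound interface ACL,
the NAT-exemption (nat 0) ACL and the crypto map's match ACL.
"""
import ipaddress

# Constructed excerpt of the posted config; the leading space on sub-commands
# is assumed, as the ASA prints it in "show running-config".
CONFIG = """\
name 192.168.202.0 ADA-Network description 909 Felix
name 192.168.203.0 Maryville-Network description 109 E Summit Drive
name 172.18.5.64 NHS description NHS LAN
object-group network Inside-Networks
 description Networks behind the firewall
 network-object 192.168.200.0 255.255.254.0
 network-object ADA-Network 255.255.255.0
 network-object NHS 255.255.255.240
access-list inside_access_in extended permit ip any any
access-list inside_nat0_outbound_3 extended permit ip 192.168.200.0 255.255.254.0 Maryville-Network 255.255.255.0
access-list inside_nat0_outbound_3 extended permit ip object-group Inside-Networks 192.168.208.0 255.255.255.0
access-list inside_nat0_outbound_3 extended permit ip Maryville-Network 255.255.255.0 192.168.200.0 255.255.254.0
access-list outside_cryptomap extended permit ip 192.168.200.0 255.255.254.0 Maryville-Network 255.255.255.0
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _net(addr, mask, names):
    """Resolve a 'name' alias and build a network from dotted address + mask."""
    return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)


def _parse_ace(tok, names, groups):
    """access-list NAME extended ACTION PROTO SRC DST -> (action, proto, [src], [dst])."""
    action, proto, pos = tok[3], tok[4], 5

    def operand():
        nonlocal pos
        kind = tok[pos]
        if kind == "any":
            pos += 1
            return [ANY]
        if kind == "host":
            pos += 2
            return [_net(tok[pos - 1], "255.255.255.255", names)]
        if kind == "object-group":
            pos += 2
            return groups[tok[pos - 1]]
        pos += 2                                # plain "address mask" operand
        return [_net(tok[pos - 2], tok[pos - 1], names)]

    src = operand()
    dst = operand()
    return action, proto, src, dst


def parse(config):
    """Return {acl_name: [ace, ...]} from the name, object-group and access-list lines."""
    names, groups, acls, block = {}, {}, {}, None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if raw[0] == " ":                      # sub-command of the current block
            if tok[0] == "network-object" and block is not None:
                block.append(_net(tok[1], tok[2], names))
            continue
        block = None
        if tok[0] == "name":
            names[tok[2]] = tok[1]
        elif tok[:2] == ["object-group", "network"]:
            block = groups.setdefault(tok[2], [])
        elif tok[0] == "access-list" and tok[2] == "extended":
            acls.setdefault(tok[1], []).append(_parse_ace(tok, names, groups))
    return acls


def evaluate(acl, src_ip, dst_ip, proto="ip"):
    """ASA semantics: first matching ACE wins; no match is the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, ace_proto, srcs, dsts in acl:
        if ace_proto in ("ip", proto) and any(s in n for n in srcs) and any(d in n for n in dsts):
            return action == "permit"
    return False


def trace(config, src_ip, dst_ip):
    """Answer the three questions raised in the thread for one flow."""
    acls = parse(config)
    return {
        "inside_access_in": evaluate(acls["inside_access_in"], src_ip, dst_ip),
        "nat_exempt": evaluate(acls["inside_nat0_outbound_3"], src_ip, dst_ip),
        "crypto_match": evaluate(acls["outside_cryptomap"], src_ip, dst_ip),
    }


if __name__ == "__main__":
    # Constructed flows: a host on the connected /23 and a host on ADA-Network,
    # both talking to a host on Maryville-Network.
    for src in ("192.168.201.50", "192.168.202.50"):
        print(src, "-> 192.168.203.10", trace(CONFIG, src, "192.168.203.10"))
```

For the 192.168.201.x source all three checks pass; for the ADA-Network source the interface ACL permits the packet but neither the nat 0 list nor outside_cryptomap covers it, so on 8.2 the flow falls through to nat (inside) 1 and is PATed to the outside address rather than entering the tunnel. Running the same trace with the exact source and destination that packet-tracer reports is the quickest way to answer the question in the last reply.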