ASA return traffic not matching site to site cryptomap

George Mason
Level 1

Hi,

I have a site to site VPN configured between two ASA 5508X's. There is a network (subnet) on site A and three networks on site B. Phases 1 & 2 come up no problem and I can ping across the tunnel for 2 of the 3 networks.

With the third network, if I try to ping from site A to site B I can see packets being encrypted in that direction, but there is no return traffic. Running packet-tracer on site B indicates that the traffic is blocked by the implicit rule on the relevant interface of the ASA.

I have checked that the crypto ACLs match in both directions and that the inbound ACL on the site B network allows all traffic to site A. Not really sure where to go with this, so hoping for some help from the community.

Site A relevant sanitised config

object-group network SITE_A-LAN
 network-object 192.168.20.0 255.255.255.0

object network CUST-SERVER-NAT
 host 1.2.3.132

object-group network CUST-NETS
 network-object object CUST-SITE_B-LAN
 network-object object CUST-SITE_C-LAN
 network-object object CUST-SITE_C-DMZ
 network-object object CUST-SITE_B-DMZ
 network-object object CUST-SITE_B-DMZ2-NET

access-list CUST-SITE_B-CRYPTOMAP extended permit ip object-group SITE_A-LAN 192.168.30.0 255.255.255.0
access-list CUST-SITE_B-CRYPTOMAP extended permit ip object-group SITE_A-LAN object CUST-SITE_B-DMZ2-NET
access-list CUST-SITE_B-CRYPTOMAP extended permit ip object-group SITE_A-LAN object CUST-SITE_B-DMZ

nat (CUST,OUTSIDE) source static SITE_A-LAN SITE_A-LAN destination static CUST-NETS CUST-NETS no-proxy-arp description NAT EXEMPT CUST SITE A TO CUST LANS
nat (CUST,OUTSIDE) source static CUST-SERVER CUST-SERVER-NAT
!
nat (CUST,OUTSIDE) after-auto source dynamic SITE_A-LAN interface description PAT TRAFFIC FROM CUST NET -> OUTSIDE

Site B relevant sanitised config

object network SITE_B-DMZ2
 subnet 192.168.31.0 255.255.255.0

object network SITE_B-DMZ
 subnet 192.168.35.0 255.255.255.0

object network SITE_A-LAN
 subnet 192.168.20.0 255.255.255.0

object-group network TUNNELLED-NETWORKS
 network-object object SITE_A-LAN2
 network-object object SITE_C-LAN
 network-object object SITE_D-LAN
 network-object object SITE_C-DMZ
 network-object object SITE_A-LAN1

access-list SITE_A-CRYPTOMAP extended permit ip object SITE_B-LAN object SITE_A-LAN
access-list SITE_A-CRYPTOMAP extended permit ip object SITE_B-DMZ object SITE_A-LAN
access-list SITE_A-CRYPTOMAP extended permit ip object SITE_B-DMZ2 object SITE_A-LAN

access-list DMZ2-IN remark TRAFFIC ARRIVING AT DMZ2 INTERFACE
access-list DMZ2-IN extended permit icmp 192.168.31.0 255.255.255.0 any
access-list DMZ2-IN extended permit ip 192.168.31.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list DMZ2-IN extended deny ip any object-group RFC1918-NETS
access-list DMZ2-IN extended permit ip 192.168.31.0 255.255.255.0 any

nat (DMZ2,OUTSIDE) source static SITE_B-DMZ2 SITE_B-DMZ2 destination static TUNNELLED-NETWORKS TUNNELLED-NETWORKS

I can see from debugging site B that there are no packets encrypted in the direction site B -> site A:

SITE_B-ASA# sh crypto ipsec sa peer 1.2.3.220
peer address: 1.2.3.220
    Crypto map tag: OUTSIDE-MAP, seq num: 20, local addr: 1.2.3.130

      access-list SITE_A-CRYPTOMAP extended permit ip 192.168.31.0 255.255.255.0 192.168.20.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.31.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
      current_peer: 1.2.3.220


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 25, #pkts decrypt: 25, #pkts verify: 25
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

Packet tracer at site B says that the return traffic seems to fail to pass the interface ACL:

SITE_B-ASA# packet-tracer input DMZ2 icmp 192.168.31.10 0 0 192.168.20.11

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (DMZ2,OUTSIDE) source static DMZ2-LAN DMZ2-LAN destination static TUNNELLED-NETWORKS TUNNELLED-NETWORKS
Additional Information:
NAT divert to egress interface OUTSIDE
Untranslate 192.168.20.11/0 to 192.168.20.11/0

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: DMZ2
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I'm sure there's something really obvious wrong here, but I have no idea what it is. Been looking for hours. Would really appreciate some insight from the community!

Thanks in advance
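As an added example (not part of the post or of Cisco's tooling), a small Python helper that automates the two checks done by hand above: it flags IPsec SAs in `show crypto ipsec sa` output that decrypt packets but have never encrypted any (traffic is one-way), and reports which packet-tracer phase dropped the packet and whether that drop came from the implicit deny rather than a configured ACE. The sample text is constructed by trimming the two outputs quoted above.

```python
import re

# Constructed samples, trimmed from the 'sh crypto ipsec sa' and packet-tracer output in the post.
SA_OUTPUT = """\
      local ident (addr/mask/prot/port): (192.168.31.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 25, #pkts decrypt: 25, #pkts verify: 25
"""
PT_OUTPUT = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (DMZ2,OUTSIDE) source static DMZ2-LAN DMZ2-LAN destination static TUNNELLED-NETWORKS TUNNELLED-NETWORKS

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
"""

# One SA: local/remote proxy identities followed by its encaps and decaps counters.
SA_RE = re.compile(
    r"local ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)\s*"
    r"remote ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\).*?"
    r"#pkts encaps: (\d+),.*?#pkts decaps: (\d+),",
    re.DOTALL,
)
# One packet-tracer phase: number, type, result and the first line under "Config:".
PHASE_RE = re.compile(
    r"Phase: (\d+)\nType: ([^\n]*)\n(?:Subtype:[^\n]*\n)?Result: (\w+)\nConfig:\n([^\n]*)"
)

def one_way_sas(sa_text):
    """SAs that have decrypted inbound packets but never encrypted one: the return path is broken."""
    return [(f"{loc}/{lm}", f"{rem}/{rm}", int(enc), int(dec))
            for loc, lm, rem, rm, enc, dec in SA_RE.findall(sa_text)
            if int(dec) > 0 and int(enc) == 0]

def drop_phase(pt_text):
    """(phase number, type, first Config line) of the first DROP phase, or None if all phases ALLOW."""
    hits = [(int(n), t, c.strip()) for n, t, r, c in PHASE_RE.findall(pt_text) if r == "DROP"]
    return hits[0] if hits else None

def implicit_deny(hit):
    """True when the ACCESS-LIST drop was the implicit deny, i.e. no configured ACE matched."""
    return hit is not None and hit[1] == "ACCESS-LIST" and hit[2] == "Implicit Rule"
```

On the post's output this reports the 192.168.31.0/24 to 192.168.20.0/24 SA as one-way (25 decrypted, 0 encrypted) and an implicit-deny drop in phase 2, which points at the ACL bound to the DMZ2 interface rather than at the crypto configuration.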
