05-27-2021 04:31 AM - edited 05-27-2021 04:32 AM
Hi,
I have a site-to-site VPN configured between two ASA 5508-Xs. There is one network (subnet) on site A and three networks on site B. Phases 1 & 2 come up no problem and I can ping across the tunnel for 2 of the 3 networks.
With the third network, if I try to ping from site A to site B I can see packets being encrypted in that direction, but there is no return traffic. Running packet-tracer on site B indicates that the traffic is blocked by the implicit rule on the relevant interface of the ASA.
I have checked that the crypto ACLs match in both directions and that the inbound ACL on the site B network allows all traffic to site A. Not really sure where to go with this, so hoping for some help from the community.
Site A relevant sanitised config:

object-group network SITE_A-LAN
 network-object 192.168.20.0 255.255.255.0
object network CUST-SERVER-NAT
 host 1.2.3.132
object-group network CUST-NETS
 network-object object CUST-SITE_B-LAN
 network-object object CUST-SITE_C-LAN
 network-object object CUST-SITE_C-DMZ
 network-object object CUST-SITE_B-DMZ
 network-object object CUST-SITE_B-DMZ2-NET
access-list CUST-SITE_B-CRYPTOMAP extended permit ip object-group SITE_A-LAN 192.168.30.0 255.255.255.0
access-list CUST-SITE_B-CRYPTOMAP extended permit ip object-group SITE_A-LAN object CUST-SITE_B-DMZ2-NET
access-list CUST-SITE_B-CRYPTOMAP extended permit ip object-group SITE_A-LAN object CUST-SITE_B-DMZ
nat (CUST,OUTSIDE) source static SITE_A-LAN SITE_A-LAN destination static CUST-NETS CUST-NETS no-proxy-arp description NAT EXEMPT CUST SITE A TO CUST LANS
nat (CUST,OUTSIDE) source static CUST-SERVER CUST-SERVER-NAT
!
nat (CUST,OUTSIDE) after-auto source dynamic SITE_A-LAN interface description PAT TRAFFIC FROM CUST NET -> OUTSIDE
Site B relevant sanitised config:

object network SITE_B-DMZ2
 subnet 192.168.31.0 255.255.255.0
object network SITE_B-DMZ
 subnet 192.168.35.0 255.255.255.0
object network SITE_A-LAN
 subnet 192.168.20.0 255.255.255.0
object-group network TUNNELLED-NETWORKS
 network-object object SITE_A-LAN2
 network-object object SITE_C-LAN
 network-object object SITE_D-LAN
 network-object object SITE_C-DMZ
 network-object object SITE_A-LAN1
access-list SITE_A-CRYPTOMAP extended permit ip object SITE_B-LAN object SITE_A-LAN
access-list SITE_A-CRYPTOMAP extended permit ip object SITE_B-DMZ object SITE_A-LAN
access-list SITE_A-CRYPTOMAP extended permit ip object SITE_B-DMZ2 object SITE_A-LAN
access-list DMZ2-IN remark TRAFFIC ARRIVING AT DMZ2 INTERFACE
access-list DMZ2-IN extended permit icmp 192.168.31.0 255.255.255.0 any
access-list DMZ2-IN extended permit ip 192.168.31.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list DMZ2-IN extended deny ip any object-group RFC1918-NETS
access-list DMZ2-IN extended permit ip 192.168.31.0 255.255.255.0 any
nat (DMZ2,OUTSIDE) source static SITE_B-DMZ2 SITE_B-DMZ2 destination static TUNNELLED-NETWORKS TUNNELLED-NETWORKS
I can see from debugging site B that there are no packets encrypted in the direction site B -> site A:
SITE_B-ASA# sh crypto ipsec sa peer 1.2.3.220
peer address: 1.2.3.220
    Crypto map tag: OUTSIDE-MAP, seq num: 20, local addr: 1.2.3.130

      access-list SITE_A-CRYPTOMAP extended permit ip 192.168.31.0 255.255.255.0 192.168.20.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.31.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
      current_peer: 1.2.3.220

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 25, #pkts decrypt: 25, #pkts verify: 25
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0
Packet-tracer at site B says that the return traffic fails to pass the interface ACL:

SITE_B-ASA# packet-tracer input DMZ2 icmp 192.168.31.10 0 0 192.168.20.11

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (DMZ2,OUTSIDE) source static DMZ2-LAN DMZ2-LAN destination static TUNNELLED-NETWORKS TUNNELLED-NETWORKS
Additional Information:
NAT divert to egress interface OUTSIDE
Untranslate 192.168.20.11/0 to 192.168.20.11/0

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: DMZ2
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
I'm sure there's something really obvious wrong here, but I have no idea what it is. I've been looking for hours. Would really appreciate some insight from the community!
Thanks in advance
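The two outputs quoted in the post carry the whole diagnosis pattern: an SA whose `#pkts decaps` counter climbs while `#pkts encaps` stays at zero (traffic arrives from the peer, nothing goes back), and a packet-tracer run whose first DROP phase is `ACCESS-LIST` with `Implicit Rule` as its config. The script below is an added example, not code from the original post or from Cisco; it parses both outputs and reports one-way SAs alongside the packet-tracer drop phase, so the same check can be run across every SA a `show crypto ipsec sa` dump contains. The sample text is constructed from the outputs quoted above; the function and class names are my own.

```python
"""Added example: flag one-way IPsec SAs and ACL drops from ASA CLI output.

The SAMPLE_* strings are reconstructed from the outputs quoted in the post
(not captured from a live device). Names such as SaCounters, parse_ipsec_sa,
parse_packet_tracer and report are assumptions for this example.
"""
import re
from dataclasses import dataclass


@dataclass
class SaCounters:
    local_ident: str   # proxy identity on this ASA's side, e.g. 192.168.31.0/255.255.255.0/0/0
    remote_ident: str  # proxy identity on the peer's side
    encaps: int        # packets this ASA encapsulated and sent into the tunnel
    decaps: int        # packets this ASA received from the tunnel and decapsulated

    @property
    def one_way(self) -> bool:
        # Peer is sending us traffic, but we never put anything back on the wire.
        return self.decaps > 0 and self.encaps == 0


def parse_ipsec_sa(text: str) -> list[SaCounters]:
    """Return one SaCounters per proxy identity in 'show crypto ipsec sa' output."""
    sas = []
    # Every SA block begins with its 'local ident' line; split on that boundary.
    for blk in re.split(r"(?=local ident)", text):
        local = re.search(r"local ident \(addr/mask/prot/port\): \(([^)]*)\)", blk)
        remote = re.search(r"remote ident \(addr/mask/prot/port\): \(([^)]*)\)", blk)
        enc = re.search(r"#pkts encaps: (\d+)", blk)
        dec = re.search(r"#pkts decaps: (\d+)", blk)
        if local and remote and enc and dec:
            sas.append(SaCounters(local.group(1), remote.group(1),
                                  int(enc.group(1)), int(dec.group(1))))
    return sas


def parse_packet_tracer(text: str) -> dict:
    """Collect each packet-tracer phase plus the final Drop-reason, if any."""
    phases, current, in_config, drop_reason = [], None, False, None
    for line in text.splitlines():
        if line.startswith("Phase: "):
            current = {"phase": int(line[len("Phase: "):]), "type": "",
                       "result": "", "config": []}
            phases.append(current)
            in_config = False
        elif line.startswith("Drop-reason:"):
            drop_reason = line.split(":", 1)[1].strip()
        elif current is None:
            continue
        elif line.startswith("Config:"):
            in_config = True
        elif line.startswith("Additional Information:"):
            in_config = False
        elif in_config and line.strip():
            current["config"].append(line.strip())
        elif line.startswith("Type: "):
            current["type"] = line[len("Type: "):].strip()
        elif line.startswith("Result: "):  # 'Result:' alone is the summary header
            current["result"] = line[len("Result: "):].strip()
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    return {"phases": phases, "drop_phase": drop, "drop_reason": drop_reason}


def report(sa_text: str, pt_text: str) -> list[str]:
    """One finding per one-way SA, annotated with where packet-tracer drops the flow."""
    pt = parse_packet_tracer(pt_text)
    findings = []
    for sa in parse_ipsec_sa(sa_text):
        if not sa.one_way:
            continue
        msg = (f"one-way SA {sa.local_ident} -> {sa.remote_ident}: "
               f"decaps={sa.decaps}, encaps={sa.encaps}")
        if pt["drop_phase"]:
            d = pt["drop_phase"]
            msg += (f"; packet-tracer drops at phase {d['phase']} {d['type']} "
                    f"({' '.join(d['config'])}): {pt['drop_reason']}")
        findings.append(msg)
    return findings


# Constructed sample input, reduced to the lines the parsers need.
SAMPLE_SA = """\
      local ident (addr/mask/prot/port): (192.168.31.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 25, #pkts decrypt: 25, #pkts verify: 25
"""
SAMPLE_PT = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (DMZ2,OUTSIDE) source static DMZ2-LAN DMZ2-LAN destination static TUNNELLED-NETWORKS TUNNELLED-NETWORKS
Additional Information:
NAT divert to egress interface OUTSIDE

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    for finding in report(SAMPLE_SA, SAMPLE_PT):
        print(finding)
```

Feed `report()` the full `show crypto ipsec sa` output rather than a single peer and it will list every proxy identity whose return direction is silent, which is the quickest way to tell a single broken network (as here) from a tunnel-wide problem; a second SA with matching encaps and decaps counters produces no finding.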