12-22-2016 04:58 PM
Hi folks,
I am trying to set up a VPN tunnel between an ASA5505 and a Draytek router.
The tunnel is established, however there is no traffic moving, as shown below.
I've added below:
- show crypto ipsec sa
- packet-tracer
- my asa5505 running config
About me: I am close to CCNA level, ASAs are a bit much at the moment, but I am trying to get there.
It looks like in phase 10: domain=filter-aaa, deny=true - but my knowledge is really low on this, and I can't find much on the internet about it. I would be grateful for any help (Draytek and Cisco don't like each other too much :)
Also from the ASA side:
#########################################################################
ciscoasa(config)# show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 87.127.x.49
access-list outside_cryptomap_4 extended permit ip 192.168.7.0 255.255.255.0 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.7.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 94.xx.1.232
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 1
local crypto endpt.: 87.127.x.49/0, remote crypto endpt.: 94.x.1.232/0
path mtu 1492, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: FB20BECA
current inbound spi : B8D68BF8
inbound esp sas:
spi: 0xB8D68BF8 (3101068280)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 1, IKEv1, }
slot: 0, conn_id: 483328, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 2896
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xFB20BECA (4213227210)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 1, IKEv1, }
slot: 0, conn_id: 483328, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 2896
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ciscoasa(config)#
#########################################################################
When I use packet-tracer this is what comes up; it drops the packet at phase 10:
#########################################################################
ciscoasa(config)# packet-tracer input inside icmp 192.168.7.25 0 8 192.168.1.2$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 78.33.253.8, outside
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static DRAYTEK_NET DRAYTEK_NET destination static NETWORK_VPN_HARRYS_192.168.1.0 NETWORK_VPN_HARRYS_192.168.1.0 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.1.26/0 to 192.168.1.26/0
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in_1 in interface inside
access-list inside_access_in_1 extended permit ip 192.168.7.0 255.255.255.0 any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc5d1658, priority=13, domain=permit, deny=false
hits=86290, user_data=0xca2b12e0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.7.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static DRAYTEK_NET DRAYTEK_NET destination static NETWORK_VPN_HARRYS_192.168.1.0 NETWORK_VPN_HARRYS_192.168.1.0 no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.7.25/0 to 192.168.7.25/0
Forward Flow based lookup yields rule:
in id=0xcc28eb50, priority=6, domain=nat, deny=false
hits=21, user_data=0xcbe0cc98, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.7.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=192.168.1.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbc8cfe0, priority=0, domain=nat-per-session, deny=true
hits=92929, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc88dda8, priority=0, domain=inspect-ip-options, deny=true
hits=116236, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc88d848, priority=66, domain=inspect-icmp-error, deny=false
hits=3707, user_data=0xcc941760, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcca26660, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=120620, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcc94afe0, priority=70, domain=encrypt, deny=false
hits=4, user_data=0x18ae8d4, cs_id=0xccc237c8, reverse, flags=0x0, protocol=0
src ip/id=192.168.7.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=192.168.1.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside
Phase: 10
Type: ACCESS-LIST
Subtype: filter-aaa
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcbc87d30, priority=12, domain=filter-aaa, deny=true
hits=20, user_data=0xca2b15b0, filter_id=0x0(-implicit deny-), protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ciscoasa(config)#
#########################################################################
My ASA5505 running config:
#########################################################################
ciscoasa(config)# show run
: Saved
:
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(4)
!
hostname ciscoasa
names
ip local pool VPN_POOL 192.168.7.80-192.168.7.88 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.7.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ENTA
ip address 87.127.x.49 255.255.255.255 pppoe setroute
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network IP_ENTA_87.127.x.54
host 87.127.x.54
object network IP_ENTA_87.127.x.53
host 87.127.x.53
object network IP_ENTA_87.127.x.50
host 87.127.x.50
object network DRAYTEK_NET
subnet 192.168.7.0 255.255.255.0
object network IP_Digital_Ocean
host 178.62.x.139
object network Cisco_VoIP_SPA525G
host 192.168.7.103
object network IP_HARRYS_94.x.1.232
host 94.x.1.232
object network IPsec_Pier_Office_Network
subnet 10.0.0.0 255.255.255.0
object network Remote_Pier_Office_IP_79.77.x.150
host 79.77.x.150
object network IP_IPsec_Pier_Office
host 79.77.x.150
object network IP_ENTA_87.127.x.49
host 87.127.x.49
object network IP_SKYNET_AP_192.168.7.104
host 192.168.7.104
object network IP_ENTA_87.127.x.51
host 87.127.x.51
object network IP_OwnCloud_192.168.7.51
host 192.168.7.51
object network NETWORK_OBJ_192.168.7.80_28
subnet 192.168.7.80 255.255.255.240
object network NETWORK_ENTANET_87.127.x.48
subnet 87.127.x.48 255.255.255.248
object network BADGUYS_116.31.116.48
subnet 116.31.116.0 255.255.255.0
object network IP_SIP_ENTA_87.127.x.101
host 87.127.x.101
object network IP_DNS_8.8.8.8
host 8.8.8.8
object network IP_SIP_EVOSOFT_149.202.x.31
host 149.202.x.31
object network NETWORK_VPN_HARRYS_192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.7.0_24
subnet 192.168.7.0 255.255.255.0
object network IP_BARTRON_192.168.7.115
host 192.168.7.115
object-group network !!!BADGUYS!!!
network-object object BADGUY_116.31.116.48
object-group network SIP
network-object object IP_SIP_ENTA_87.127.x.101
network-object object IP_SIP_EVOSOFT_149.202.x.31
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit object-group TCPUDP object IP_DNS_8.8.8.8 192.168.7.0 255.255.255.0
access-list inside_access_in_1 extended permit ip 192.168.7.0 255.255.255.0 any
access-list global_access extended permit object-group TCPUDP object IP_Digital_Ocean any
access-list global_access extended permit ip object IP_HARRYS_94.x.1.232 any
access-list global_access extended deny ip object-group !!!BADGUYS!!! any inactive
access-list global_access extended permit ip object IP_DNS_8.8.8.8 any
access-list global_access extended permit object-group TCPUDP object-group SIP object Cisco_VoIP_SPA525G
access-list outside_cryptomap_4 extended permit ip object DRAYTEK_NET object NETWORK_VPN_HARRYS_192.168.1.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp inside 192.168.6.6 7081.05b8.44b2
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.7.80_28 NETWORK_OBJ_192.168.7.80_28 no-proxy-arp route-lookup
nat (inside,outside) source static DRAYTEK_NET DRAYTEK_NET destination static NETWORK_VPN_HARRYS_192.168.1.0 NETWORK_VPN_HARRYS_192.168.1.0 no-proxy-arp route-lookup
!
object network DRAYTEK_NET
nat (any,outside) dynamic interface dns
object network Cisco_VoIP_SPA525G
nat (any,any) static IP_ENTA_87.127.x.53 net-to-net dns
object network IP_OwnCloud_192.168.7.51
nat (any,any) static IP_ENTA_87.127.x.51 net-to-net
object network IP_BARTRON_192.168.7.115
nat (any,any) static IP_ENTA_87.127.x.54 net-to-net
access-group inside_access_in_1 in interface inside
access-group outside_access_in in interface outside
access-group global_access global
router rip
network 192.168.6.0
passive-interface outside
version 2
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.7.0 255.255.255.0 inside
http 94.x.1.232 255.255.255.255 outside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap_4
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set connection-type answer-only
crypto map outside_map 1 set peer 94.x.1.232
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 1 set ikev2 pre-shared-key *****
crypto map outside_map 1 set security-association lifetime kilobytes unlimited
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=bartosz.miklaszewski,O=bartron media group,C=uk
keypair ASDM_TrustPoint0
crl configure
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 1
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 1
lifetime 28800
telnet 192.168.7.0 255.255.255.0 inside
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group ENTA request dialout pppoe
vpdn group ENTA localname xxxxx@adsllogin.co.uk
vpdn group ENTA ppp authentication chap
vpdn username xxxxx@adsllogin.co.uk password ***** store-local
dhcpd auto_config outside
!
dhcpd address 192.168.7.100-192.168.7.250 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host number-of-rate 3
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 130.88.200.4 source outside prefer
group-policy DfltGrpPolicy attributes
vpn-filter value global_access
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_94.x.1.232 internal
group-policy GroupPolicy_94.x.1.232 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy VPN_BART internal
group-policy VPN_BART attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol ikev1
username xxxxx password xxxxx encrypted privilege 0
username xxxxx attributes
vpn-group-policy VPN_BART
tunnel-group VPN_BART type remote-access
tunnel-group VPN_BART general-attributes
address-pool VPN_POOL
default-group-policy VPN_BART
tunnel-group VPN_BART ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 94.x.1.232 type ipsec-l2l
tunnel-group 94.x.1.232 general-attributes
default-group-policy GroupPolicy_94.x.1.232
tunnel-group 94.x.1.232 ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:835226bf6cbb9e327e141372ec652e9b
: end
ciscoasa(config)#
#########################################################################
12-22-2016 07:55 PM
Hi miklaszewski,
Seems like you are hitting a vpn-filter that is configured on your default group policy; try adding the following commands:
group-policy GroupPolicy_94.x.1.232 internal
group-policy GroupPolicy_94.x.1.232 attributes
vpn-tunnel-protocol ikev1 ikev2
no vpn-filter
Hope this info helps!!
Rate if helps you!!
-JP-
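As an added example (my script, not anything posted in the thread), here is a small Python parser that resolves the effective vpn-filter for a tunnel-group the way the ASA does: an attribute a group-policy leaves unset is inherited from DfltGrpPolicy, and `vpn-filter none` is an explicit empty value. Run over a constructed excerpt of the config above, it shows that GroupPolicy_94.x.1.232 inherits global_access, the ACL that packet-tracer reports as the filter-aaa implicit deny in phase 10. It assumes the config uses only the `vpn-filter value ...` / `vpn-filter none` forms and the standard sub-command layout.

```python
import re

# Constructed excerpt of the running config posted above (indentation is
# irrelevant: the thread's copy lost it, and the parser strips it anyway).
ASA_CONFIG = """\
access-list global_access extended permit ip object IP_HARRYS_94.x.1.232 any
group-policy DfltGrpPolicy attributes
vpn-filter value global_access
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_94.x.1.232 internal
group-policy GroupPolicy_94.x.1.232 attributes
vpn-tunnel-protocol ikev1 ikev2
tunnel-group 94.x.1.232 type ipsec-l2l
tunnel-group 94.x.1.232 general-attributes
default-group-policy GroupPolicy_94.x.1.232
"""

# Top-level keywords that end a group-policy / tunnel-group attribute block.
TOP_LEVEL = ("access-list", "object", "username", "class-map", "policy-map",
             "crypto", "service-policy", "!", ":")

def parse(config):
    """Return (policies, tunnels): group-policy -> {attr: value}, tunnel-group -> default-group-policy."""
    policies, tunnels, ctx = {}, {}, None
    for line in (l.strip() for l in config.splitlines()):
        m = re.match(r"group-policy (\S+) (internal|external|attributes)", line)
        if m:
            policies.setdefault(m.group(1), {})
            ctx = ("gp", m.group(1)) if m.group(2) == "attributes" else None
            continue
        m = re.match(r"tunnel-group (\S+) (\S+)", line)
        if m:
            ctx = ("tg", m.group(1)) if m.group(2) == "general-attributes" else None
            continue
        if not line or line.startswith(TOP_LEVEL):
            ctx = None          # back at top level, no open attribute block
            continue
        if ctx and ctx[0] == "gp":
            m = re.match(r"vpn-filter (?:value (\S+)|none)$", line)
            if m:
                policies[ctx[1]]["vpn-filter"] = m.group(1) or "none"
        elif ctx and ctx[0] == "tg":
            m = re.match(r"default-group-policy (\S+)$", line)
            if m:
                tunnels[ctx[1]] = m.group(1)
    return policies, tunnels

def effective_vpn_filter(policies, name, default="DfltGrpPolicy"):
    """ASA inheritance: unset attributes come from DfltGrpPolicy; 'none' means no ACL."""
    value = policies.get(name, {}).get("vpn-filter")
    if value is not None:
        return None if value == "none" else value
    return None if name == default else effective_vpn_filter(policies, default, default)

def tunnel_group_filter(config, tunnel_group):
    """Name of the ACL the ASA applies as vpn-filter to a tunnel-group, or None."""
    policies, tunnels = parse(config)
    return effective_vpn_filter(policies, tunnels.get(tunnel_group, "DfltGrpPolicy"))
```

A vpn-filter ACL is evaluated with the remote side of the tunnel as the source, so global_access (which permits only the peer's public address 94.x.1.232 and a few other hosts) never matches 192.168.1.0/24 traffic. The same inheritance applies to VPN_BART, whose group-policy also sets no vpn-filter of its own.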
12-23-2016 03:51 PM
Yes, that helped, many thanks !!! :D