Cannot telnet through ASA tunnel to server. Please assist?

Hello.

Despite the L2L tunnel remote vendor stating that his side is not blocking anything, I am unable to telnet from an ASA-adjacent device (I cannot telnet from an ASA) to the tunnelled server endpoint 153.0.0.1:1234.

---

I created the below ACL entry in the access-list "inside-in":
ASA(config)# access-list inside-in permit ip any host 153.0.0.1

I ran a packet trace from the ASA using the inside ASA interface as the source interface:
packet-tracer input Inside tcp 172.16.2.11 7777 153.0.0.1 1234
This stated that all checks are ALLOW (fine).

The route to 153.0.0.1 was a default route to the www (but production traffic is flowing through the tunnel).

I inserted a route to this destination 153.0.0.1, with the next hop as the tunnel outside IP address 153.0.7.7.
This did not solve the symptom. I deleted the above route.

I expect there is some sort of NAT translation mapping, along with a related ACL, that is causing this symptom. My guess is that this is routing related.

May you please assist?

Thank you.

4 Replies

@jmaxwellUSAF don't run tests from the ASA itself; rather, perform testing "through" the ASA. Telnet from the LAN switch behind the ASA or a PC.

Run packet-tracer again, use a LAN IP address (not the ASA's interface IP address) that is in the crypto ACL and provide the output for review.

I assume the VPN is established correctly, and the encap|decap counters are increasing?

"Run packet-tracer again, use a LAN IP address (not the ASA's interface IP address) that is in the crypto ACL and provide the output for review."

I did that on the ASA-- 

"I ran a packet trace from the ASA using the inside ASA interface as the source interface:
packet-tracer input Inside tcp 172.16.2.11 7777 153.0.0.1 1234
This stated that all checks are ALLOW (fine)."

--Is the above the correct syntax? (The command demanded that I insert an ASA interface-- I used inside, as shown above.)

Suggestions?

@jmaxwellUSAF yes, you must define the source interface. I meant don't define the source IP as the ASA's IP address.

Is the VPN already up? When running packet tracer over a VPN you must run it twice, unless the tunnel is already up.

Run a packet capture on the ASA, see if you get a connection reset from the peer.
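The check the replies above describe (the packet-tracer source and destination must both fall inside the crypto ACL, or the traffic is never considered "interesting" and bypasses the tunnel) can be rehearsed offline with a small parser for ASA-style `access-list ... permit ip` lines. This is an added example, not code from the thread; the ACL name, the second ACE and the 172.16.1.1 "ASA interface" address are constructed placeholders, not the poster's configuration.

```python
import ipaddress

# Constructed sample crypto ACL in ASA syntax (subnet masks, not wildcard masks).
# The name and the second line are placeholders chosen for this example.
CRYPTO_ACL = """
access-list outside_cryptomap extended permit ip 172.16.2.0 255.255.255.0 host 153.0.0.1
access-list outside_cryptomap extended permit ip host 172.16.9.5 153.0.0.0 255.255.255.0
"""

def _take_spec(tokens):
    """Consume one address spec ('any', 'host A', or 'NET MASK') and return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ASA ACLs carry a normal subnet mask; ipaddress accepts the dotted form directly
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_crypto_acl(text, name):
    """Return [(action, src_net, dst_net)] for the 'permit/deny ip' ACEs of the named ACL."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[1] != name:
            continue
        t = t[3:] if t[2] == "extended" else t[2:]   # 'extended' keyword is optional
        action, proto, rest = t[0], t[1], t[2:]
        if proto != "ip":
            continue   # only protocol-agnostic ACEs are handled in this example
        src, rest = _take_spec(rest)
        dst, rest = _take_spec(rest)
        aces.append((action, src, dst))
    return aces

def is_interesting(aces, src_ip, dst_ip):
    """First-match evaluation: True if src->dst would be selected for encryption."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in aces:
        if s in src and d in dst:
            return action == "permit"
    return False   # no match: implicit deny, traffic is routed in the clear

ACES = parse_crypto_acl(CRYPTO_ACL, "outside_cryptomap")

if __name__ == "__main__":
    # LAN host from the thread's packet-tracer line versus a placeholder ASA interface IP
    for src in ("172.16.2.11", "172.16.1.1"):
        print(src, "-> 153.0.0.1 interesting:", is_interesting(ACES, src, "153.0.0.1"))
```

A source that is not matched here is exactly the case the reply warns about: packet-tracer reports ALLOW on the interface ACL, but the flow never enters the tunnel.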

Telnet through L2L VPN from ASA to server?

Which ASA interface do you use as the source of the telnet traffic?