04-10-2023 11:54 AM
Hello.
Despite the L2L tunnel remote vendor stating that his side is not blocking anything, I am unable to telnet from an ASA-adjacent device (I cannot telnet from an ASA) to the tunnelled server endpoint 153.0.0.1:1234.
---
I created the below ACL entry in the access-list "inside-in"
ASA(config)# access-list inside-in permit ip any host 153.0.0.1
I ran a packet trace from the ASA using the source interface of the inside ASA interface.
packet-tracer input Inside tcp 172.16.2.11 7777 153.0.0.1 1234
This stated that all checks are ALLOW (fine).
The route to 153.0.0.1 was a default route to the www (but production traffic is flowing through the tunnel).
I inserted a route to this destination 153.0.0.1, with the next hop as the tunnel outside IP-address 153.0.7.7
This did not solve symptom. I deleted the above route.
I expect there is some sort of NAT translation mapping, along with a related ACL, that is causing this symptom. My guess is that this is routing related.
May you please assist?
Thank you.
04-10-2023 11:59 AM
@jmaxwellUSAF don't run tests from the ASA itself, always perform testing "through" the ASA. Telnet from the LAN switch behind the ASA or a PC.
Run packet-tracer again, use a LAN IP address (not the ASA's interface IP address) that is in the crypto ACL and provide the output for review.
I assume the VPN is established correctly, and the encap|decap counters are increasing?
04-10-2023 01:24 PM
"Run packet-tracer again, use a LAN IP address (not the ASA's interface IP address) that is in the crypto ACL and provide the output for review."
I did that on the ASA--
"I ran a packet trace from the ASA using source interface of the inside ASA interface.
packet-tracer input Inside tcp 172.16.2.11 7777 153.0.0.1 1234
This stated that all checks are ALLOW (fine)."
--Is the above the correct syntax? (The command demanded that I insert an ASA interface -- I used inside, as shown above).
Suggestions?
04-10-2023 01:37 PM
@jmaxwellUSAF yes, you must define the source interface. I meant don't define the source IP as the ASA's IP address.
Is the VPN already up? When running packet tracer over a VPN you must run it twice, unless the tunnel is already up.
Run a packet capture on the ASA, see if you get a connection reset from the peer.
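The replies above ask for the packet-tracer output to be reviewed phase by phase, and for a check that the packet actually hits the VPN (encrypt) phase rather than being routed out the default route or translated before encryption. The script below is an added example, not code from the thread or from Cisco: it parses the familiar "Phase: / Type: / Result:" layout of ASA packet-tracer output and reports the phase that dropped the packet, whether a VPN phase was reached, and whether a NAT phase rewrote the source before the VPN phase. The embedded trace is constructed for illustration (hypothetical interface names, NAT rule and 203.0.113.x addresses), not a capture from the poster's ASA.

```python
"""Summarise Cisco ASA packet-tracer output phase by phase (added example)."""
import re
import sys
from typing import Dict, List, Optional

# Constructed sample in the usual packet-tracer layout; all values are hypothetical.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 203.0.113.1 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside-in in interface inside
access-list inside-in extended permit ip any host 153.0.0.1
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
Dynamic translate 172.16.2.11/7777 to 203.0.113.10/7777

Phase: 4
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

FINAL_BLOCK = "\nResult:\n"  # the trailing verdict block starts with a bare "Result:" line


def parse_phases(trace: str) -> List[Dict[str, object]]:
    """Split the trace into phases; each phase keeps its type, subtype, result, config and info lines."""
    body = trace.split(FINAL_BLOCK, 1)[0]
    phases: List[Dict[str, object]] = []
    for chunk in re.split(r"(?m)^Phase:[ \t]*", body)[1:]:
        lines = chunk.splitlines()
        phase: Dict[str, object] = {"phase": int(lines[0].strip()), "type": "", "subtype": "",
                                    "result": "", "config": [], "info": []}
        section: Optional[str] = None
        for line in lines[1:]:
            if line.startswith("Type:"):
                phase["type"] = line.split(":", 1)[1].strip()
            elif line.startswith("Subtype:"):
                phase["subtype"] = line.split(":", 1)[1].strip()
            elif line.startswith("Result:"):
                phase["result"] = line.split(":", 1)[1].strip().upper()
            elif line.startswith("Config:"):
                section = "config"
            elif line.startswith("Additional Information:"):
                section = "info"
            elif section and line.strip():
                phase[section].append(line.strip())  # type: ignore[union-attr]
        phases.append(phase)
    return phases


def parse_verdict(trace: str) -> Dict[str, str]:
    """Read the key: value lines of the final Result block (Action, Drop-reason, interfaces)."""
    parts = trace.split(FINAL_BLOCK, 1)
    verdict: Dict[str, str] = {}
    if len(parts) == 2:
        for line in parts[1].splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                verdict[key.strip()] = value.strip()
    return verdict


def summarise(trace: str) -> Dict[str, object]:
    """Return the facts a reviewer asks for: verdict, dropping phase, VPN phase seen, NAT before VPN."""
    phases = parse_phases(trace)
    verdict = parse_verdict(trace)
    dropped = [p for p in phases if p["result"] == "DROP"]
    vpn = [p for p in phases if str(p["type"]).upper() == "VPN"]
    first_vpn = int(vpn[0]["phase"]) if vpn else None
    # A NAT phase that translates the packet before the VPN phase means the crypto ACL
    # is evaluated against the translated address, which is a common reason for a miss.
    nat_before_vpn = [int(p["phase"]) for p in phases
                      if str(p["type"]).upper() == "NAT" and first_vpn is not None
                      and int(p["phase"]) < first_vpn
                      and any("translate" in line.lower() for line in p["info"])]  # type: ignore[union-attr]
    return {
        "action": verdict.get("Action", "unknown").lower(),
        "drop_reason": verdict.get("Drop-reason", ""),
        "egress": verdict.get("output-interface", ""),
        "drop_phase": int(dropped[0]["phase"]) if dropped else None,
        "drop_type": str(dropped[0]["type"]) if dropped else "",
        "saw_vpn_phase": bool(vpn),
        "nat_before_vpn": nat_before_vpn,
    }


def findings(summary: Dict[str, object]) -> List[str]:
    """Turn the summary into review notes a troubleshooter can act on."""
    notes: List[str] = []
    if summary["action"] == "drop":
        notes.append(f"dropped in phase {summary['drop_phase']} ({summary['drop_type']}): {summary['drop_reason']}")
    if not summary["saw_vpn_phase"]:
        notes.append("no VPN phase reached: packet is not selected by the crypto map; check the crypto ACL and the route")
    if summary["nat_before_vpn"]:
        notes.append(f"source translated in phase(s) {summary['nat_before_vpn']} before encryption; check identity/exempt NAT for tunnel traffic")
    return notes


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TRACE
    for note in findings(summarise(text)):
        print("-", note)
```

Paste the real packet-tracer output on stdin (or edit SAMPLE_TRACE); with the constructed sample it reports the drop in the VPN phase and the NAT translation that precedes it, which is the two-line answer a reviewer would want before looking at routes.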
04-10-2023 12:00 PM
Telnet through L2L VPN from ASA to server?
Which ASA interface do you use as the source of the telnet traffic?