Cisco ASA 5510 S2S VPN - acl-drop issue

mthomaz (Level 1)

I am setting up a S2S VPN tunnel from my ASA 5510, but I am getting an error.

 

ASA version: 9.6
ASDM: 7.1

 

Site A (my ASA firewall):

- My ASA external ip: 201.201.201.201
- Local network host: 192.168.2.5 `(There is a NAT rule to send all traffic to the internet from host 192.168.2.5 using ip 201.201.201.202)`.
- Remote network host: 202.202.202.265 (Site B host)

- Peer IP address: 202.202.202.201
- ESP-AES-256-SHA
- Phase 1: Group 5
- Phase 2: Group 2

 

Site B (I don't have access to it):

- Peer ip address: 201.201.201.201 (Site A Firewall)
- Local network host: 202.202.202.265
- Remote network host: 201.201.201.202 (Site A host)
- ESP-AES-256-SHA
- Phase 1: Group 5
- Phase 2: Group 2

 

When trying to startup the VPN using `packet-tracer` I get the following error:

 

packet-tracer input inside tcp 192.168.2.5 80 202.202.202.265 80 detailed

IP = 202.202.202.202, IKE Initiator: New Phase 1, Intf inside, IKE Peer 202.202.202.202 local Proxy Address 192.168.2.5, remote Proxy Address 202.202.202.265, Crypto map (outside_map0)
IP = 202.202.202.202, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 324
IP = 202.202.202.202, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 324

Phase: 9 
Type: VPN 
Subtype: encrypt
Result: DROP 
Config: 
Additional Information:
Forward Flow based lookup yields rule:
out id=0xadfd4e00, priority=70, domain=encrypt, deny=false
hits=1, user_data=0x0, cs_id=0xae159608, reverse, flags=0x0, protocol=0
src ip/id=192.168.2.5, mask=255.255.255.255, port=0, tag=0
dst ip/id=202.202.202.265, mask=255.255.255.255, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside

Result: 
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop 
Drop-reason: (acl-drop) Flow is denied by configured rule

 

I believe this is happening because I am using the internal IP (`192.168.2.5`) in the ACL, and Site B has an external IP (`201.201.201.202`) in their local network instead of my local one (`192.168.2.5`)?

How can I fix this on my end?

 

UPDATE: I have set up the VPN both via CLI and ASDM, and I get the same result.

 

I think the cause is pretty much because of this:

Phase: 9 
Type: VPN 
Subtype: encrypt
Result: DROP 
Config: 
Additional Information:
Forward Flow based lookup yields rule:
out id=0xadfd4e00, priority=70, domain=encrypt, deny=false
hits=1, user_data=0x0, cs_id=0xae159608, reverse, flags=0x0, protocol=0
src ip/id=192.168.2.5, mask=255.255.255.255, port=0, tag=0
dst ip/id=202.202.202.265, mask=255.255.255.255, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside

 

The source IP is 192.168.2.5, and on Site B the remote network does not have that IP address, but the public one 201.201.201.202. I need to somehow force 192.168.2.5 to be 201.201.201.202 when connecting to the VPN?

 

The people on Site B are not keen to change their remote network to my internal IP address.

 

Duplicated: https://supportforums.cisco.com/t5/vpn/s2s-vpn-asa5510-acl-drop/td-p/3336354

 

 

UPDATE: 

 

show access-list outside_cryptomap_4

 

access-list outside_cryptomap_4 line 1 extended permit ip host 192.168.2.5 host 202.202.202.265

18 (inside) to (outside) source static 192.168.2.5 201.201.201.202
translate_hits = 0, untranslate_hits = 12

14 (inside) to (outside) source static 192.168.2.5 192.168.2.5 destination static DM_INLINE_NETWORK_14 DM_INLINE_NETWORK_14 no-proxy-arp route-lookup
translate_hits = 3, untranslate_hits = 3

 

UPDATE: 

 

BEFORE:

Phase: 9 
Type: VPN 
Subtype: encrypt
Result: DROP 
Config: 
Additional Information:
Forward Flow based lookup yields rule:
out id=0xadfd4e00, priority=70, domain=encrypt, deny=false
hits=1, user_data=0x0, cs_id=0xae159608, reverse, flags=0x0, protocol=0
src ip/id=192.168.2.5, mask=255.255.255.255, port=0, tag=0
dst ip/id=202.202.202.265, mask=255.255.255.255, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside

 

NOW:

src ip/id=201.201.201.202, mask=255.255.255.255, port=0, tag=0
dst ip/id=202.202.202.265, mask=255.255.255.255, port=0, tag=0, dscp=0x0

As you can see above, I am not able to get the source IP as my public one, assuming that is what I need.

 

However, still getting 

Drop-reason: (acl-drop) Flow is denied by configured rule

 

 

show nat

14 (inside) to (outside) source static 192.168.2.5 201.201.201.202 destination static 202.202.202.265 tranlate_hits =3, untranslate_hits = 3

 

packet-tracer input inside icmp 192.168.2.5 0 0 202.202.202.265 detailed

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static 192.168.2.5 201.201.201.202 destination static 202.202.202.265 202.202.202.265
Additional Information:
Static translate 192.168.2.5/0 to 201.201.201.202/0
Forward Flow based lookup yields rule:
in id=0xacbbd048, priority=6, domain=nat, deny=false
hits=17, user_data=0xad9cc810, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.2.5, mask=255.255.255.255, port=0, tag=0
dst ip/id=202.202.202.265, mask=255.255.255.255, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xadfd1e38, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=2763, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 11
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xaced3b88, priority=70, domain=encrypt, deny=false
hits=1, user_data=0x0, cs_id=0xae04fa28, reverse, flags=0x0, protocol=0
src ip/id=201.201.201.202, mask=255.255.255.255, port=0, tag=0
dst ip/id=202.202.202.265, mask=255.255.255.255, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
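Reading packet-tracer output by eye is error-prone, especially once the line breaks are lost in a paste as in the Phase 10/11 block above. The script below is an added example written for this thread (it is not Cisco code and not part of the original post): it restores the line structure, splits the output into phases, and reports the first phase that dropped the flow together with the rule identity (domain, src, dst) that phase matched. The label list is taken from the output forms visible in this thread; the sample text is a condensed, constructed copy of the Phase 10/11 dump above.

```python
"""Triage Cisco ASA packet-tracer output.

Added example for this thread, not Cisco code: splits the output into
phases and reports the first phase that dropped the flow, plus the rule
identity (domain, src, dst) that phase matched. Accepts output whose
line breaks were lost when pasted, as in the Phase 10/11 block above.
"""
import re

# Labels that always begin a line in packet-tracer output (as seen in this
# thread); a newline is restored in front of each so a run-together dump
# parses the same way as a clean one.
LABELS = [
    "Phase:", "Type:", "Subtype:", "Result:", "Config:",
    "Additional Information:", "Forward Flow based lookup yields rule:",
    "in id=", "out id=", "hits=", "src ip/id=", "dst ip/id=", "input_ifc=",
    "input-interface:", "input-status:", "input-line-status:",
    "output-interface:", "output-status:", "output-line-status:",
    "Action:", "Drop-reason:",
]

def normalise(text):
    for label in LABELS:
        text = re.sub(r"\s*" + re.escape(label), "\n" + label, text)
    return text

def parse_phases(text):
    """Return (phases, trailer): one dict per phase plus the final summary."""
    phases, trailer, cur, in_trailer = [], {}, None, False
    for raw in normalise(text).splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":", 1)[1]), "rule": {}}
            phases.append(cur)
            in_trailer = False
            continue
        if line == "Result:":          # a bare "Result:" opens the summary trailer
            in_trailer, cur = True, None
            continue
        if in_trailer:
            key, _, value = line.partition(":")
            trailer[key.strip()] = value.strip()
            continue
        if cur is None:
            continue
        m = re.match(r"(Type|Subtype|Result):\s*(.*)", line)
        if m:
            cur[m.group(1).lower()] = m.group(2).strip()
            continue
        # "in id=..."/"out id=..." carries the matched rule's domain and deny flag
        m = re.match(r"(?:in|out) id=.*?domain=([^,]+).*?deny=(\w+)", line)
        if m:
            cur["rule"].update(domain=m.group(1), deny=(m.group(2) == "true"))
            continue
        m = re.match(r"(src|dst) ip/id=([^,]+)", line)
        if m:
            cur["rule"][m.group(1)] = m.group(2)
    return phases, trailer

def triage(text):
    """Summarise where and why the flow was dropped (None fields when allowed)."""
    phases, trailer = parse_phases(text)
    dropped = next((p for p in phases if p.get("result") == "DROP"), None)
    rule = dropped["rule"] if dropped else {}
    return {
        "phase_count": len(phases),
        "drop_phase": dropped["phase"] if dropped else None,
        "drop_domain": rule.get("domain"),
        "flow": (rule.get("src"), rule.get("dst")) if dropped else None,
        "drop_reason": trailer.get("Drop-reason"),
    }

# Constructed sample: a condensed copy of the run-together Phase 10/11 dump
# from this thread, with its line breaks lost exactly as in the paste.
SAMPLE = (
    "Phase: 10 Type: VPN Subtype: ipsec-tunnel-flow Result: ALLOW Config: "
    "Additional Information: Forward Flow based lookup yields rule: "
    "in id=0xadfd1e38, priority=13, domain=ipsec-tunnel-flow, deny=true "
    "hits=2763, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0 "
    "src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 "
    "dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0 "
    "input_ifc=inside, output_ifc=any "
    "Phase: 11 Type: VPN Subtype: encrypt Result: DROP Config: "
    "Additional Information: Forward Flow based lookup yields rule: "
    "out id=0xaced3b88, priority=70, domain=encrypt, deny=false "
    "hits=1, user_data=0x0, cs_id=0xae04fa28, reverse, flags=0x0, protocol=0 "
    "src ip/id=201.201.201.202, mask=255.255.255.255, port=0, tag=0 "
    "dst ip/id=202.202.202.265, mask=255.255.255.255, port=0, tag=0, dscp=0x0 "
    "input_ifc=any, output_ifc=outside "
    "Result: input-interface: inside input-status: up input-line-status: up "
    "output-interface: outside output-status: up output-line-status: up "
    "Action: drop Drop-reason: (acl-drop) Flow is denied by configured rule"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the sample this reports the drop in phase 11, domain `encrypt`, for the flow 201.201.201.202 -> 202.202.202.265, which is the post-NAT identity the crypto map was handed; that is the pair to compare against the crypto ACL, not the 192.168.2.5 address typed into packet-tracer.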

 

7 Replies

Hi

This is a lot of information.

You don't need NAT, first off.

The idea of a VPN is to connect two remote networks as if they were on the same site.

When a packet from the inside of Site A leaves the outside firewall interface, the packet is encapsulated and tunneled through the internet all the way to the next firewall. Then the packet is decapsulated and delivered on the inside interface of Site B. All the complexity of the Internet is left behind by tunneling the traffic.

It is possible for you, from Site A, to ping the inside network of Site B just fine.

You just need to make sure the VPN was created correctly. For now, share the whole output of:

Show crypto isamak sa

Show crypto ipsec sa

If possible also share the firewall show running-config.

 

-If I helped you somehow, please, rate it as useful.-

 

 

 

Thanks Flavio. However, the VPN is NOT up; so I can't ping the inside network of Site B.

 

* The reason I am using NAT, is because the host 192.168.2.5 must go out to the internet with the ip 201.201.201.202.

 

Show crypto isamak sa (Did you mean isakmp?)

ASA5510# show crypto isakmp sa

IKEv1 SAs:

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: REMOVED_FOR_SECURITY_REASONS
    Type    : L2L             Role    : responder 
    Rekey   : no              State   : MM_ACTIVE 
2   IKE Peer: REMOVED_FOR_SECURITY_REASONS
    Type    : user            Role    : responder 
    Rekey   : no              State   : AM_ACTIVE

 

 

Show crypto ipsec sa (This command returns a lot of private information; instead, I ran show crypto ikev1 sa)

ASA5510# show crypto ikev1 sa

IKEv1 SAs:

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: REMOVED_FOR_SECURITY_REASONS
    Type    : L2L             Role    : responder 
    Rekey   : no              State   : MM_ACTIVE 
2   IKE Peer: REMOVED_FOR_SECURITY_REASONS
    Type    : user            Role    : responder 
    Rekey   : no              State   : AM_ACTIVE

 

If possible also share the firewall show running-config. For security reasons, I can only show you some specific firewall rules; just ask for whatever you need:

interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 201.201.201.201 255.255.255.248

interface Ethernet0/3.99
 vlan 99      
 nameif inside
 security-level 100
 ip address 192.168.9.254 255.255.255.0

access-list outside_cryptomap_4 extended permit object-group DM_INLINE_PROTOCOL_1 host 201.201.201.202 object 202.202.202.265 
access-list outside_cryptomap_4 extended permit object-group DM_INLINE_PROTOCOL_2 object 201.201.201.202 object 202.202.202.266

nat (inside,any) source static inside-network inside-network destination static DM_INLINE_NETWORK_9 DM_INLINE_NETWORK_9
nat (inside,outside) source static 192.168.2.5 201.201.201.202 destination static 202.202.202.265 202.202.202.265
nat (any,outside) after-auto source dynamic any interface

access-group outside_access_in in interface outside
access-group VIRS_access_in in interface VIRS
access-group dmz_access_in in interface dmz
access-group admin_access_in in interface admin
access-group inside_access_in in interface inside

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TUNNEL esp-aes-256 esp-sha-hmac

crypto map ouside_map_vpn_test 1 match address outside_cryptomap_4
crypto map ouside_map_vpn_test 1 set pfs 
crypto map ouside_map_vpn_test 1 set peer 202.202.202.201
crypto map ouside_map_vpn_test 1 set ikev1 transform-set ESP-AES-256-SHA-TUNNEL
crypto map ouside_map_vpn_test 65535 ipsec-isakmp dynamic outside_dyn_map2
crypto map ouside_map_vpn_test interface outside
crypto ca trustpool policy

 

 

The way I see it, if you are using NAT then you don't need VPN, and vice versa. Not saying they are the same thing but, as I said, VPN is helpful to abstract the complexity of the NAT and routing.

You can't encrypt the firewall IP address. Your traffic of interest must be some network behind the firewall.

 

You are permitting the valid IP address on your crypto map. I didn't see you permitting the 192 IP, however. The packet won't be encrypted.

  

 

-If I helped you somehow, please, rate it as useful.-

VPN is meant to be a secure tunnel. That is all. If you want to do NAT, you can do it, but you won't have a secure tunnel behind it.

 

When I configure the vpn with my local network being my internal ip 192.168.2.5, I get the same error (acl-drop).

 

Site B notes (Sent by them to me):

 

Phase 1:

Encryption: aes-256-cbc

Authentication: sha256

DH Group: Group5

Lifetime: 24h

ikev1

ACL: Local network 201.201.201.202

ACL: Remote network 202.202.202.265

ACL: protocol any

 

Phase 2:

ESP/AH: ESP

Encryption: aes-256-cbc

Authentication: sha256

DH group: group2

Lifetime: 28800 seconds

ikev1

ACL: Local network 202.202.202.265

ACL: Remote network 201.201.201.202

ACL: protocol any

 

We both can ping site-A > Site-B firewalls.

 

 

ACL: Local network 202.202.202.265

ACL: Remote network 201.201.201.202

 

I think your local network should be 192.x.x.x and the remote network should be the network you want to access on the remote site.

 

 

 

-If I helped you somehow, please, rate it as useful.-

As mentioned before, I have already tried that:

 

- Some notes:

 

202.202.202.265 = Site-B host that I need to access

192.168.2.5 = The internal IP of Site-A host that Site-B needs to access

201.201.201.202 = Public IP for 192.168.2.5

 

 

Phase: 9      
Type: VPN     
Subtype: encrypt
Result: DROP  
Config:       
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xae394b00, priority=70, domain=encrypt, deny=false
        hits=1, user_data=0x0, cs_id=0xae04fa28, reverse, flags=0x0, protocol=0
        src ip/id=192.168.2.5, mask=255.255.255.255, port=0, tag=0
        dst ip/id=202.202.202.265, mask=255.255.255.255, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=outside
              
Result:       
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop  
Drop-reason: (acl-drop) Flow is denied by configured rule

show nat:
15 (inside) to (outside) source static 192.168.2.5 192.168.2.5 destination static 202.202.202.265 202.202.202.265
    translate_hits = 1, untranslate_hits = 1

ASA5510# show access-list outside_cryptomap_4
access-list outside_cryptomap_4; 3 elements; name hash: 0x2ebb504c
access-list outside_cryptomap_4 line 1 extended permit ip host 192.168.2.5 host 202.202.202.265 (hitcnt=3) 0x6ec24521
access-list outside_cryptomap_4 line 1 extended permit icmp host 192.168.2.5 host 202.202.202.265 (hitcnt=0) 0x6f9d08b3
access-list outside_cryptomap_4 line 1 extended permit tcp host 192.168.2.5 host 202.202.202.265 (hitcnt=0) 0xa29397f9

 

 

Just providing a more complete "show running configuration":

 

 

ASA5510# show running-config 

interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 201.201.201.201 255.255.255.248

             
interface Ethernet0/3.99
 vlan 99      
 nameif inside
 security-level 100
 ip address 192.168.2.254 255.255.255.0 
        
object network 201.201.201.202
 host 201.201.201.202
object network 192.168.2.5
 host 192.168.2.5

object-group network DM_INLINE_NETWORK_16
 network-object object 202.202.202.265
 network-object object 202.202.202.266

access-list outside_cryptomap_4 extended permit ip host 201.201.201.202 object-group DM_INLINE_NETWORK_16 

nat (inside,outside) source static 192.168.2.5 201.201.201.202 destination static 202.202.202.265 202.202.202.265


access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group admin_access_in in interface admin
access-group inside_access_in in interface inside

crypto ipsec ikev1 transform-set ESP-AES-SHA-256 esp-aes-256 esp-sha-hmac 

crypto map outside_map_s2s_vpn 1 match address outside_cryptomap_4
crypto map outside_map_s2s_vpn 1 set pfs 
crypto map outside_map_s2s_vpn 1 set peer 202.202.202.201 
crypto map outside_map_s2s_vpn 1 set ikev1 transform-set ESP-AES-SHA-256
crypto map outside_map_s2s_vpn 65535 ipsec-isakmp dynamic outside_dyn_map2
crypto map outside_map_s2s_vpn interface outside

crypto ikev1 enable outside (This one is being used by another S2S VPN)
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha     
 group 2      
 lifetime 86400

crypto ikev1 policy 2
 authentication pre-share
 encryption aes-256
 hash sha     
 group 5      
 lifetime 86400

group-policy GroupPolicy_202.202.202.201 internal
group-policy GroupPolicy_202.202.202.201 attributes
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol ikev1 

tunnel-group 202.202.202.201 type ipsec-l2l
tunnel-group 202.202.202.201 general-attributes
 default-group-policy GroupPolicy_202.202.202.201
tunnel-group 202.202.202.201 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
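The running-config above pairs a `nat (inside,outside) source static 192.168.2.5 201.201.201.202 destination static ...` rule with the crypto ACL `outside_cryptomap_4`, and earlier in the thread the same ACL was written for `host 192.168.2.5` while the packet-tracer encrypt lookup showed `src ip/id=201.201.201.202`. The script below is an added example written for this thread (it is neither Cisco code nor the poster's configuration): it emulates the ASA order of operations for one flow, NAT first and then the crypto ACL lookup, and flags ACEs that only match the pre-NAT identity. It models the local side only; it says nothing about whether the peer accepts the resulting proxy identities. Assumptions: NAT object names are the addresses they hold (as in the config above, where `object network 201.201.201.202` is `host 201.201.201.202`); crypto ACEs use the `host A host B` form (other forms are ignored); and 203.0.113.65 is a constructed stand-in for the Site B host, since the thread's 202.202.202.265 is not a valid IPv4 address.

```python
"""Check an ASA crypto ACL against the flow identity it is actually handed.

Added example for this thread; neither Cisco code nor the poster's config.
On the ASA, NAT is applied before the crypto map lookup, so the crypto ACL
must describe the translated (mapped) source, which is what the
"src ip/id=201.201.201.202" lines in the thread's packet-tracer output show.
Assumptions: NAT object names are the addresses they hold; ACEs use the
"host A host B" form (others are ignored); 203.0.113.65 is a constructed
stand-in for the Site B host.
"""
import ipaddress
import re

NAT_RE = re.compile(
    r"nat \((?P<ifc_in>\w+),(?P<ifc_out>\w+)\) source static "
    r"(?P<real_src>\S+) (?P<mapped_src>\S+)"
    r"(?: destination static (?P<real_dst>\S+) (?P<mapped_dst>\S+))?"
)
ACE_RE = re.compile(
    r"access-list (?P<acl>\S+)(?: line \d+)? extended permit (?P<proto>\S+) "
    r"host (?P<src>\S+) host (?P<dst>\S+)"
)

def host(name):
    """Resolve an object name to an address (assumption: names are addresses)."""
    return ipaddress.ip_address(name)      # raises ValueError on a bad address

def parse(config_lines):
    nat, aces = [], []
    for line in config_lines:
        m = NAT_RE.match(line.strip())
        if m:
            nat.append(m.groupdict())
            continue
        m = ACE_RE.match(line.strip())
        if m:
            aces.append(m.groupdict())
    return nat, aces

def translate(src, dst, nat_rules):
    """Return the (src, dst) the crypto map will see: first matching static
    rule wins, identity NAT (X X) changes nothing, no match means untranslated."""
    for rule in nat_rules:
        if host(src) != host(rule["real_src"]):
            continue
        if rule["real_dst"] and host(dst) != host(rule["real_dst"]):
            continue
        return rule["mapped_src"], rule["mapped_dst"] or dst
    return src, dst

def match_ace(src, dst, proto, aces):
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if host(ace["src"]) == host(src) and host(ace["dst"]) == host(dst):
            return ace
    return None

def diagnose(config_lines, src, dst, proto="ip"):
    """Emulate NAT-then-crypto-ACL for one flow and flag stale ACEs."""
    nat, aces = parse(config_lines)
    nat_src, nat_dst = translate(src, dst, nat)
    hit = match_ace(nat_src, nat_dst, proto, aces)
    # ACEs written for the pre-NAT identity match what the admin typed into
    # packet-tracer, but never what the crypto map is handed.
    stale = []
    if (nat_src, nat_dst) != (src, dst):
        stale = [a for a in aces if match_ace(src, dst, proto, [a])]
    return {
        "post_nat_flow": (nat_src, nat_dst),
        "verdict": "encrypt" if hit else "acl-drop",
        "matched_ace": None if hit is None else f'{hit["src"]} -> {hit["dst"]}',
        "stale_aces": [f'{a["src"]} -> {a["dst"]}' for a in stale],
    }

# Constructed sample lines, modelled on the thread's nat / access-list output.
SITE_A_NAT = ("nat (inside,outside) source static 192.168.2.5 201.201.201.202 "
              "destination static 203.0.113.65 203.0.113.65")
ACE_PRE_NAT = ("access-list outside_cryptomap_4 extended permit ip "
               "host 192.168.2.5 host 203.0.113.65")
ACE_POST_NAT = ("access-list outside_cryptomap_4 extended permit ip "
                "host 201.201.201.202 host 203.0.113.65")

if __name__ == "__main__":
    for label, cfg in (("pre-NAT ACE", [SITE_A_NAT, ACE_PRE_NAT]),
                       ("post-NAT ACE", [SITE_A_NAT, ACE_POST_NAT])):
        print(label, diagnose(cfg, "192.168.2.5", "203.0.113.65"))
```

With the static NAT in place, the `host 192.168.2.5` ACE is reported as stale and the flow as `acl-drop`; with an identity NAT (`192.168.2.5 192.168.2.5`) the same ACE matches, which is the combination Flavio's advice leads to. Either way, the crypto ACL and the NAT rule have to agree on the identity the peer will see.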