11-28-2022 09:53 PM
I am trying to set up an L2L IPsec VPN between a Cisco ASA and a pfSense software firewall. The VPN tunnel comes up, but the issue is that something in my ASA will not let the local traffic go through the tunnel.
When I ping from the pfSense side, I see the traffic going through the tunnel and hitting the ASA, but the ASA is unable to respond.
This is how I configured my ASA (relevant portions):
crypto ipsec ikev1 transform-set TFS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set DALLAS esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map DYNMAP 1 set ikev1 transform-set TFS
crypto map CMAP 1 ipsec-isakmp dynamic DYNMAP
crypto map CMAP 3 match address DALLAS
crypto map CMAP 3 set peer 123.123.123.123
crypto map CMAP 3 set ikev1 transform-set DALLAS
crypto map CMAP interface WAN
crypto ca trustpool policy
crypto ikev1 enable WAN
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime none
crypto ikev1 policy 2
authentication pre-share
encryption aes
hash sha
group 14
lifetime none
crypto ikev1 policy 3
authentication pre-share
encryption aes-256
hash sha
group 14
lifetime none
---
access-list SPLITTUNNEL standard permit 192.168.0.0 255.255.255.0
access-list DALLAS extended permit ip object LAN object DALLAS_IP
access-list DALLAS extended permit ip object DALLAS_IP object LAN
---
tunnel-group 123.123.123.123 type ipsec-l2l
tunnel-group 123.123.123.123 ipsec-attributes
ikev1 pre-shared-key *****
---
nat (GI5,WAN) source static LAN LAN destination static VPN VPN no-proxy-arp route-lookup
nat (GI4,WAN) source static LAN LAN destination static VPN VPN no-proxy-arp route-lookup
nat (GI6,WAN) source dynamic LAN interface
nat (GI2,WAN) source dynamic LAN interface
nat (GI3,WAN) source dynamic LAN interface
nat (GI4,WAN) source dynamic LAN interface
nat (GI7,WAN) source dynamic LAN interface
nat (GI8,WAN) source dynamic LAN interface
nat (any,WAN) source static LAN LAN destination static DALLAS_IP DALLAS_IP
!
object network GI5
nat (GI5,WAN) dynamic interface
1. Adding a static route: route WAN 192.168.100.0 255.255.255.0 123.123.123.123
2. Adding different NAT rules to NAT the LAN to the DALLAS_IP remote subnet.
Now this is what I get when I try running a packet trace:
ASA(config)# packet-tracer input GI5 icmp 192.168.0.25 1 1 192.168.100.99
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (any,WAN) source static LAN LAN destination static DALLAS_IP DALLAS_IP
Additional Information:
NAT divert to egress interface WAN
Untranslate 192.168.100.99/0 to 192.168.100.99/0
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (any,WAN) source static LAN LAN destination static DALLAS_IP DALLAS_IP
Additional Information:
Static translate 192.168.0.25/0 to 192.168.0.25/0
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (any,WAN) source static LAN LAN destination static DALLAS_IP DALLAS_IP
Additional Information:
Static translate 192.168.0.25/0 to 192.168.0.25/0
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: GI5
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000556b4d48c9f5 flow (NA)/NA
Now, an error like that, claiming an ACL is denying the traffic, is confusing when the pfSense firewall has the correct ACLs configured, as does the ASA. I'm basically mentally defeated at this point by a black metal box and have no idea what could possibly be the issue... Any ideas?
11-29-2022 03:17 AM
You need to change the packet-tracer command to:
packet-tracer input GI5 icmp 192.168.0.25 8 0 192.168.100.99 detailed
Share the output here.
11-29-2022 04:42 AM
This is what I'm getting:
ASA(config)# packet-tracer input GI5 icmp 192.168.0.25 8 0 192.168.10$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f1e265f1c60, priority=1, domain=permit, deny=false
hits=478727, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=GI5, output_ifc=any
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (any,WAN) source static LAN LAN destination static DALLAS_IP DALLAS_IP
Additional Information:
NAT divert to egress interface WAN
Untranslate 192.168.100.99/0 to 192.168.100.99/0
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (any,WAN) source static LAN LAN destination static DALLAS_IP DALLAS_IP
Additional Information:
Static translate 192.168.0.25/0 to 192.168.0.25/0
Forward Flow based lookup yields rule:
in id=0x7f1e279f2700, priority=6, domain=nat, deny=false
hits=68, user_data=0x7f1e277a8e90, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.0.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.100.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=WAN
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f1e25079ad0, priority=0, domain=nat-per-session, deny=true
hits=131048, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f1e26604200, priority=0, domain=inspect-ip-options, deny=true
hits=56457, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=GI5, output_ifc=any
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (any,WAN) source static LAN LAN destination static DALLAS_IP DALLAS_IP
Additional Information:
Static translate 192.168.0.25/0 to 192.168.0.25/0
Forward Flow based lookup yields rule:
in id=0x7f1e279f2700, priority=6, domain=nat, deny=false
hits=69, user_data=0x7f1e277a8e90, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.0.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.100.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=WAN
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f1e25079ad0, priority=0, domain=nat-per-session, deny=true
hits=131049, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f1e2682daf0, priority=0, domain=inspect-ip-options, deny=true
hits=31822, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=LAN, output_ifc=any
Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f1e27884e20, priority=70, domain=inspect-icmp, deny=false
hits=198, user_data=0x7f1e27879e70, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=LAN, output_ifc=any
Phase: 10
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f1e2682d300, priority=66, domain=inspect-icmp-error, deny=false
hits=218, user_data=0x7f1e2682cb90, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=LAN, output_ifc=any
Phase: 11
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f1e278beb40, priority=70, domain=encrypt, deny=false
hits=245, user_data=0x0, cs_id=0x7f1e26857d10, reverse, flags=0x0, protocol=0
src ip/id=192.168.0.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.100.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=WAN
Result:
input-interface: GI5
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000556b4d48c9f5 flow (NA)/NA
11-29-2022 04:56 AM
crypto map CMAP 1 ipsec-isakmp dynamic DYNMAP
crypto map CMAP 3 match address DALLAS
crypto map CMAP 3 set peer 123.123.123.123
crypto map CMAP 3 set ikev1 transform-set DALLAS
Why are there two CMAP sequences, 1 and 3?
11-29-2022 05:09 AM
CMAP 1 is for the remote access VPN clients.
11-30-2022 03:21 AM
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f1e278beb40, priority=70, domain=encrypt, deny=false
hits=245, user_data=0x0, cs_id=0x7f1e26857d10, reverse, flags=0x0, protocol=0
src ip/id=192.168.0.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.100.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=WAN
user_data=0x0
This means that there is no IPsec SA active.
Can you show:
show vpn-sessiondb l2l detail
11-30-2022 04:11 PM
Looks like it's active to me:
ASA# show vpn-sessiondb l2l
Session Type: LAN-to-LAN
Connection : 123.123.123.123
Index : 41 IP Addr : 123.123.123.123
Protocol : IKEv1 IPsec
Encryption : IKEv1: (1)AES256 IPsec: (1)AES128
Hashing : IKEv1: (1)SHA1 IPsec: (1)SHA1
Bytes Tx : 0 Bytes Rx : 512607
Login Time : 23:00:37 CST Tue Nov 29 2022
Duration : 20h:05m:30s
12-01-2022 07:24 AM - edited 12-01-2022 08:08 AM
ASA# show vpn-sessiondb l2l
Session Type: LAN-to-LAN
Connection : 123.123.123.123
Index : 41 IP Addr : 123.123.123.123
Protocol : IKEv1 IPsec
Encryption : IKEv1: (1)AES256 IPsec: (1)AES128
Hashing : IKEv1: (1)SHA1 IPsec: (1)SHA1
Bytes Tx : 0 Bytes Rx : 512607
Login Time : 23:00:37 CST Tue Nov 29 2022
Duration : 20h:05m:30s
Bytes Tx : 0 <<<-- This is what I am looking for: the tunnel is not forwarding traffic.
We checked the UN-NAT and it works.
The other possibility is that the traffic is not hitting the ACL of the IPsec L2L.
Can you run show access-list
and check whether there are hits or not?
Note: also double-check the route toward the remote peer.
12-02-2022 05:34 AM
This is what show access-list outputs:
ASA(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list OUTSIDE_IN; 4 elements; name hash: 0xe01d8199
access-list OUTSIDE_IN line 1 extended permit tcp any object FORWARD_HTTP eq www (hitcnt=0) 0xdca8b5be
access-list OUTSIDE_IN line 1 extended permit tcp any host 192.168.0.25 eq www (hitcnt=0) 0xdca8b5be
access-list OUTSIDE_IN line 2 extended permit tcp any object FORWARD_HTTPS eq https (hitcnt=6) 0x358fc38e
access-list OUTSIDE_IN line 2 extended permit tcp any host 192.168.0.25 eq https (hitcnt=6) 0x358fc38e
access-list OUTSIDE_IN line 3 extended permit tcp any object FORWARD_PLEX eq 32400 (hitcnt=0) 0x02dbbe97
access-list OUTSIDE_IN line 3 extended permit tcp any host 192.168.0.25 eq 32400 (hitcnt=0) 0x02dbbe97
access-list OUTSIDE_IN line 4 extended permit tcp object-group ALLOWED_SSH_HOSTS object FORWARD_SSH eq ssh (hitcnt=0) 0x50240153
access-list OUTSIDE_IN line 4 extended permit tcp host 111.111.111.111 host 192.168.0.25 eq ssh (hitcnt=0) 0x1a38431d
access-list SPLITTUNNEL; 1 elements; name hash: 0xbd0c67f8
access-list SPLITTUNNEL line 1 standard permit 192.168.0.0 255.255.255.0 (hitcnt=0) 0x2d433d36
access-list DALLAS; 2 elements; name hash: 0x676a0fd4
access-list DALLAS line 1 extended permit ip object LAN object DALLAS_IP (hitcnt=11436) 0xbc190b6c
access-list DALLAS line 1 extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0 (hitcnt=11436) 0xbc190b6c
access-list DALLAS line 2 extended permit ip object DALLAS_IP object LAN (hitcnt=0) 0x1c3a78c2
access-list DALLAS line 2 extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0 (hitcnt=0) 0x1c3a78c2
Currently I do not have a route; it did not work the last time I added it, but I can try adding it again. Perhaps I added it the wrong way.
Previously I was adding the route like this: route WAN 192.168.100.0 255.255.255.0 123.123.123.123
When I try to add "tunneled" at the end, I get this error: "ERROR: tunneled option cannot be specified for non-default routes".
12-02-2022 05:53 AM
You use
crypto map CMAP 3 match address DALLAS
access-list DALLAS line 1 extended permit ip object LAN object DALLAS_IP (hitcnt=11436) 0xbc190b6c
access-list DALLAS line 1 extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0 (hitcnt=11436) 0xbc190b6c
access-list DALLAS line 2 extended permit ip object DALLAS_IP object LAN (hitcnt=0) 0x1c3a78c2
access-list DALLAS line 2 extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0 (hitcnt=0) 0x1c3a78c2
and I see two lines for DALLAS???
That is what makes the issue here.
You need only one line: the ACL is bidirectional, it checks the traffic both ways, so you need only one.
The ACL must be
access-list DALLAS extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN
That's it, no need for a second line.
12-02-2022 05:54 AM
For the route, keep it as it was before. There is no issue with the route; the issue is with the ACL, as I mentioned below.
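As an added illustration of the two checks the replies above rely on (not code from the thread or from Cisco), a small Python lint that flags a mirrored entry in a crypto-map match ACL and an L2L session whose "Bytes Tx" is 0. The sample config and session output are constructed from the lines quoted in the thread; the object names LAN and DALLAS_IP and the peer address are taken from it.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the crypto ACL and crypto map lines quoted in the thread.
SAMPLE_CONFIG = """\
access-list DALLAS extended permit ip object LAN object DALLAS_IP
access-list DALLAS extended permit ip object DALLAS_IP object LAN
crypto map CMAP 3 match address DALLAS
"""
# Constructed sample of 'show vpn-sessiondb l2l' output, as in the thread.
SAMPLE_SESSIONDB = """\
Session Type: LAN-to-LAN
Connection : 123.123.123.123
Bytes Tx : 0 Bytes Rx : 512607
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip object (\S+) object (\S+)$")
MAP_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")
SESS_RE = re.compile(r"Connection\s*:\s*(\S+)|Bytes Tx\s*:\s*(\d+)")

def parse_acls(config: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map ACL name -> ordered (src_object, dst_object) pairs."""
    acls: Dict[str, List[Tuple[str, str]]] = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return acls

def mirrored_crypto_entries(config: str) -> List[Tuple[str, str, str]]:
    """Entries of a crypto-map match ACL whose reverse appeared earlier.
    The crypto ACL is evaluated both ways, so the mirror is redundant."""
    acls = parse_acls(config)
    names = [m.group(1) for l in config.splitlines() if (m := MAP_RE.match(l.strip()))]
    findings = []
    for name in names:
        seen = set()
        for src, dst in acls.get(name, []):
            if (dst, src) in seen:
                findings.append((name, src, dst))
            seen.add((src, dst))
    return findings

def remove_mirrored_entries(config: str) -> str:
    """Return the config with the mirrored crypto ACL lines dropped."""
    drop = {f"access-list {a} extended permit ip object {s} object {d}"
            for a, s, d in mirrored_crypto_entries(config)}
    return "\n".join(l for l in config.splitlines() if l.strip() not in drop) + "\n"

def sessions_with_zero_tx(sessiondb: str) -> List[str]:
    """Peers whose L2L session shows 'Bytes Tx : 0': traffic is received
    from the peer but nothing is being sent into the tunnel."""
    peer, result = None, []
    for m in SESS_RE.finditer(sessiondb):
        if m.group(1):
            peer = m.group(1)
        elif m.group(2) == "0" and peer:
            result.append(peer)
    return result
```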
12-02-2022 06:29 AM
Alrighty, so I removed the inverse ACL I had previously, so the DALLAS ACL looks like this now:
access-list DALLAS extended permit ip object LAN object DALLAS_IP
I re-added the route I mentioned: route WAN 192.168.100.0 255.255.255.0 123.123.123.123
I restarted the tunnel and still see the same with show vpn-sessiondb l2l:
ASA(config)# show vpn-sessiondb l2l
Session Type: LAN-to-LAN
Connection : 123.123.123.123
Index : 109 IP Addr : 123.123.123.123
Protocol : IKEv1 IPsec
Encryption : IKEv1: (1)AES256 IPsec: (1)AES128
Hashing : IKEv1: (1)SHA1 IPsec: (1)SHA1
Bytes Tx : 0 Bytes Rx : 22932
Login Time : 09:14:25 CST Fri Dec 2 2022
Duration : 0h:04m:39s
I have a ping running on both ends of the tunnel.
Now show access-list only shows one DALLAS line:
access-list DALLAS; 1 elements; name hash: 0x676a0fd4
access-list DALLAS line 1 extended permit ip object LAN object DALLAS_IP (hitcnt=17658) 0xbc190b6c
access-list DALLAS line 1 extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0 (hitcnt=17658) 0xbc190b6c
And running packet tracer shows this:
ASA(config)# packet-tracer input GI5 icmp 192.168.0.25 8 0 192.168.100.99 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f1e265f1c60, priority=1, domain=permit, deny=false
hits=7168014, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=GI5, output_ifc=any
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (any,WAN) source static LAN LAN destination static DALLAS_IP DALLAS_IP
Additional Information:
NAT divert to egress interface WAN
Untranslate 192.168.100.99/0 to 192.168.100.99/0
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (any,WAN) source static LAN LAN destination static DALLAS_IP DALLAS_IP
Additional Information:
Static translate 192.168.0.25/0 to 192.168.0.25/0
Forward Flow based lookup yields rule:
in id=0x7f1e26874db0, priority=6, domain=nat, deny=false
hits=898, user_data=0x7f1e26863260, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.0.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.100.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=WAN
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f1e25079ad0, priority=0, domain=nat-per-session, deny=true
hits=1530065, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f1e26604200, priority=0, domain=inspect-ip-options, deny=true
hits=593317, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=GI5, output_ifc=any
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (any,WAN) source static LAN LAN destination static DALLAS_IP DALLAS_IP
Additional Information:
Static translate 192.168.0.25/0 to 192.168.0.25/0
Forward Flow based lookup yields rule:
in id=0x7f1e26874db0, priority=6, domain=nat, deny=false
hits=899, user_data=0x7f1e26863260, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.0.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.100.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=WAN
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f1e25079ad0, priority=0, domain=nat-per-session, deny=true
hits=1530066, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f1e2682daf0, priority=0, domain=inspect-ip-options, deny=true
hits=244400, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=LAN, output_ifc=any
Phase: 9
Type: INSPECT
Subtype: np-inspect
R