05-12-2011 10:47 AM
Hello, please can someone take a look at this weird problem; it might be staring me in the face.
I've set up a site-to-site VPN tunnel; both sides have 192.168.1.0 networks, so we need to NAT before using the tunnel.
I've configured a textbook script, but it's dropping traffic that has been allowed?
I'm hiding behind 192.168.124.0 and they are hiding a host server behind 192.168.123.24.
(allows outbound traffic from dmz interface)
access-list dmz extended permit ip 192.168.1.0 255.255.255.0 192.168.123.0 255.255.255.0 log
access-group dmz in interface dmz
(defines which IP addresses get natted)
access-list policyNAT extended permit ip 192.168.1.0 255.255.255.0 192.168.123.0 255.255.255.0
(if 192.168.1.x goes to 192.168.123.x - then change source IP to 192.168.124.x)
static (dmz,outside) 192.168.124.0 access-list policyNAT
(standard transform set stuff)
crypto ipsec transform-set trans esp-3des esp-sha-hmac
(define which traffic to tunnel, my side NAT to their end)
access-list TUNNEL extended permit ip 192.168.124.0 255.255.255.0 host 192.168.123.24 log
crypto map outside_map 40 match address TUNNEL
crypto map outside_map 40 set peer X.X.X.X
crypto map outside_map 40 set transform-set trans
crypto map outside_map interface outside
crypto isakmp enable outside
(standard stuff)
crypto isakmp policy 15
authentication pre-share
encryption 3des
hash sha
group 2
(standard stuff)
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key *
Now look at this please: when using the packet tracer on the ASA, everything is fine until it gets to the VPN encryption ACL, then it drops the traffic?!
ISAASA01# packet-tracer input dmz icmp 192.168.1.55 1 8 192.168.123.24 detail
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.123.0 255.255.255.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz in interface dmz
access-list dmz extended permit ip 192.168.1.0 255.255.255.0 192.168.123.0 255.255.255.0 log
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc545798, priority=12, domain=permit, deny=false
hits=22478, user_data=0xcc061890, cs_id=0x0, flags=0x0, protocol=0
src ip=192.168.1.0, mask=255.255.255.0, port=0
dst ip=192.168.123.0, mask=255.255.255.0, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc8990f88, priority=0, domain=permit-ip-option, deny=true
hits=29153180, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc898fdf0, priority=66, domain=inspect-icmp-error, deny=false
hits=2564961, user_data=0xc8a3bba0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbcdaaf8, priority=12, domain=debug-icmp-trace, deny=false
hits=2503388, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
static (dmz,outside) 192.168.124.0 access-list creativeNAT
match ip dmz 192.168.1.0 255.255.255.0 outside 192.168.123.0 255.255.255.0
static translation to 192.168.124.0
translate_hits = 22486, untranslate_hits = 0
Additional Information:
Static translate 192.168.1.0/0 to 192.168.124.0/0 using netmask 255.255.255.0
Forward Flow based lookup yields rule:
in id=0xc8aeb168, priority=5, domain=nat, deny=false
hits=22485, user_data=0xcc5a80a0, cs_id=0x0, flags=0x0, protocol=0
src ip=192.168.1.0, mask=255.255.255.0, port=0
dst ip=192.168.123.0, mask=255.255.255.0, port=0, dscp=0x0
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (dmz,outside) 192.168.124.0 access-list creativeNAT
match ip dmz 192.168.1.0 255.255.255.0 outside 192.168.123.0 255.255.255.0
static translation to 192.168.124.0
translate_hits = 22486, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc433460, priority=5, domain=host, deny=false
hits=164015, user_data=0xcc5a80a0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.1.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xc8f621a8, priority=70, domain=encrypt, deny=false
hits=1, user_data=0x0, cs_id=0xcbe41290, reverse, flags=0x0, protocol=0
src ip=192.168.124.0, mask=255.255.255.0, port=0
dst ip=192.168.123.0, mask=255.255.255.0, port=0, dscp=0x0
Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ISAASA01#
For real...
show crypto isakmp sa
3 IKE Peer: X.X.X.X
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
I did try the NAT exempt (nonat) access list, but it overrides the policy NAT and stopped it translating, so I took it off.
ICMP echo request translating dmz:192.168.1.55 to outside:192.168.124.55
ICMP echo request from dmz:192.168.1.55 to outside:192.168.123.24 ID=768 seq=6495 len=32
Any help greatly appreciated. I've mocked it up on a spare ASA and I'm still getting this problem.
Cheers hopefully, Tony
05-12-2011 02:27 PM
Based on "show crypto isakmp sa", the tunnel did not come up at all.
It was waiting for the 2nd IKE message. So, it's most likely that you sent the first IKE packet to the peer to initiate the VPN tunnel, but the peer did not respond to it. You might need to check the remote end.
Since there is no valid SA (the tunnel is not up), the packet has to be dropped.
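The answer's reasoning can be turned into a small triage routine: find the phase where packet-tracer dropped, confirm the post-NAT flow actually falls inside the crypto ACL (the check that rules out a NAT/crypto-ACL mismatch), and only then read the IKE state to explain why the encrypt phase has no SA to use. The script below is an added example, not part of the thread or of any Cisco tool; the sample inputs are trimmed from the outputs posted above, the function names and the IKE state table are this example's own, and the state meanings other than MM_WAIT_MSG2 are general IKEv1 main-mode troubleshooting knowledge rather than anything the thread states.

```python
"""Triage an ASA packet-tracer drop in the VPN encrypt phase (added example)."""
import ipaddress
import re

# Constructed sample: the relevant phases of the packet-tracer run from the post.
PACKET_TRACER = """\
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
static (dmz,outside) 192.168.124.0 access-list creativeNAT
Additional Information:
Static translate 192.168.1.0/0 to 192.168.124.0/0 using netmask 255.255.255.0
Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: dmz
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed sample: 'show crypto isakmp sa' from the post.
ISAKMP_SA = """\
3 IKE Peer: X.X.X.X
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
"""

# IKEv1 main-mode states as seen on the initiator. Assumption: only MM_WAIT_MSG2
# appears in the thread; the other meanings are general ASA troubleshooting lore.
IKE_STATES = {
    "MM_WAIT_MSG2": "sent MM1, no SA proposal reply from peer: peer unreachable, "
                    "UDP/500 blocked on the path, or no matching isakmp policy",
    "MM_WAIT_MSG4": "sent MM3, waiting for the peer's key exchange",
    "MM_WAIT_MSG6": "sent MM5, waiting for peer identity/auth: often a pre-shared-key mismatch",
    "MM_ACTIVE": "phase 1 complete",
}

PHASE_RE = re.compile(r"Phase: (\d+)\nType: (\S+)\n(?:Subtype: ?(.*)\n)?Result: (\w+)")


def parse_phases(text):
    """Return [(phase_no, type, subtype, result)] from packet-tracer output."""
    return [(int(n), t, st or "", r) for n, t, st, r in PHASE_RE.findall(text)]


def dropping_phase(text):
    """First phase whose Result is DROP, or None if everything was allowed."""
    return next((p for p in parse_phases(text) if p[3] == "DROP"), None)


def drop_reason(text):
    m = re.search(r"Drop-reason: (.*)", text)
    return m.group(1).strip() if m else None


def isakmp_state(text):
    """Return (peer, role, state) from 'show crypto isakmp sa'."""
    peer = re.search(r"IKE Peer: (\S+)", text).group(1)
    role = re.search(r"Role : (\w+)", text).group(1)
    state = re.search(r"State : (\w+)", text).group(1)
    return peer, role, state


def flow_matches_crypto_acl(src, dst, acl_src, acl_dst):
    """True if the post-NAT flow falls inside the crypto ACL's src/dst networks."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(acl_src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(acl_dst))


def triage(tracer, sa, translated_src, dst, acl_src, acl_dst):
    """Explain a VPN-phase drop: ACL mismatch first, then IKE phase-1 state."""
    phase = dropping_phase(tracer)
    if phase is None:
        return "no drop in packet-tracer output"
    if phase[1] != "VPN":
        return f"dropped in phase {phase[0]} ({phase[1]}): {drop_reason(tracer)}"
    if not flow_matches_crypto_acl(translated_src, dst, acl_src, acl_dst):
        return (f"translated flow {translated_src}->{dst} is outside crypto ACL "
                f"{acl_src}->{acl_dst}: fix the NAT or the crypto ACL")
    peer, role, state = isakmp_state(sa)
    meaning = IKE_STATES.get(state, "unknown IKE state")
    if state != "MM_ACTIVE":
        return (f"crypto ACL matches; drop is because no IPsec SA exists: "
                f"IKE with {peer} ({role}) is stuck in {state}: {meaning}")
    return "IKE phase 1 is up; check phase 2 (show crypto ipsec sa) and the proxy IDs"


if __name__ == "__main__":
    # Post-NAT source from the debug line in the post, crypto ACL TUNNEL from the config.
    print(triage(PACKET_TRACER, ISAKMP_SA, "192.168.124.55", "192.168.123.24",
                 "192.168.124.0/24", "192.168.123.24/32"))
```

The order of checks matters: a flow that is dropped in the encrypt phase can mean either that the crypto ACL does not cover the translated addresses or that the ACL matches but no SA exists. Passing the pre-NAT source (192.168.1.55) to the ACL check returns False, which is the mistake that policy NAT in front of a crypto map invites; passing the translated source returns True, which is what leaves the stuck IKE state as the only explanation.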