07-07-2014 07:00 PM
Hello all, I'm trying to set up this VPN. Before version 8.3 I could do it, but in this version I can't get the VPNs to work.
I have the action "drop" by rule, but I can't find what the rule is.
ms-5510#
ms-5510#
ms-5510# packet-tracer input Internet tcp 172.18.2.5 1025 172.18.2.2 80 detail
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.18.2.0 255.255.255.240 ADMIN1
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Internet_access_in in interface Internet
access-list Internet_access_in extended permit ip object POOL-VPN-ADMIN any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae39a668, priority=13, domain=permit, deny=false
hits=1, user_data=0xaaffef40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=172.18.2.5, mask=255.255.255.255, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=Internet, output_ifc=any
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad2b5ef8, priority=0, domain=nat-per-session, deny=false
hits=57160, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad949ba8, priority=0, domain=inspect-ip-options, deny=true
hits=23784, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=Internet, output_ifc=any
Phase: 5
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad86f188, priority=89, domain=punt, deny=true
hits=7, user_data=0xad196658, cs_id=0x0, flags=0x0, protocol=0
src ip/id=172.18.2.5, mask=255.255.255.255, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=Internet, output_ifc=any
Phase: 6
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae7cf468, priority=71, domain=svc-ib-tunnel-flow, deny=false
hits=7, user_data=0x22000, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=172.18.2.5, mask=255.255.255.255, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=Internet, output_ifc=any
Result:
input-interface: Internet
input-status: up
input-line-status: up
output-interface: ADMIN1
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ms-5510#
ms-5510# sh ver
Cisco Adaptive Security Appliance Software Version 9.1(5)
Device Manager Version 7.1(6)
Compiled on Thu 27-Mar-14 09:36 by builders
System image file is "disk0:/asa915-k8.bin"
Config file at boot was "startup-config"
ms-5510 up 12 days 11 hours
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz,
Internal ATA Compact Flash, 256MB
Slot 1: ATA Compact Flash, 64MB
BIOS Flash M50FW080 @ 0xfff00000, 1024KB
Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2_05
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.09
Number of accelerators: 1
0: Ext: Ethernet0/0 : address is 001d.459f.c23a, irq 9
1: Ext: Ethernet0/1 : address is 001d.459f.c23b, irq 9
2: Ext: Ethernet0/2 : address is 001d.459f.c23c, irq 9
3: Ext: Ethernet0/3 : address is 001d.459f.c23d, irq 9
4: Ext: Management0/0 : address is 001d.459f.c239, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 50 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 0 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 50 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual
This platform has a Base license.
Serial Number: JMX1146L00U
Running Permanent Activation Key: 0x32055b60 0xcc2a5157 0x20e28d38 0x989430c4 0x841ca9bb
Configuration register is 0x1
Configuration last modified by otorres at 00:55:51.015 UTC Tue Jul 8 2014
ms-5510#
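The question "what is the rule?" can be answered from the packet-tracer output itself: each phase prints a Result line, and the phase whose Result is DROP also prints the classifier entry (id, domain, deny) that matched. The parser below is an added example, not code from the original post or from Cisco; it assumes the line format exactly as ASA 9.1(5) printed it above, and its SAMPLE is a constructed, abridged copy of that output (phases 2 and 6 plus the final Result block). Run on the full paste it reports phase 6, type WEBVPN-SVC, domain svc-ib-tunnel-flow, rule id 0xae7cf468, which is where the drop happens, not in the ACCESS-LIST phase that the "(acl-drop)" wording suggests.

```python
from typing import Dict, List, Optional

# Constructed sample: an abridged copy of the packet-tracer output pasted in
# the post above, kept in the exact line format ASA 9.1(5) prints.
SAMPLE = """\
ms-5510# packet-tracer input Internet tcp 172.18.2.5 1025 172.18.2.2 80 detail
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Internet_access_in in interface Internet
access-list Internet_access_in extended permit ip object POOL-VPN-ADMIN any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae39a668, priority=13, domain=permit, deny=false
src ip/id=172.18.2.5, mask=255.255.255.255, port=0, tag=0
input_ifc=Internet, output_ifc=any
Phase: 6
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae7cf468, priority=71, domain=svc-ib-tunnel-flow, deny=false
hits=7, user_data=0x22000, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=172.18.2.5, mask=255.255.255.255, port=0, tag=0
input_ifc=Internet, output_ifc=any
Result:
input-interface: Internet
output-interface: ADMIN1
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def _parse_kv_line(line: str) -> Dict[str, str]:
    """Parse one 'k=v, k=v' classifier line. A leading 'in'/'out' is dropped;
    a leading 'src'/'dst' becomes a key prefix so the two masks do not collide.
    Bare flags such as 'reverse' or 'use_real_addr' are stored as 'true'."""
    prefix = ""
    head, _, rest = line.partition(" ")
    if head in ("in", "out"):
        line = rest
    elif head in ("src", "dst"):
        prefix, line = head + ".", rest
    out: Dict[str, str] = {}
    for token in line.split(","):
        token = token.strip()
        if "=" in token:
            k, v = token.split("=", 1)
            out[prefix + k.strip()] = v.strip()
        elif token:
            out[prefix + token] = "true"
    return out


def parse_packet_tracer(text: str) -> Dict[str, object]:
    """Split packet-tracer output into per-phase records and the final summary."""
    phases: List[Dict[str, object]] = []
    summary: Dict[str, str] = {}
    phase: Optional[Dict[str, object]] = None
    block: Optional[str] = None  # "config", "info" or "summary"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            phase = {"phase": int(line.split(":", 1)[1]), "type": "", "subtype": "",
                     "result": "", "config": [], "info": [], "rule": {}}
            phases.append(phase)
            block = None
        elif line == "Result:":  # bare 'Result:' opens the summary block
            block, phase = "summary", None
        elif block == "summary":
            k, _, v = line.partition(":")
            summary[k.strip()] = v.strip()
        elif phase is None:  # prompt or other text before the first phase
            continue
        elif line == "Config:":
            block = "config"
        elif line == "Additional Information:":
            block = "info"
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            k, _, v = line.partition(":")
            phase[k.strip().lower()] = v.strip()
        elif block == "config":
            phase["config"].append(line)
        elif block == "info":
            phase["info"].append(line)
            if "=" in line:
                phase["rule"].update(_parse_kv_line(line))
    return {"phases": phases, "summary": summary}


def explain_drop(text: str) -> Optional[Dict[str, object]]:
    """Return the phase that produced the DROP with its matched rule and the
    appliance's stated reason, or None when no phase dropped the packet."""
    report = parse_packet_tracer(text)
    for ph in report["phases"]:
        if ph["result"] == "DROP":
            return {"phase": ph["phase"], "type": ph["type"], "config": ph["config"],
                    "rule_id": ph["rule"].get("id"), "domain": ph["rule"].get("domain"),
                    "deny": ph["rule"].get("deny"),
                    "drop_reason": report["summary"].get("Drop-reason")}
    return None
```

One caveat on reading the result: the dropping entry shows deny=false in a WEBVPN-SVC domain, so this is not an access-list entry to go hunting for in the configuration. A packet-tracer run this way injects a cleartext packet on Internet with a source address from the client pool; it does not model a packet decrypted from the SSL/DTLS tunnel, so the drop it reports does not by itself show what happens to real client traffic. The captures suggested later in the thread test the real path.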
07-07-2014 08:29 PM
Hi,
I see that the VPN pool (172.18.2.5-172.18.2.6) overlaps with the subnet (172.18.2.0) that you need to access through the VPN tunnel. Please try using a different pool, or make sure proxy ARP is enabled.
I am assuming there is no NAT done on the device. Kindly share the output of "show run all sysopt" and "show run all | in nat-control".
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
07-07-2014 09:23 PM
My first choice two days ago was a different subnet, but it did not work, so I changed to the same subnet, thinking it might help me.
I attach the test with the different subnet; I have the same behavior.
ms-5510# show vpn-sessiondb full anyconnect
Session Type: AnyConnect
Session ID: 38
EasyVPN: 0
Username: ssluser
Group: FullSSL-GroupPolicy
Tunnel Group: FullSSL-ConnectionProfile
IP Addr: 172.18.2.17
Public IP: 189.154.226.140
Protocol: AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License: AnyConnect Premium
Session Subtype: Client only
Encryption: AnyConnect-Parent: (1)none SSL-Tunnel: (1)RC4 DTLS-Tunnel: (1)AES128
Login Time: 03:40:56 UTC Tue Jul 8 2014
Duration: 0h:00m:16s
Inactivity: 0h:00m:00s
Bytes Tx: 11030
Bytes Rx: 5878
NAC Result: Unknown
Posture Token:
VLAN Mapping: N/A
VLAN: 0
ms-5510#
ms-5510# packet-tracer input Internet tcp 172.18.2.17 1025 172.18.2.2 80 detail
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.18.2.0 255.255.255.240 ADMIN1
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Internet_access_in in interface Internet
access-list Internet_access_in extended permit ip object POOL-VPN-ADMIN any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad760ed8, priority=13, domain=permit, deny=false
hits=1, user_data=0xaafff240, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=172.18.2.17, mask=255.255.255.255, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=Internet, output_ifc=any
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad2b5ef8, priority=0, domain=nat-per-session, deny=false
hits=57898, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad949ba8, priority=0, domain=inspect-ip-options, deny=true
hits=24886, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=Internet, output_ifc=any
Phase: 5
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae726e98, priority=89, domain=punt, deny=true
hits=102, user_data=0xad196658, cs_id=0x0, flags=0x0, protocol=0
src ip/id=172.18.2.17, mask=255.255.255.255, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=Internet, output_ifc=any
Phase: 6
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae429570, priority=71, domain=svc-ib-tunnel-flow, deny=false
hits=102, user_data=0x26000, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=172.18.2.17, mask=255.255.255.255, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=Internet, output_ifc=any
Result:
input-interface: Internet
input-status: up
input-line-status: up
output-interface: ADMIN1
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ms-5510#
ms-5510# show run all | in nat-control
ms-5510# show run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp management
no sysopt noproxyarp Internet
no sysopt noproxyarp ADMIN1
no sysopt noproxyarp LABVOZ
ms-5510#
07-07-2014 09:39 PM
By a different pool, I meant any IP other than one in the ranges 172.18.0.0/24, 172.18.1.0/24 and 172.18.3.0/24.
If this does not help, run a continuous ping to any host behind the firewall, or initiate some traffic from the VPN client to a specific IP.
Apply captures as:
"capture capin interface <interface_name(internal host reachable)> match ip host <client_pool_ip> host <internal_host_ip>" and "cap asp type asp-drop all"
Run "show cap capin" and "show cap asp | in <client_pool_ip>"; this should show whether any packets are getting dropped.
Regards,
Dinesh Moudgil