06-05-2020 02:55 PM
Hi! I've been stuck on this for a couple of days, so any advice would be appreciated.
I have DNS and directory services servers on Amazon which my clients should authenticate to, and they are reachable via IPsec VPN (so far so good). When I try to join a PC to the domain server on AWS, I get an error and cannot authenticate at all. Doing a packet tracer I see this NAT 'rdf-check' error, and then the packets are dropped, so that's why I cannot join my domain. The strange thing is that all other services (remote desktop, file sharing) are working correctly, so at this point I don't know where my NAT issue is.
This same domain/DNS situation happens with internal LAN clients and remote VPN (AnyConnect) clients; they have to connect to the VPN in order to reach all AWS addressing (RFC 1918 and WAN IPs).
Thanks!
Here is my config (relevant stuff only... assume VPN connectivity, routing, and internet access are working OK so far).
Version 9.8(4)10
!
hostname AZA
domain-name aws.domain
enable password k.87/DMUuEFZAPAa encrypted
names
no mac-address auto
ip local pool vpn-pool 10.1.1.170.1-10.1.1.170.100 mask 255.255.255.0
!
interface GigabitEthernet1/1
ip add W.A.N.2 255.255.255.0
nameif backup
security-level 0
!
interface GigabitEthernet1/8
nameif outside
security-level 0
ip address W.A.N.1 255.255.255.0
!
!
interface Port-channel1
lacp max-bundle 8
nameif inside
security-level 100
ip address 10.1.1.254 255.255.255.0
!
boot system disk0:/asa984-10-lfbff-k8.SPA
dns domain-lookup backup
dns domain-lookup outside
dns server-group DefaultDNS
name-server D.N.S.A.W.S
domain-name aws.domain
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network ANYCONNECT_SUBNET
subnet 10.1.1.170.0 255.255.255.0
object-group network AWS_VPC
network-object 172.31.0.0 255.255.0.0
network-object 10.1.1.171.0 255.255.255.0
object-group network LAN_SUBNETS
network-object 10.1.1.0 255.255.255.0
network-object 192.168.169.0 255.255.255.0
object-group network AWS_PUB-IP
network-object object DC-PUB-IP
access-list acl-amzn extended permit ip any4 172.31.0.0 255.255.0.0
access-list acl-amzn extended permit ip any4 10.1.1.171.0 255.255.255.0
access-list amzn-filter extended permit ip 172.31.0.0 255.255.0.0 10.1.1.0 255.255.255.0
access-list amzn-filter extended permit ip 172.31.0.0 255.255.0.0 192.168.169.0 255.255.255.0
access-list amzn-filter extended permit ip 172.31.0.0 255.255.0.0 10.1.1.170.0 255.255.255.0
access-list amzn-filter extended permit ip 10.1.1.171.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list amzn-filter extended permit ip 10.1.1.171.0 255.255.255.0 192.168.169.0 255.255.255.0
access-list amzn-filter extended permit ip 10.1.1.171.0 255.255.255.0 10.1.1.170.0 255.255.255.0
access-list amzn-filter extended deny ip any any
access-list split_tunnel standard permit 172.31.0.0 255.255.0.0
access-list split_tunnel standard permit 10.1.1.0 255.255.255.0
access-list split_tunnel standard permit 192.168.169.0 255.255.255.0
access-list split_tunnel standard permit host 52.22.11.70
icmp permit any inside
asdm image disk0:/asdm-7131.bin
no asdm history enable
arp timeout 14400
arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static LAN_SUBNETS LAN_SUBNETS destination static AWS_VPC AWS_VPC no-proxy-arp route-lookup
nat (inside,backup) source static LAN_SUBNETS LAN_SUBNETS destination static AWS_VPC AWS_VPC no-proxy-arp route-lookup
nat (outside,outside) source static ANYCONNECT_SUBNET ANYCONNECT_SUBNET destination static AWS_VPC AWS_VPC no-proxy-arp route-lookup
nat (backup,backup) source static ANYCONNECT_SUBNET ANYCONNECT_SUBNET destination static AWS_VPC AWS_VPC no-proxy-arp route-lookup
nat (outside,inside) source static ANYCONNECT_SUBNET ANYCONNECT_SUBNET destination static LAN_SUBNETS LAN_SUBNETS no-proxy-arp route-lookup
nat (backup,inside) source static ANYCONNECT_SUBNET ANYCONNECT_SUBNET destination static LAN_SUBNETS LAN_SUBNETS no-proxy-arp route-lookup
nat (backup,backup) source static ANYCONNECT_SUBNET interface destination static AWS_PUB-IP AWS_PUB-IP no-proxy-arp
nat (backup,backup) source static ANYCONNECT_SUBNET interface destination static AWS_PUB-IP AWS_PUB-IP no-proxy-arp
nat (outside,outside) source static ANYCONNECT_SUBNET interface destination static AWS_PUB-IP AWS_PUB-IP no-proxy-arp
nat (outside,outside) source static ANYCONNECT_SUBNET interface destination static AWS_PUB-IP AWS_PUB-IP no-proxy-arp
!
nat (inside,outside) after-auto source dynamic any interface
nat (inside,backup) after-auto source dynamic any interface
access-group outside_access_in in interface backup
access-group outside_access_in in interface outside
threat-detection rate dos-drop rate-interval 600 average-rate 60 burst-rate 100
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
no threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate scanning-threat rate-interval 1200 average-rate 10 burst-rate 20
threat-detection rate scanning-threat rate-interval 2400 average-rate 10 burst-rate 20
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
group-policy Anyconnect internal
group-policy Anyconnect attributes
dns-server value D.N.S.A.W.S
vpn-simultaneous-logins 3
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
default-domain value aws.domain
address-pools value vpn-pool
webvpn
anyconnect mtu 1300
anyconnect ssl df-bit-ignore enable
group-policy filter internal
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
06-05-2020 03:23 PM
Share the full network firewall configuration; you can hide the public IP addresses. Also share the output of the packet tracer which is failing at rdp check. When you run the packet tracer, do not forget to put the detail command at the end.
06-05-2020 03:59 PM
OK, here is the config:
Thanks!
hostname AZA
domain-name domain.name
names
no mac-address auto
ip local pool vpn-pool 10.1.170.1-10.1.170.100 mask 255.255.255.0
!
interface GigabitEthernet1/1
description BACKUP
nameif backup
security-level 0
ip address x.x.x.240 255.255.255.0
!
interface GigabitEthernet1/2
channel-group 1 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
channel-group 1 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
description PRIMARY
nameif outside2
security-level 0
ip address x.x.x.120 255.255.255.0
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface Port-channel1
lacp max-bundle 8
nameif inside
security-level 100
ip address 10.1.168.254 255.255.255.0
!
boot system disk0:/asa984-10-lfbff-k8.SPA
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns domain-lookup backup
dns domain-lookup outside2
dns server-group DefaultDNS
name-server x.x.x.65
domain-name domain.name
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network VPNANYCONNECT
subnet 10.1.170.0 255.255.255.0
object network A_PUBLIC
host x.x.x.212
object network C_PUBLIC
host x.x.x.70
object network F_PUBLIC
host x.x.x.185
object network E_PUBLIC
host x.x.x.16
object network P_PUBLIC
host x.x.x.93
object network Q_PUBLIC
host x.x.x.139
object-group network AWS_NETS
network-object 172.31.0.0 255.255.0.0
network-object 10.1.171.0 255.255.255.0
object-group network LAN_NETS
network-object 10.1.168.0 255.255.255.0
network-object 10.1.169.0 255.255.255.0
object-group network AWS_WAN_2
network-object object A_PUBLIC
network-object object C_PUBLIC
network-object object F_PUBLIC
object-group network AWS_WAN_1
network-object object E_PUBLIC
network-object object P_PUBLIC
network-object object Q_PUBLIC
access-list outside_access_in extended permit ip host y.y.y.150 host x.x.x.120
access-list outside_access_in extended permit ip host y.y.y.151 host x.x.x.120
access-list outside_access_in extended permit ip host y.y.y.152 host x.x.x.240
access-list outside_access_in extended permit ip host y.y.y.153 host x.x.x.240
access-list outside_access_in extended permit ip object-group AWS_WAN_2 host x.x.x.120
access-list outside_access_in extended permit ip object-group AWS_WAN_1 host x.x.x.120
access-list outside_access_in extended permit ip object-group AWS_WAN_2 host x.x.x.240
access-list outside_access_in extended permit ip object-group AWS_WAN_1 host x.x.x.240
access-list acl-amzn extended permit ip any4 172.31.0.0 255.255.0.0
access-list acl-amzn extended permit ip any4 10.1.171.0 255.255.255.0
access-list amzn-filter extended permit ip 172.31.0.0 255.255.0.0 10.1.168.0 255.255.255.0
access-list amzn-filter extended permit ip 172.31.0.0 255.255.0.0 10.1.169.0 255.255.255.0
access-list amzn-filter extended permit ip 172.31.0.0 255.255.0.0 10.1.170.0 255.255.255.0
access-list amzn-filter extended permit ip 10.1.171.0 255.255.255.0 10.1.168.0 255.255.255.0
access-list amzn-filter extended permit ip 10.1.171.0 255.255.255.0 10.1.169.0 255.255.255.0
access-list amzn-filter extended permit ip 10.1.171.0 255.255.255.0 10.1.170.0 255.255.255.0
access-list amzn-filter extended deny ip any any
access-list split_tunnel standard permit 172.31.0.0 255.255.0.0
access-list split_tunnel standard permit 10.1.168.0 255.255.255.0
access-list split_tunnel standard permit 10.1.169.0 255.255.255.0
access-list split_tunnel standard permit host x.x.x.212
access-list split_tunnel standard permit host x.x.x.70
access-list split_tunnel standard permit host x.x.x.185
access-list split_tunnel standard permit host x.x.x.16
access-list split_tunnel standard permit host x.x.x.93
access-list split_tunnel standard permit host x.x.x.139
pager lines 20
logging enable
logging timestamp
logging monitor informational
logging buffered informational
logging asdm informational
mtu backup 1492
mtu outside2 1492
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-7131.bin
no asdm history enable
arp timeout 14400
arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside2) source static LAN_NETS LAN_NETS destination static AWS_NETS AWS_NETS no-proxy-arp route-lookup
nat (inside,backup) source static LAN_NETS LAN_NETS destination static AWS_NETS AWS_NETS no-proxy-arp route-lookup
nat (outside2,outside2) source static VPNANYCONNECT VPNANYCONNECT destination static AWS_NETS AWS_NETS no-proxy-arp route-lookup
nat (backup,backup) source static VPNANYCONNECT VPNANYCONNECT destination static AWS_NETS AWS_NETS no-proxy-arp route-lookup
nat (outside2,inside) source static VPNANYCONNECT VPNANYCONNECT destination static LAN_NETS LAN_NETS no-proxy-arp route-lookup
nat (backup,inside) source static VPNANYCONNECT VPNANYCONNECT destination static LAN_NETS LAN_NETS no-proxy-arp route-lookup
nat (backup,backup) source static VPNANYCONNECT interface destination static AWS_WAN_1 AWS_WAN_1 no-proxy-arp
nat (backup,backup) source static VPNANYCONNECT interface destination static AWS_WAN_2 AWS_WAN_2 no-proxy-arp
nat (outside2,outside2) source static VPNANYCONNECT interface destination static AWS_WAN_2 AWS_WAN_2 no-proxy-arp
nat (outside2,outside2) source static VPNANYCONNECT interface destination static AWS_WAN_1 AWS_WAN_1 no-proxy-arp
!
nat (inside,outside2) after-auto source dynamic any interface
nat (inside,backup) after-auto source dynamic any interface
access-group outside_access_in in interface backup
access-group outside_access_in in interface outside2
route outside2 0.0.0.0 0.0.0.0 x.x.x.121 1 track 1
route backup 0.0.0.0 0.0.0.0 x.x.x.241 100
route backup 8.8.4.4 255.255.255.255 x.x.x.241 1
route outside2 8.8.8.8 255.255.255.255 x.x.x.121 1
route backup y.y.y.152 255.255.255.255 x.x.x.241 1
route outside2 y.y.y.150 255.255.255.255 x.x.x.121 1
route backup y.y.y.153 255.255.255.255 x.x.x.241 1
route outside2 y.y.y.151 255.255.255.255 x.x.x.121 1
route outside2 172.31.0.0 255.255.0.0 x.x.x.121 1
route backup 10.1.171.0 255.255.255.0 x.x.x.241 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server AUTH1 protocol ldap
aaa-server AUTH1 (outside2) host x.x.x.70
server-port 389
aaa-server AUTH2 protocol ldap
aaa-server AUTH2 (backup) host x.x.x.70
server-port 389
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
no aaa authentication login-history
http server enable
http 10.1.170.0 255.255.255.0 inside
http 10.1.168.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
no snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection tcpmss 1379
sysopt noproxyarp backup
sysopt noproxyarp outside2
sysopt noproxyarp inside
sla monitor 1
type echo protocol ipIcmpEcho 8.8.8.8 interface outside2
num-packets 3
frequency 10
sla monitor schedule 1 life forever start-time now
sla monitor 2
type echo protocol ipIcmpEcho 8.8.4.4 interface backup
num-packets 3
frequency 10
sla monitor schedule 2 life forever start-time now
no service password-recovery
no service sw-reset-button
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec profile vpn-amzn
set ikev1 transform-set transform-amzn
set pfs group2
set security-association lifetime seconds 3600
crypto ipsec security-association replay window-size 128
crypto ipsec security-association pmtu-aging infinite
crypto ipsec df-bit clear-df backup
crypto ipsec df-bit clear-df outside2
crypto map amzn_vpn_map1 1 match address acl-amzn
crypto map amzn_vpn_map1 1 set pfs
crypto map amzn_vpn_map1 1 set peer y.y.y.151 y.y.y.150
crypto map amzn_vpn_map1 1 set ikev1 transform-set transform-amzn
crypto map amzn_vpn_map1 1 set security-association lifetime seconds 3600
crypto map amzn_vpn_map1 interface outside2
crypto map amzn_vpn_map2 1 match address acl-amzn
crypto map amzn_vpn_map2 1 set pfs
crypto map amzn_vpn_map2 1 set peer y.y.y.152 y.y.y.153
crypto map amzn_vpn_map2 1 set ikev1 transform-set transform-amzn
crypto map amzn_vpn_map2 1 set security-association lifetime seconds 3600
crypto map amzn_vpn_map2 interface backup
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev1 enable backup
crypto ikev1 enable outside2
crypto ikev1 policy 201
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
!
track 1 rtr 1 reachability
telnet timeout 5
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0
management-access inside
threat-detection rate dos-drop rate-interval 600 average-rate 60 burst-rate 100
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
no threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate scanning-threat rate-interval 1200 average-rate 10 burst-rate 20
threat-detection rate scanning-threat rate-interval 2400 average-rate 10 burst-rate 20
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable backup
enable outside2
hsts
enable
max-age 31536000
include-sub-domains
no preload
anyconnect image disk0:/anyconnect-win-4.7.01076-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-macos-4.7.01076-webdeploy-k9.pkg 2
anyconnect image disk0:/anyconnect-linux64-4.7.01076-webdeploy-k9.pkg 3
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy Anyconnect internal
group-policy Anyconnect attributes
dns-server value x.x.x.65
vpn-simultaneous-logins 3
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
default-domain value domain.name
address-pools value vpn-pool
webvpn
anyconnect mtu 1300
anyconnect ssl df-bit-ignore enable
group-policy filter internal
group-policy filter attributes
vpn-filter value amzn-filter
vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
tunnel-group corp_usr type remote-access
tunnel-group corp_usr general-attributes
authentication-server-group LDAP
default-group-policy Anyconnect
tunnel-group corp_usr webvpn-attributes
group-alias "CORP" enable
tunnel-group external_user type remote-access
tunnel-group external_user general-attributes
default-group-policy Anyconnect
tunnel-group external_user webvpn-attributes
group-alias "GUEST" enable
without-csd
tunnel-group y.y.y.151 type ipsec-l2l
tunnel-group y.y.y.151 general-attributes
default-group-policy filter
tunnel-group y.y.y.151 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 10 retry 10
tunnel-group y.y.y.152 type ipsec-l2l
tunnel-group y.y.y.152 general-attributes
default-group-policy filter
tunnel-group y.y.y.152 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 10 retry 10
tunnel-group y.y.y.153 type ipsec-l2l
tunnel-group y.y.y.153 general-attributes
default-group-policy filter
tunnel-group y.y.y.153 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 10 retry 10
tunnel-group y.y.y.150 type ipsec-l2l
tunnel-group y.y.y.150 general-attributes
default-group-policy filter
tunnel-group y.y.y.150 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 10 retry 10
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
06-06-2020 12:23 AM
Can you test this rule?
access-list acl-amzn extended permit ip object-group LAN_NETS object-group network AWS_NETS
!
no access-list acl-amzn extended permit ip any4 172.31.0.0 255.255.0.0
no access-list acl-amzn extended permit ip any4 10.1.171.0 255.255.255.0
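As an added example (not code from either poster), here is a small Python matcher for ASA extended ACL entries of the kind discussed in this thread. It transcribes the object groups from the posted config and two ACLs: the crypto ACL `acl-amzn` in the `object-group NAME` form the ASA accepts (with the AnyConnect entry the asker adds later), and the `amzn-filter` vpn-filter ACL. It only understands `ip` entries with `any`/`any4`, `host`, `object`, `object-group` and `addr mask` address forms, which is all these ACLs use, and ignores ports. The group contents and sample flows are taken from the thread; everything else is constructed for this example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Object groups transcribed from the config posted above; the 'object network'
# VPNANYCONNECT is treated as a one-member group.
GROUPS: Dict[str, List[str]] = {
    "AWS_NETS": ["172.31.0.0/255.255.0.0", "10.1.171.0/255.255.255.0"],
    "LAN_NETS": ["10.1.168.0/255.255.255.0", "10.1.169.0/255.255.255.0"],
    "VPNANYCONNECT": ["10.1.170.0/255.255.255.0"],
}

# ACLs as they appear in the thread (constructed sample input for this example).
ACLS: Dict[str, List[str]] = {
    "acl-amzn": [  # crypto-map ACL after the suggested change, plus the AnyConnect entry
        "access-list acl-amzn extended permit ip object-group LAN_NETS object-group AWS_NETS",
        "access-list acl-amzn extended permit ip object VPNANYCONNECT object-group AWS_NETS",
    ],
    "amzn-filter": [  # vpn-filter applied to the site-to-site tunnel-groups
        "access-list amzn-filter extended permit ip 172.31.0.0 255.255.0.0 10.1.168.0 255.255.255.0",
        "access-list amzn-filter extended permit ip 172.31.0.0 255.255.0.0 10.1.169.0 255.255.255.0",
        "access-list amzn-filter extended permit ip 172.31.0.0 255.255.0.0 10.1.170.0 255.255.255.0",
        "access-list amzn-filter extended permit ip 10.1.171.0 255.255.255.0 10.1.168.0 255.255.255.0",
        "access-list amzn-filter extended permit ip 10.1.171.0 255.255.255.0 10.1.169.0 255.255.255.0",
        "access-list amzn-filter extended permit ip 10.1.171.0 255.255.255.0 10.1.170.0 255.255.255.0",
        "access-list amzn-filter extended deny ip any any",
    ],
}

Net = ipaddress.IPv4Network


def _address_spec(tokens: List[str], i: int) -> Tuple[List[Net], int]:
    """Consume one ACE address specification starting at tokens[i]; return (networks, next index)."""
    tok = tokens[i]
    if tok in ("any", "any4"):
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok == "host":
        return [ipaddress.ip_network(tokens[i + 1])], i + 2          # single /32
    if tok in ("object", "object-group"):
        return [ipaddress.ip_network(n) for n in GROUPS[tokens[i + 1]]], i + 2
    return [ipaddress.ip_network(f"{tok}/{tokens[i + 1]}")], i + 2   # "addr mask" form


def parse_ace(line: str) -> Tuple[str, str, List[Net], List[Net]]:
    """'access-list NAME extended permit|deny PROTO SRC DST' -> (action, proto, srcs, dsts)."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"not an extended ACE: {line}")
    srcs, i = _address_spec(t, 5)
    dsts, _ = _address_spec(t, i)
    return t[3], t[4], srcs, dsts


def first_match(acl: List[str], src: str, dst: str) -> Optional[Tuple[int, str]]:
    """First ACE hit by an IP flow src->dst as (1-based index, action); None means implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, line in enumerate(acl, 1):
        action, _proto, srcs, dsts = parse_ace(line)
        if any(s in net for net in srcs) and any(d in net for net in dsts):
            return n, action
    return None


def check_both_directions(acl_name: str, src: str, dst: str) -> Dict[str, Optional[Tuple[int, str]]]:
    """Evaluate the flow as written and mirrored; crypto ACLs are written local->remote,
    so an inbound decrypted packet is checked against the mirrored entry."""
    acl = ACLS[acl_name]
    return {"forward": first_match(acl, src, dst), "reverse": first_match(acl, dst, src)}
```

Running `check_both_directions("acl-amzn", "10.1.171.59", "10.1.170.2")` for the AWS DNS server to AnyConnect client flow from the thread returns no forward match but a reverse match on entry 2, which is the expected shape for a crypto ACL: the ASA lists the local side as source and matches inbound traffic against the mirror image. The vpn-filter ACL is the other way round (remote peer as source), which is why `first_match(ACLS["amzn-filter"], "10.1.171.59", "10.1.170.2")` lands on entry 6 directly. The matcher evaluates `ip` entries only; the real ASA also checks protocol and ports.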
06-07-2020 03:52 PM
Thanks Sheraz, I've changed the ACL but still no luck... Here is the packet-tracer flow of the traffic from the DNS server in Amazon to my PC connected via AnyConnect (the same happens with LAN subnets).
# packet-tracer input outside2 udp 10.1.171.59 53 10.1.170.2 25000 det
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop x.x.x.120 using egress ifc outside2
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside2,outside2) source static VPNANYCONNECT VPNANYCONNECT destination static AWS_NETS AWS_NETS no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside2
Untranslate 10.1.170.2/25000 to 10.1.170.2/25000
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fc35ebc1010, priority=11, domain=permit, deny=true
hits=31, user_data=0x6, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside2, output_ifc=any
Result:
input-interface: outside2
input-status: up
input-line-status: up
output-interface: outside2
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
06-09-2020 12:13 AM
The access list I earlier mentioned is for the site-to-site VPN. Looking into your packet tracer, you are doing/testing an AnyConnect traffic packet tracer.
You are not able to connect from AnyConnect too?
06-09-2020 09:10 AM
Yes, this issue is affecting the internal subnets (10.1.168.0 and 10.1.169.0) and the AnyConnect subnet (10.1.170.0), even after your suggestion:
access-list acl-amzn extended permit ip object-group LAN_NETS object-group AWS_NETS
access-list acl-amzn extended permit ip object VPNANYCONNECT object-group AWS_NETS
This is the packet-tracer of AWS -> LAN:
# packet-tracer input outside2 udp 10.1.171.59 53 10.1.168.20 20000 det
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe7a34a5d40, priority=1, domain=permit, deny=false
hits=181173, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside2, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.1.168.20 using egress ifc inside
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside2) source static LAN_NETS LAN_NETS destination static AWS_NETS AWS_NETS no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface inside
Untranslate 10.1.168.20/20000 to 10.1.168.20/20000
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group test in interface outside2
access-list test extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe7a42ce7e0, priority=13, domain=permit, deny=false
hits=72, user_data=0x7fe797e84b00, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside2, output_ifc=any
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside2) source static LAN_NETS LAN_NETS destination static AWS_NETS AWS_NETS no-proxy-arp route-lookup
Additional Information:
Static translate 10.1.171.59/53 to 10.1.171.59/53
Forward Flow based lookup yields rule:
in id=0x7fe7a34a9cc0, priority=6, domain=nat, deny=false
hits=0, user_data=0x7fe7a355aa80, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.1.171.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=10.1.168.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=outside2, output_ifc=inside
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe7a2683f90, priority=0, domain=nat-per-session, deny=true
hits=61107, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe7a34ae740, priority=0, domain=inspect-ip-options, deny=true
hits=25962, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside2, output_ifc=any
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe7a3f645f0, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=1, user_data=0x0, cs_id=0x7fe7a3f5cce0, reverse, flags=0x0, protocol=0
src ip/id=10.1.171.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=10.1.168.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=outside2, output_ifc=any
Result:
input-interface: outside2
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
*****
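The two packet-tracer outputs above have the same final line ("Flow is denied by configured rule") but stop in different phases: phase 3 ACCESS-LIST with "Implicit Rule" in the first, phase 8 VPN/ipsec-tunnel-flow with an empty Config in the second. As an added example (not code from the thread), the following Python parser splits `packet-tracer ... detail` output into its phases and the trailing summary and reports the phase where the flow was dropped, so the two cases are told apart without reading the whole trace by hand. The embedded sample is a constructed, abbreviated copy of the first trace above; the parser itself handles any trace in this format.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: an abbreviated copy of the first packet-tracer
# output posted in this thread (AWS DNS server -> AnyConnect client).
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop x.x.x.120 using egress ifc outside2
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside2,outside2) source static VPNANYCONNECT VPNANYCONNECT destination static AWS_NETS AWS_NETS no-proxy-arp route-lookup
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fc35ebc1010, priority=11, domain=permit, deny=true
Result:
output-interface: outside2
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)  # lines under "Config:"
    info: List[str] = field(default_factory=list)    # lines under "Additional Information:"


@dataclass
class Trace:
    phases: List[Phase] = field(default_factory=list)
    action: str = ""
    drop_reason: str = ""
    output_interface: str = ""


def parse_packet_tracer(text: str) -> Trace:
    trace = Trace()
    current: Optional[Phase] = None
    section: Optional[str] = None  # "config" or "info" while inside a phase
    for raw in text.splitlines():
        line = raw.strip()
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Phase" and value.isdigit():
            current, section = Phase(int(value)), None
            trace.phases.append(current)
            continue
        if key == "Result" and not value:  # a bare "Result:" opens the final summary block
            current, section = None, None
            continue
        if current is None:  # summary block (or the echoed command line before phase 1)
            if key == "Action":
                trace.action = value
            elif key == "Drop-reason":
                trace.drop_reason = value
            elif key == "output-interface":
                trace.output_interface = value
            continue
        if section is None and key in ("Type", "Subtype", "Result"):
            setattr(current, key.lower(), value)
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif line and section == "config":
            current.config.append(line)
        elif line and section == "info":
            current.info.append(line)
    return trace


def first_drop(trace: Trace) -> Optional[Phase]:
    """The phase where the ASA stopped the flow (Result: DROP), if any."""
    return next((p for p in trace.phases if p.result == "DROP"), None)


def drop_summary(trace: Trace) -> str:
    """One-line verdict naming the dropping phase and the rule (if the ASA printed one)."""
    p = first_drop(trace)
    if p is None:
        return f"{trace.action or 'allow'}: no phase dropped"
    rule = "; ".join(p.config) or "(no config line; see Additional Information)"
    return f"DROP at phase {p.number} {p.type}: {rule} -> {trace.drop_reason}"
```

Feed `parse_packet_tracer` the text captured from the ASA CLI and print `drop_summary(...)`. For the first trace above it yields "DROP at phase 3 ACCESS-LIST: Implicit Rule -> (acl-drop) Flow is denied by configured rule"; for the second, the VPN phase carries no Config line, so the summary points at the "Additional Information" lookup rule (the ipsec-tunnel-flow entry for 10.1.171.0/24 -> 10.1.168.0/24) instead, which is the part worth comparing against the crypto ACL on both sides.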
06-09-2020 10:01 AM
Thank you for the information you provided. Could you please initiate this command twice? The reason for this is that in order to establish the site-to-site VPN the ARP entries need to build up, so the first time the packet tracer will fail, but if you try the same command again after 2 seconds it will give you the output. If it is failing again, we need to look at the other side's configuration.
packet-tracer input outside2 udp 10.1.171.59 53 10.1.168.20 20000 det
I noted in your packet tracer:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
What is the configuration on the other side? Let's start with one issue at a time.
06-09-2020 05:05 PM
Look what I found every time traffic drops:
Jun 09 2020 19:01:28: %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xC964E76C, sequence number= 0x5B0) from x.x.x.x (user= x.x.x.x) to y.y.y.y. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as c845:e1dd:5955:35a1:358b:19a:134:ef8b, its source as d172:c59:ae48:ec03:1273:2d88:9a5c:5de, and its protocol as 255. The SA specifie 10.1.168.170.0/255.255.255.0/ip/0 and its remote_proxy as 10.1.168.171.0
I don't know why the encryption domain is involving IPv6 addressing...