
Problem with VPN traffic

asonea
Level 1

Hello,

I have configured a site-to-site VPN and it is working OK. I can receive and send data. The main VPN configuration is the following:

- Remote Address: X.X.0.0/15

- Local Range: Firewall Inside IP (172.16.0.1) and the range 172.16.2.2-172.16.2.255. We have been asked to NAT these IPs to the range 100.104.0.0/24. This NAT needs one-to-one address translation. For this I have created one NAT from 172.16.0.1 to 100.104.0.1 and another one from the range 172.16.2.2-255 to 100.104.0.2-255.

I have checked the VPN and everything seems to be OK.

I need to send data from the firewall over the VPN. When I use packet tracer to check if everything is correct from 172.16.0.1, the traffic is denied by an Implicit Rule. But if I use one IP from the range 172.16.2.2-255, the traffic can leave the firewall and go through the VPN. I have an access rule created which allows all the traffic from inside to leave the firewall, and another one created also to permit traffic from 172.16.0.1 to X.X.0.0/15.

I don't understand why I have this problem just with the firewall IP.

Could anyone help me please?

Thank you in advance.

18 Replies

@asonea that is correct, packet-tracer simulates traffic through the firewall, not from one of the firewall's own interfaces. So you would always simulate a flow through the firewall, not from/to it.

ASA and FTD deny any traffic from one interface to the other.

In your S2S VPN the traffic reaches Outside and the destination is Inside, and here the traffic is denied.

So we always test the S2S VPN with any IP other than the IP of any FW interface.

This is not only for VPN, it is also for any traffic; for example, if you want to ping interface In from any PC connected to Out, the FW will drop the traffic.

MHM

Thank you for your answer.

So now I understand that I can only test the VPN via packet tracer using an IP different than the IP of the interface. But I need to send data from the firewall to the VPN. How can I check that this is working?

Thank you.

Regards,

"So now I understand that I can only test the VPN via packet tracer using an IP different than the IP of the interface." Correct.
"But I need to send data from the firewall to the VPN. How can I check that this is working?" What data are we talking about, is it AAA traffic or SNMP/log?

MHM

Sorry for the delay.

The data is SNMP, log and AAA.

Regards,

Start with the SNMP server; do the below two steps:
1. Use interface IN as the interface in the command used to connect to the SNMP server.
2. Configure the IN interface as the management-access interface.

NOTE: I assume the S2S VPN ACL uses the IN subnet.

MHM

 

@asonea to specify the interface from which to source the syslog traffic sent over the tunnel, enter the management-access <inside interface nameif> command. https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116171-qanda-asa-00.html

For SNMP, from ASA version 9.14 and higher you need to include the IP address of the outside interface in the crypto map access-list as part of the VPN configuration, as traffic will be sourced via the egress interface. https://www.cisco.com/c/en/us/td/docs/security/asa/asa914/release/notes/asarn914.html#reference_xqs_mvp_xhb

 

asonea
Level 1

 

@MHM Cisco World @Rob Ingram 

Thank you for your answers.

The ASA version that the firewall has is 9.8, so I assume that I do not need to include the outside interface in the ACL.

I have configured the SNMP and the Syslog with the following configuration:

SNMP Host: host ip = X.X.X.X, interface = inside community ***** version 2c udp-port 161

Syslog Server:

sh run logging
logging enable
logging trap informational
logging asdm informational
logging host inside Y.Y.Y.Y

The current management interface is:

sh run management-access
management-access inside

I have used the packet capture in ASDM and I saw that I have SNMP and syslog traffic; I post one example here:

[screenshot: asonea_0-1718879255629.png]

This traffic does not go through the VPN tunnel. I think it is the NAT that is not working well, because the peer is sending SNMP traffic and it does not arrive at my firewall, and I send traffic and it does not use the VPN.

The NATs that I have created are:

19 (inside) to (outside) source static firewall 10.104.0.1 destination static remote_network_internal remote_network_internal net-to-net no-proxy-arp
translate_hits = 0, untranslate_hits = 0
20 (inside) to (outside) source static int_range 10.104.0.2-255 destination static remote_network_internal remote_network_internal net-to-net no-proxy-arp

translate_hits = 0, untranslate_hits = 0

On the cryptomaps the source is 10.104.0.0/24 and the destination is remote_network_internal.

The ACL is:

access-list outside_cryptomap line 1 extended permit ip object 20.104.0.0/24 object remote_network_internal(hitcnt=8) 0x3119a0fa

Do you see any problem with the NAT? Or is it something else?

Thank you.

 

Is the SNMP server IP included in the remote network?

MHM

Yes, the SNMP server IP is in the range of the remote network.

Regards,

ok 

packet-tracer input <inside> snmp <inside IP><12345> <SNMP server IP><port 161 or 162> [detailed]

run this and share result 

MHM

I do not have the possibility to use SNMP in the packet-tracer; when I put SNMP it says "Invalid input". I can only try with ICMP, RAWIP, SCTP, TCP, UDP, VLAN-ID. So I tried UDP.

When I used it with the firewall IP (you told me before it does not work with these):

packet-tracer input inside UDP 172.16.0.1 161 10.224.8.5 161

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static firewall red_nat destination static sonnedix_interna sonnedix_interna net-to-net no-proxy-arp
Additional Information:
NAT divert to egress interface outside
Untranslate 10.224.8.5/161 to 10.224.8.5/161

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

If I use another IP from my network the packet is permitted:

packet-tracer input inside UDP 172.16.2.28 161 10.224.8.5 161

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static red_interna red_nat destination static sonnedix_interna sonnedix_interna net-to-net no-proxy-arp
Additional Information:
NAT divert to egress interface outside
Untranslate 10.224.8.5/161 to 10.224.8.5/161

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in_1 in interface inside
access-list inside_access_in_1 extended permit ip any any
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static red_interna red_nat destination static sonnedix_interna sonnedix_interna net-to-net no-proxy-arp
Additional Information:
Static translate 172.16.2.28/161 to 100.104.0.28/161

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static red_interna red_nat destination static sonnedix_interna sonnedix_interna net-to-net no-proxy-arp
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 107263, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Sorry I kept you waiting.

capture OUT interface outside trace include-decrypted match ip host <> host <>

Use the above to see if the ASA sees any packet from the SNMP server.

MHM

Hello, thank you for your answer.

I have written in the CLI the following:

capture OUT interface outside trace detail (I cannot put include-decrypted) match ip host "remoteSNMP" host 172.16.0.1 (firewall).

I can see some traffic, but it is always from the firewall to the SNMP server (when I look at the VPN statistics this traffic does not appear):

12 packets captured

1: 10:21:43.189428 172.16.0.1.162 > RemoteSNMP.161: udp 270
2: 10:22:43.189428 172.16.0.1.162 > RemoteSNMP.161: udp 270
3: 10:23:43.189428 172.16.0.1.162 > RemoteSNMP.161: udp 270
4: 10:24:43.189443 172.16.0.1.162 > RemoteSNMP.161: udp 270
5: 10:25:43.189458 172.16.0.1.162 > RemoteSNMP.161: udp 270
6: 10:26:00.560365 172.16.0.1.162 > RemoteSNMP.161: udp 107
7: 10:26:00.615141 172.16.0.1.162 > RemoteSNMP.161: udp 155
8: 10:26:01.717919 172.16.0.1.162 > RemoteSNMP.161: udp 156
9: 10:26:01.721627 172.16.0.1.162 > RemoteSNMP.161: udp 131
10: 10:26:43.189733 172.16.0.1.162 > RemoteSNMP.161: udp 270
11: 10:27:43.189428 172.16.0.1.162 > RemoteSNMP.161: udp 270
12: 10:28:43.189443 172.16.0.1.162 > RemoteSNMP.161: udp 270
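As an added example (not from the thread, not Cisco's code): a small Python helper that reads the two kinds of output posted above, a packet-tracer run and a capture listing, and reports which phase dropped the packet and whether a captured conversation is one-way (packets leaving the firewall, nothing coming back), which is exactly the pattern in the last capture. The sample texts are trimmed copies of the packet-tracer and capture output posted in this thread plus one constructed two-way capture for contrast; RemoteSNMP is a placeholder for the real server address, and the field layout the parsers assume is the one shown on this page.

```python
import re
from collections import defaultdict

# Added example: parse ASA "packet-tracer" and "show capture" output.
PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$")
# "<n>: <time> <src>.<sport> > <dst>.<dport>: <proto> <len>"
CAPTURE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(\S+?)\.(\d+)\s+>\s+(\S+?)\.(\d+):\s+(\w+)\s+(\d+)")
# Sample inputs: trimmed from the thread's output (RemoteSNMP is a placeholder).
PT_DROP = """\
Phase: 1
Type: ACCESS-LIST
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Phase: 2
Type: UN-NAT
Result: ALLOW
Config:
nat (inside,outside) source static firewall red_nat destination static sonnedix_interna sonnedix_interna net-to-net no-proxy-arp
Additional Information:
Phase: 3
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
PT_ALLOW = """\
Phase: 1
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Result:
Action: allow
"""
CAP_ONE_WAY = """\
1: 10:21:43.189428 172.16.0.1.162 > RemoteSNMP.161: udp 270
2: 10:22:43.189428 172.16.0.1.162 > RemoteSNMP.161: udp 270
6: 10:26:00.560365 172.16.0.1.162 > RemoteSNMP.161: udp 107
"""
# Constructed healthy conversation for contrast: a reply comes back.
CAP_TWO_WAY = """\
1: 10:30:00.000000 172.16.2.28.50000 > RemoteSNMP.161: udp 80
2: 10:30:00.012345 RemoteSNMP.161 > 172.16.2.28.50000: udp 120
"""

def parse_packet_tracer(text):
    """Return action, drop reason, the parsed phases and the first DROP phase."""
    phases, cur, sect = [], None, None
    out = {"action": None, "drop_reason": None}
    for line in (ln.rstrip() for ln in text.splitlines()):
        if PHASE_RE.match(line):
            cur = {"phase": int(line.split(":")[1]), "type": "", "subtype": "",
                   "result": "", "config": [], "info": []}
            phases.append(cur)
            sect = None
        elif line == "Result:":  # bare "Result:" opens the final summary block
            cur = sect = None
        elif line.startswith(("Action:", "Drop-reason:")):
            key, val = line.split(":", 1)
            out[key.lower().replace("-", "_")] = val.strip()
        elif cur is None:
            continue
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, val = line.split(":", 1)
            cur[key.lower()] = val.strip()
            sect = None
        elif line in ("Config:", "Additional Information:"):
            sect = "config" if line == "Config:" else "info"
        elif sect and line.strip():
            cur[sect].append(line.strip())
    out["phases"] = phases
    out["drop_phase"] = next((p for p in phases if p["result"] == "DROP"), None)
    return out

def summarize_capture(text):
    """Count packets each way per endpoint pair; flag flows with no return traffic."""
    per_dir = defaultdict(int)
    for m in filter(None, map(CAPTURE_RE.match, text.splitlines())):
        src, _sp, dst, _dp, proto, _ln = m.groups()
        per_dir[(proto, src, dst)] += 1
    flows = {}
    for (proto, src, dst), n in per_dir.items():
        a, b = sorted((src, dst))
        f = flows.setdefault((proto, a, b), {"proto": proto, "a": a, "b": b, "a_to_b": 0, "b_to_a": 0})
        f["a_to_b" if src == a else "b_to_a"] += n
    for f in flows.values():
        f["one_way"] = min(f["a_to_b"], f["b_to_a"]) == 0
    return sorted(flows.values(), key=lambda f: (f["proto"], f["a"], f["b"]))

if __name__ == "__main__":
    r = parse_packet_tracer(PT_DROP)
    print(r["action"], r["drop_phase"]["phase"], r["drop_phase"]["type"], r["drop_reason"])
    print([(f["a"], f["b"], f["a_to_b"], f["b_to_a"], f["one_way"]) for f in summarize_capture(CAP_ONE_WAY)])
```

To use it on a live box, paste the text of `packet-tracer ... detailed` into `parse_packet_tracer` and the text of `show capture OUT` into `summarize_capture`; a flow reported as `one_way` with only the firewall side counted is the signature seen in this thread, where the requests leave on outside but no reply is ever captured.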