cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1579
Views
0
Helpful
6
Replies

Remote Access VPN connecting but not passing traffic

James Dykes
Level 1
Level 1

I have a remote access VPN configured on a device here. I'm able to connect a device and it assigns me an IP address out of the pool, and injects the routes to its local network, but I'm not able to pass any traffic through the VPN and none of the IPSec SA counters increment for the dial-in connection. I've compared the config here to the samples from documentation and I don't know what I'm missing. Config is below.

 

3118-FWL001(config)# sho run
: Saved
:
ASA Version 7.2(3)
!
hostname 3118-FWL001
domain-name rr-rentals.com
enable password hEgvNHfNHV8zypPu encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 199.X.X.162 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
banner exec
banner exec
banner exec
banner exec Any attempted or unauthorized access, use, or modification is prohibited.
banner exec Unauthorized users may face criminal and/or civil penalties.
banner exec The use of this system may be monitored and recorded.
banner exec If the monitoring reveals possible evidence of criminal activity, Adhost can
banner exec provide the records to law enforcement.
banner exec Be safe!  Do not share your access information with anyone!
banner exec
banner exec
banner exec
banner asdm
banner asdm
banner asdm
banner asdm Any attempted or unauthorized access, use, or modification is prohibited.
banner asdm Unauthorized users may face criminal and/or civil penalties.
banner asdm The use of this system may be monitored and recorded.
banner asdm If the monitoring reveals possible evidence of criminal activity, Adhost can
banner asdm provide the records to law enforcement.
banner asdm Be safe!  Do not share your access information with anyone!
banner asdm
banner asdm
banner asdm
ftp mode passive
dns server-group DefaultDNS
 domain-name rr-rentals.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_acl extended permit ip any host 199.X.X.163
access-list outside_acl extended permit icmp any any echo
access-list outside_acl extended permit icmp any any echo-reply
access-list outside_acl extended permit tcp 216.X.X.64 255.255.255.192 any
access-list outside_acl extended permit tcp host 76.X.X.166 any eq 3389
access-list outside_acl extended permit tcp 67.X.X.192 255.255.255.224 any eq 3389
access-list outside_acl extended permit tcp any any eq ftp
access-list outside_acl extended permit tcp any any eq ftp-data
access-list outside_acl extended permit tcp host 72.X.X.71 any eq 3389
access-list outside_acl extended permit tcp host 26.X.X.155 any eq 3389
access-list outside_acl extended permit tcp host 24.X.X.155 any eq 3389
access-list outside_acl extended permit icmp any any unreachable
access-list outside_acl extended permit icmp any any time-exceeded
access-list outside_acl extended permit tcp host 71.X.X.170 any eq 3389
access-list outside_acl extended permit tcp host 24.X.X.200 any eq 3389
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_4_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list rr-vpn_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list rr-vpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 1048576
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.20.1-192.168.20.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 199.X.X.163 192.168.10.2 netmask 255.255.255.255
access-group outside_acl in interface outside
route outside 0.0.0.0 0.0.0.0 199.X.X.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 216.X.X.64 255.255.255.192 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1200
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 50.X.X.58
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 75.X.X.253
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 173.X.X.69
crypto map outside_map 3 set transform-set ESP-AES-128-SHA
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer 70.X.X.194
crypto map outside_map 4 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.10.2 255.255.255.255 inside
ssh 192.168.0.0 255.255.0.0 inside
ssh 216.X.X.64 255.255.255.192 outside
ssh 50.X.X.58 255.255.255.255 outside
ssh timeout 60
ssh version 2
console timeout 0
management-access inside

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
tftp-server outside 216.X.X.116 3118-FWL001.config
group-policy rr-vpn internal
group-policy rr-vpn attributes
 dns-server value 216.X.X.12 66.X.X.11
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value rr-vpn_splitTunnelAcl
username rrlee password B6rKS8LmKC50oIXK encrypted privilege 0
username rrlee attributes
 vpn-group-policy rr-vpn
username cschirado password QYICGrOFAZ9iPWpp encrypted privilege 0
username cschirado attributes
 vpn-group-policy rr-vpn
username daniel password SZsXZCSuVXcFn9NB encrypted privilege 15
username adhostadm password 7P2Y2Ow1o0.VSjvh encrypted privilege 15
username troy password amZKsxVU.8N9kKPb encrypted privilege 0
username troy attributes
 vpn-group-policy rr-vpn
username troyr password Hek9zbMrM6wEDSfi encrypted privilege 15
username druiz password 33oau7XOcvhJ3DMv encrypted privilege 0
username druiz attributes
 vpn-group-policy rr-vpn
username theresa password qWsPnR.vfjXzlunC encrypted privilege 0
username theresa attributes
 vpn-group-policy rr-vpn
username kevin password R5DPfUVhzGCEg6pu encrypted privilege 0
username kevin attributes
 vpn-group-policy rr-vpn
username andrea password MyhIPdH6UJQDon77 encrypted privilege 0
username andrea attributes
 vpn-group-policy rr-vpn
tunnel-group 50.X.X.58 type ipsec-l2l
tunnel-group 50.X.X.58 ipsec-attributes
 pre-shared-key *
tunnel-group 75.X.X.253 type ipsec-l2l
tunnel-group 75.X.X.253 ipsec-attributes
 pre-shared-key *
tunnel-group 72.X.X.71 type ipsec-l2l
tunnel-group 72.X.X.71 ipsec-attributes
 pre-shared-key *
tunnel-group 173.X.X.69 type ipsec-l2l
tunnel-group 173.X.X.69 ipsec-attributes
 pre-shared-key *
tunnel-group rr-vpn type ipsec-ra
tunnel-group rr-vpn general-attributes
 address-pool vpnpool
 default-group-policy rr-vpn
tunnel-group rr-vpn ipsec-attributes
 pre-shared-key *
tunnel-group 70.X.X.194 type ipsec-l2l
tunnel-group 70.X.X.194 ipsec-attributes
 pre-shared-key *
prompt hostname context

6 Replies 6

Vishnu Sharma
Level 1
Level 1

Hi,

 

Could you please share output of following commands when connect to the ASA and pinging (inside interface of the ASA) constantly.

 

Show crypto isa sa

show crypto ipsec sa

show run route

If you receive response from the inside interface then try to ping anything further.

 

Vishnu

Here are the results of the commands you requested. I'm not able to ping either direction.

Thanks,

James

 

3118-FWL001# sho cry isa sa

   Active SA: 5
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 5

1   IKE Peer: 50.34.254.58
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 173.10.71.69
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
3   IKE Peer: 75.151.109.253
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
4   IKE Peer: 70.99.88.194
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
5   IKE Peer: 216.211.143.85
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
3118-FWL001# sho cry ips sa
interface: outside
    Crypto map tag: outside_dyn_map, seq num: 20, local addr: 199.21.66.162

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.20.2/255.255.255.255/0/0)
      current_peer: 216.211.143.85, username: kevin
      dynamic allocated peer ip: 192.168.20.2

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 199.21.66.162, remote crypto endpt.: 216.211.143.85

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: CBF94621

    inbound esp sas:
      spi: 0x8D8279CA (2374138314)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 200, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 28715
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xCBF94621 (3422111265)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 200, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 28715
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: outside_map, seq num: 1, local addr: 199.21.66.162

      access-list outside_1_cryptomap permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 50.34.254.58

      #pkts encaps: 15356573, #pkts encrypt: 15356573, #pkts digest: 15356573
      #pkts decaps: 9021115, #pkts decrypt: 9021114, #pkts verify: 9021114
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 15356573, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 199.21.66.162, remote crypto endpt.: 50.34.254.58

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: FE16571B

    inbound esp sas:
      spi: 0x78BD7E4F (2025684559)
         transform: esp-aes esp-sha-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 86, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4263158/5788)
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xFE16571B (4262876955)
         transform: esp-aes esp-sha-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 86, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4064653/5788)
         IV size: 16 bytes
         replay detection support: Y

    Crypto map tag: outside_map, seq num: 4, local addr: 199.21.66.162

      access-list outside_4_cryptomap permit ip 192.168.10.0 255.255.255.0 192.168.4.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
      current_peer: 70.99.88.194

      #pkts encaps: 491814, #pkts encrypt: 491814, #pkts digest: 491814
      #pkts decaps: 416810, #pkts decrypt: 416810, #pkts verify: 416810
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 491814, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 199.21.66.162, remote crypto endpt.: 70.99.88.194

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 533F55E1

    inbound esp sas:
      spi: 0xE2F461AD (3807666605)
         transform: esp-aes esp-sha-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 194, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4273818/27167)
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x533F55E1 (1396659681)
         transform: esp-aes esp-sha-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 194, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4266133/27167)
         IV size: 16 bytes
         replay detection support: Y

    Crypto map tag: outside_map, seq num: 2, local addr: 199.21.66.162

      access-list outside_2_cryptomap permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 75.151.109.253

      #pkts encaps: 207718, #pkts encrypt: 207718, #pkts digest: 207718
      #pkts decaps: 142739, #pkts decrypt: 142739, #pkts verify: 142739
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 207722, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 199.21.66.162, remote crypto endpt.: 75.151.109.253

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 8D74AC18

    inbound esp sas:
      spi: 0x0CF7F70B (217577227)
         transform: esp-aes esp-sha-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 195, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4274490/23242)
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x8D74AC18 (2373233688)
         transform: esp-aes esp-sha-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 195, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4270718/23242)
         IV size: 16 bytes
         replay detection support: Y

    Crypto map tag: outside_map, seq num: 3, local addr: 199.21.66.162

      access-list outside_3_cryptomap permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
      current_peer: 173.10.71.69

      #pkts encaps: 3427935, #pkts encrypt: 3427935, #pkts digest: 3427935
      #pkts decaps: 2006044, #pkts decrypt: 2006044, #pkts verify: 2006044
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 3427935, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 199.21.66.162, remote crypto endpt.: 173.10.71.69

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 2E8A6147

    inbound esp sas:
      spi: 0x467968AB (1182361771)
         transform: esp-aes esp-sha-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 154, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4270213/18597)
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x2E8A6147 (780820807)
         transform: esp-aes esp-sha-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 154, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4162093/18597)
         IV size: 16 bytes
         replay detection support: Y
3118-FWL001# sho run route
route outside 0.0.0.0 0.0.0.0 199.21.66.161 1

Hi,

 

I see that only one user is connected and it with the ip address: 216.211.143.85

When I see Ipsec sa's for the same peer, I see that the SA's are up but encaps/decaps is still 0. 

The ip address assigned to the client can be seen in the output of show crypto ipsec sa: dynamic allocated peer ip: 192.168.20.2

 

Try to ping this ip address making inside interface as the source and then run "show crypto ipsec sa" and see if there is any increase in encaps and decaps. 

 

Also, I would suggest you to connect from a different machine and check if this works or not. If it still does not work then please get me output of the command:

packet-tracer in inside icmp 192.168.10.10 8 0 192.168.20.x detail. Here 192.168.20.x is the ip address assigned  to the external VPN client.

 

Vishnu

I have a customer who's seeing the same behavior. Connects, unable to reach anything on the 192.168.10.x network.

The requested information is below.

 

3118-FWL001# ping inside 192.168.20.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
3118-FWL001# sho cry ips sa
interface: outside
    Crypto map tag: outside_dyn_map, seq num: 20, local addr: 199.21.66.162

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.20.2/255.255.255.255/0/0)
      current_peer: 216.211.143.85, username: kevin
      dynamic allocated peer ip: 192.168.20.2

      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 199.21.66.162, remote crypto endpt.: 216.211.143.85

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 49B2A368

    inbound esp sas:
      spi: 0xE5F78E93 (3858206355)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel, }
3118-FWL001# packet-tracer in inside icmp 192.168.10.10 8 0 192.168.20.2 detail

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x354d568, priority=1, domain=permit, deny=false
        hits=113261577, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.20.2    255.255.255.255 outside

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x3550890, priority=0, domain=permit-ip-option, deny=true
        hits=4663836, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x358aef8, priority=70, domain=inspect-icmp, deny=false
        hits=1, user_data=0x358ad58, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x3da47a0, priority=70, domain=inspect-icmp-error, deny=false
        hits=1, user_data=0x3da4600, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat (inside) 0 access-list inside_nat0_outbound
  match ip inside 192.168.10.0 255.255.255.0 outside 192.168.20.0 255.255.255.0
    NAT exempt
    translate_hits = 8, untranslate_hits = 119
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x36bbab0, priority=6, domain=nat-exempt, deny=false
        hits=7, user_data=0x36bba40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=192.168.10.0, mask=255.255.255.0, port=0
        dst ip=192.168.20.0, mask=255.255.255.0, port=0

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (199.21.66.162 [Interface PAT])
    translate_hits = 88, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x36bf688, priority=1, domain=nat, deny=false
        hits=88, user_data=0x36bf618, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x36bf378, priority=1, domain=host, deny=false
        hits=133, user_data=0x36bef30, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 10
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x3ce31f8, priority=0, domain=host-limit, deny=false
        hits=4352254, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x3e8a9d0, priority=70, domain=encrypt, deny=false
        hits=1, user_data=0x3b77084, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=192.168.20.2, mask=255.255.255.255, port=0

Phase: 12
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x3e993b0, priority=69, domain=ipsec-tunnel-flow, deny=false
        hits=1, user_data=0x3b9e11c, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.20.2, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x35869c8, priority=0, domain=permit-ip-option, deny=true
        hits=5523984, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 5990975, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

I see this in the output when you pinged from inside interface of the ASA:

#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0

 

i.e. the traffic is getting encrypted when traffic is going from the ASA to the client. Also, I see that in Packet tracer command output, everything is being permitted :

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

 

Please share your IPSec client version. Make sure that you are using latest version of IPsec VPN Client. 

Also, when you ping from the VPN client machine, open vpn client and press (cntrl+s) and you will be able to see if packets are getting encrypted or not. 

 

If this does not work then you will have to tunnelall your traffic and internet access should be given through the ASA.

 

Vishnu

I'm running 5.0.07.0440 on my machine.

Below are the results of a ping test from my machine to 192.168.10.1. Packets are encrypted, but nothing is getting to the ASA - no increments at all on the IPSec SA.

Thanks,

James

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: