04-15-2017 08:46 PM
ASA 5506-X with 9.6(1) connecting to remote strongswan, attempting to route all traffic on specific subnet over the VPN and out.
I know pretty much nothing about this, so it's been a struggle, but I've managed to get the tunnel itself established. However, I can't pass traffic through it.
Running a packet tracer using a source on the subnet in question to an external IP shows the packet being allowed over the VPN, but then being dropped by some ACL:
Phase: 8
Type: ACCESS-LIST
Subtype: filter-aaa
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2aaac0c8f660, priority=12, domain=filter-aaa, deny=true
hits=3782, user_data=0x2aaabb918c40, filter_id=0x0(-implicit deny-), protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Full running config and packet trace are attached.
For the life of me, I can't figure out what ACL is dropping this. I've attempted the following to no effect:
1. Removing the vpn-filter from the 'strongswan' group-policy completely
2. Creating a vpn-filter allowing any any
3. Creating a global ACL to allow any any
4. Creating an outbound ACL on my outside interface to allow any any
I'm pretty certain that I'm just missing something that would be obvious to someone who knows what they're doing, but my Google-fu has failed me on this one, so I'd appreciate any help.
Thanks!
Solved!
04-18-2017 01:11 AM
You don't need vpn-filter at all. You can delete that.
The issue is the NAT. You are NATing your private IP addresses to the outside IP of your ASA, but the VPN is only for the inside private IP addresses.
If you delete all three "nat" lines it will be happy.
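As an added illustration of the accepted answer (this is not the thread's attached config, and the three original "nat" lines are not shown on the page): rather than removing NAT entirely, an ASA can keep dynamic PAT for other subnets and exempt only the VPN-bound subnet with a manual (twice) NAT identity rule, so the source address the crypto ACL expects (192.168.100.0/24, taken from the crypto ACL quoted later in the thread) is still present when the crypto map is evaluated. Interface names "inside" and "outside", the object names, and the sample addresses used in the verification commands are assumptions.

```cisco
! Added example, not the original poster's configuration.
! Assumed: interfaces "inside"/"outside", local encryption domain 192.168.100.0/24.
!
! --- Illustrative problem pattern (assumed form of the PAT rule) ---
! object network LAN-192.168.100.0
!  subnet 192.168.100.0 255.255.255.0
!  nat (inside,outside) dynamic interface
! After this PAT the packet leaves with the outside interface IP as source,
! so it no longer matches the crypto ACL "192.168.100.0/24 -> any" and is
! never sent into the tunnel.
!
! --- Fix: identity NAT exemption for the VPN subnet (Section 1 manual NAT,
!     evaluated before object/auto NAT, so it wins over the PAT rule) ---
object network LAN-192.168.100.0
 subnet 192.168.100.0 255.255.255.0
object network ANY4
 subnet 0.0.0.0 0.0.0.0
! "route-lookup" keeps egress-interface selection on the routing table;
! "no-proxy-arp" avoids the ASA answering ARP for the identity-mapped range.
nat (inside,outside) source static LAN-192.168.100.0 LAN-192.168.100.0 destination static ANY4 ANY4 no-proxy-arp route-lookup
!
! --- Verification (constructed sample addresses; run from exec mode) ---
! packet-tracer input inside tcp 192.168.100.10 40000 203.0.113.10 443 detailed
!   expected: a NAT phase citing the exemption rule, then VPN / ENCRYPT, Result: ALLOW
! show nat detail
!   expected: translate_hits on the identity rule increasing for this subnet
! show crypto ipsec sa peer <strongswan-peer-ip>
!   expected: #pkts encaps and #pkts decaps both climbing once traffic flows
```

Because the destination object is 0.0.0.0/0, every flow from 192.168.100.0/24 is exempted from PAT, which matches the full-tunnel intent described in the thread; a split-tunnel design would narrow the destination object to the remote encryption domain instead.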
04-15-2017 09:49 PM
This would normally specify the destination encryption domain.
access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 any
What is the remote subnet you are wanting to access?
04-17-2017 09:07 AM
Hi Philip,
I'm trying to backhaul all traffic from that subnet over the VPN, so the destination is 0.0.0.0/0. Is there a more proper way to do that?
From the packet tracer, it seems that encryption is getting triggered as expected, but the traffic is being dropped from an ACL (which _seems_ to be the vpn-filter judging from where it happens, but I've attempted both removing the vpn-filter and creating an ACL that allows any any).
Thanks!
04-18-2017 09:16 AM
YESSSSSSS
That was it, thanks so much Philip!!!