07-26-2010 07:51 PM - edited 02-21-2020 04:45 PM
I have a home lab setup with a PIX 515 running 8.03 code. I have made several changes over the past week and now when I terminate a VPN connection to the outside interface I am unable to hit any internal resources. My VPN connection is coming from 10.22.254.0/24 trying to hit internal nodes at 10.22.1.0/24, see below. When I terminate a VPN connection against the inside interface it works, so I take it I'm dealing with a NAT issue? I don't have a clue why Phase 9 is failing :-\ Any help would be great!
-------
access-list nonat extended permit ip 10.22.254.0 255.255.255.0 10.22.1.0 255.255.255.0
nat (inside) 0 access-list nonat
-------
global (outside) 1 interface
-------
access-list split extended permit ip 10.22.1.0 255.255.255.0 10.22.254.0 255.255.255.0
-------
packet-tracer input inside tcp 10.22.1.15 1025 10.22.254.15 3389 detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2bb3450, priority=0, domain=permit-ip-option, deny=true
hits=17005, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x304ae48, priority=12, domain=ipsec-tunnel-flow, deny=true
hits=17005, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat (inside) 0 access-list nonat
nat-control
match ip inside 10.22.1.0 255.255.255.0 outside 10.22.254.0 255.255.255.0
NAT exempt
translate_hits = 6, untranslate_hits = 5
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2be2a00, priority=6, domain=nat-exempt, deny=false
hits=5, user_data=0x2be2960, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=10.22.1.0, mask=255.255.255.0, port=0
dst ip=10.22.254.0, mask=255.255.255.0, port=0
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,DMZ) 10.22.1.0 10.22.1.0 netmask 255.255.255.0
nat-control
match ip inside 10.22.1.0 255.255.255.0 DMZ any
static translation to 10.22.1.0
translate_hits = 10, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2d52800, priority=5, domain=host, deny=false
hits=21654, user_data=0x2d51dc8, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.22.1.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
match ip inside any outside any
dynamic translation to pool 1 (192.168.20.20 [Interface PAT])
translate_hits = 2909, untranslate_hits = 9
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2d4a7d0, priority=1, domain=nat, deny=false
hits=16973, user_data=0x2d4a730, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x3328000, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x1efa0cc, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.22.1.0, mask=255.255.255.0, port=0
dst ip=10.0.0.0, mask=255.0.0.0, port=0
Phase: 9
Type: ACCESS-LIST
Subtype: ipsec-user
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x3329a48, priority=69, domain=ipsec-user, deny=true
hits=37, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=10.0.0.0, mask=255.0.0.0, port=0
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
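When reading a packet-tracer trace like the one above, the useful facts are buried in the per-phase blocks: which phase returned DROP, which classification domain its rule belongs to, and whether the NAT-exempt phase matched at all. The following parser is an added example and not code from the original thread or from Cisco; it extracts those facts from packet-tracer output so that the drop phase (here phase 9, domain ipsec-user) and the NAT-exempt result can be read off programmatically. The SAMPLE text is a constructed, trimmed copy of the phases shown in the post.

```python
"""Parse Cisco PIX/ASA packet-tracer output and report which phase dropped the packet.

Added example; the SAMPLE below is constructed from the phases shown in the post
(phases 1, 5 and 9 plus the final Result block), not a live capture.
"""
import re
from dataclasses import dataclass, field

SAMPLE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat (inside) 0 access-list nonat
nat-control
match ip inside 10.22.1.0 255.255.255.0 outside 10.22.254.0 255.255.255.0
NAT exempt
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2be2a00, priority=6, domain=nat-exempt, deny=false
Phase: 9
Type: ACCESS-LIST
Subtype: ipsec-user
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x3329a48, priority=69, domain=ipsec-user, deny=true
hits=37, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=10.0.0.0, mask=255.0.0.0, port=0
Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # lines under "Config:"
    rule: dict = field(default_factory=dict)     # parsed "in/out id=... domain=..." line


# The rule line packet-tracer prints after "Forward Flow based lookup yields rule:"
RULE_RE = re.compile(
    r"^(?P<dir>in|out) id=(?P<id>0x[0-9a-f]+), priority=(?P<priority>\d+), "
    r"domain=(?P<domain>[\w-]+), deny=(?P<deny>true|false)"
)


def parse(text):
    """Split packet-tracer output into Phase objects plus the trailing Result summary."""
    phases, summary = [], {}
    cur, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            cur = Phase(int(line.split(":", 1)[1]))
            phases.append(cur)
            section = None
            continue
        if line == "Result:":            # bare "Result:" opens the final summary block
            cur, section = None, "summary"
            continue
        if section == "summary":
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
            continue
        if cur is None:
            continue
        if line.startswith("Type:"):
            cur.type = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            cur.subtype = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):  # per-phase "Result: ALLOW|DROP"
            cur.result = line.split(":", 1)[1].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            cur.config.append(line)
        else:
            m = RULE_RE.match(line)
            if m:
                cur.rule = m.groupdict()
    return phases, summary


def diagnose(text):
    """Return the dropping phase, its rule domain, and whether NAT exemption matched."""
    phases, summary = parse(text)
    dropped = next((p for p in phases if p.result == "DROP"), None)
    exempt = any(p.type == "NAT-EXEMPT" and p.result == "ALLOW" for p in phases)
    return {
        "action": summary.get("Action"),
        "drop_reason": summary.get("Drop-reason"),
        "drop_phase": dropped.number if dropped else None,
        "drop_type": f"{dropped.type}/{dropped.subtype}" if dropped else None,
        "drop_domain": dropped.rule.get("domain") if dropped else None,
        "nat_exempt_matched": exempt,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key:>20}: {value}")
```

Run against the poster's trace, diagnose() reports that NAT exemption did match (phase 5) and that the drop came from phase 9 in the ipsec-user domain, which is why the thread's later replies concentrate on vpn-filter and sysopt connection permit-vpn rather than on the translation itself.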
07-29-2010 11:49 AM
No, the nonat ACL only requires defining traffic from the internal network to the
VPN pool. You should remove the other entries.
Remove:
access-list nonat line 8 extended permit ip 10.22.254.0 255.255.255.0 object-group DM_INLINE_NETWORK_18
access-list nonat line 8 extended permit ip 10.22.254.0 255.255.255.0 10.22.1.0 255.255.255.0
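The accepted answer's rule is that a nat 0 ACL applied on the inside interface should contain only entries whose source is the internal network and whose destination is the VPN pool, and that entries written in the opposite direction should be removed. The following lint is an added example, not the thread's or Cisco's code; it assumes the inside network 10.22.1.0/24 and the VPN pool 10.22.254.0/24 from the thread, and classifies each nonat ACE as ok, reversed (VPN pool as source), unresolved (object-group reference it cannot expand), or unexpected. The ACL lines are constructed from the ones quoted in the thread.

```python
"""Check nat 0 (NAT-exempt) ACL entries for direction mistakes.

Added example. Assumes the inside network and VPN pool from the thread; the
NONAT_LINES are constructed from the access-list lines quoted in the posts.
"""
import ipaddress

INSIDE_NETS = [ipaddress.ip_network("10.22.1.0/24")]
VPN_POOL = ipaddress.ip_network("10.22.254.0/24")

NONAT_LINES = [
    "access-list nonat extended permit ip 10.22.1.0 255.255.255.0 10.22.254.0 255.255.255.0",
    "access-list nonat line 8 extended permit ip 10.22.254.0 255.255.255.0 object-group DM_INLINE_NETWORK_18",
    "access-list nonat line 8 extended permit ip 10.22.254.0 255.255.255.0 10.22.1.0 255.255.255.0",
]


def _addr(tokens, i):
    """Consume one address spec (any | host A | A MASK | object-group NAME) at tokens[i]."""
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if t == "object-group":
        return None, i + 2          # cannot expand without the object-group definitions
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}"), i + 2


def parse_ace(line):
    """Parse an 'access-list NAME [line N] extended permit|deny ip SRC DST' entry."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or "extended" not in tokens:
        return None
    i = tokens.index("extended") + 1
    action, proto = tokens[i], tokens[i + 1]
    if proto != "ip":
        return None                 # nat 0 ACLs only make sense for plain ip entries
    src, i = _addr(tokens, i + 2)
    dst, i = _addr(tokens, i)
    return {"name": tokens[1], "action": action, "src": src, "dst": dst, "text": line}


def lint_nonat(lines, inside_nets, vpn_pool):
    """Classify each permit entry of a nat 0 ACL applied on the inside interface."""
    findings = []
    for line in lines:
        ace = parse_ace(line)
        if ace is None or ace["action"] != "permit":
            continue
        src, dst = ace["src"], ace["dst"]
        if src is None or dst is None:
            findings.append(("unresolved", line))
        elif src.subnet_of(vpn_pool):
            # Source is the VPN pool: the direction the accepted answer says to remove.
            findings.append(("reversed", line))
        elif any(src.subnet_of(n) for n in inside_nets) and dst.subnet_of(vpn_pool):
            findings.append(("ok", line))
        else:
            findings.append(("unexpected", line))
    return findings


if __name__ == "__main__":
    for verdict, text in lint_nonat(NONAT_LINES, INSIDE_NETS, VPN_POOL):
        print(f"{verdict:>10}: {text}")
```

The object-group entry is reported as unresolved rather than guessed at; resolving it would require the object-group network definitions from the full configuration, which the thread only references as an attachment.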
07-26-2010 08:12 PM
Could you check up with your vpn filter for the tunnel? It must be within your group-policy with the command vpn-filter value
For more info on vpn-filter:
07-27-2010 05:59 AM
I did not configure a VPN filter for this Group Policy; see below.
group-policy vpnclient internal
group-policy vpnclient attributes
dns-server value 4.2.2.2
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
I am receiving the following error when I ping into the tunnel; is this not a NAT issue?
3 Jul 27 2010 05:36:54 106014 Deny inbound icmp src outside:10.22.254.51 dst inside:10.22.1.15 (type 8, code 0)
07-27-2010 06:19 AM
It's very strange... If I do a continuous ping to the IP, it will eventually start responding after 10 minutes or so.
------------
c:\>ping 10.22.1.15 /t
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 10.22.1.15: bytes=32 time=25ms TTL=127
Reply from 10.22.1.15: bytes=32 time=26ms TTL=127
Reply from 10.22.1.15: bytes=32 time=26ms TTL=127
Reply from 10.22.1.15: bytes=32 time=25ms TTL=127
Reply from 10.22.1.15: bytes=32 time=25ms TTL=127
Reply from 10.22.1.15: bytes=32 time=61ms TTL=127
Reply from 10.22.1.15: bytes=32 time=52ms TTL=127
Reply from 10.22.1.15: bytes=32 time=98ms TTL=127
------------
Deny when telnetting to a port:
c:\>telnet 10.22.1.15 3389
Connecting To 10.22.1.15...
------------
2 Jul 27 2010 05:59:15 106001 10.22.254.51 3083 10.22.1.15 3389 Inbound TCP connection denied from 10.22.254.51/3083 to 10.22.1.15/3389 flags SYN on interface outside
------------
07-27-2010 06:31 AM
Can you attach your entire config if it's not a problem? You can mask the public IPs.
07-27-2010 09:55 AM
07-27-2010 07:50 AM
Can you post the "show run all group-policy" output?
07-27-2010 11:13 AM
Can you run the following command and post the output of:
show run all | grep sysopt
Thanks.
07-27-2010 11:24 AM
Nothing displays.
# show run all | grep sysopt
#
The complete config is listed above.
07-27-2010 12:16 PM
Try configuring ICMP inspection...
policy-map global_policy
class inspection_default
inspect icmp
07-27-2010 12:31 PM
It is not an inspection rule. I can't hit any resources on the inside once I terminate my IPSec connection.
c:\>telnet 10.22.1.15 3389
Connecting To 10.22.1.15...
2 Jul 27 2010 12:13:52 106001 10.22.254.51 2936 10.22.1.15 3389 Inbound TCP connection denied from 10.22.254.51/2936 to 10.22.1.15/3389 flags SYN on interface outside
I added your policy commands and they did not fix the issue.
07-27-2010 12:28 PM
It looks like at phase 9 your traffic is blocked by an ACL. Your VPN traffic should not be subjected to ACLs. This command may help you here:
sysopt connection permit-vpn
Here's more on the command:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1412217
Good luck.
07-27-2010 12:35 PM
I enabled the command and I'm still being denied.
#sh run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt connection permit-vpn
no sysopt connection reclassify-vpn
07-27-2010 12:39 PM
Can you disable nat-control?
07-27-2010 12:43 PM
#no nat-control
Same issue..