02-10-2015 09:12 AM
I have a VPN between two sites which is working fine. Traffic is initiated from site A and can successfully connect to site B OK.
I have just tried to configure traffic from site B to site A, but it's failing at the VPN encrypt point. I have checked the ACLs and they match:
site A (PIX)
crypto acl
access-list site_a permit tcp host 10.51.3.32 10.0.0.0 255.0.0.0 eq 3389
no nat
access-list no_nat permit ip host 10.51.3.32 10.0.0.0 255.0.0.0
site B (ASA)
crypto acl
access-list site_b extended permit tcp 10.0.0.0 255.0.0.0 host 10.51.3.32 eq 3389
no nat
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 host 10.51.3.32
The only difference I can see is the extended ACL, but it works OK in one direction?
Thanks
02-11-2015 08:02 AM
Hi,
Using port-based ACLs for crypto maps is not recommended; use IP access lists and configure VPN filters to implement port restrictions.
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/116639-technote-asa-00.html
Regards,
Abaji
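The original question is whether the two crypto ACLs really mirror each other, and the answer above is that the crypto ACL should be IP-only with port restrictions moved to a VPN filter. The following is an added example (not code from the thread or from Cisco) that mechanises both checks: it parses the PIX and ASA access-list forms shown in the posts (`permit PROTO SRC [eq PORT] DST [eq PORT]`, with `any`, `host A.B.C.D` or `A.B.C.D MASK` addresses) and reports any entry that is port-based or that has no exact mirror (source and destination swapped, including any port qualifier) on the other side. It assumes IPv4 only, `eq` as the only port operator, and the ACL lines exactly as posted; the `check_crypto_acls` function and its output wording are this example's own.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    """One permit entry of a crypto ACL, with optional 'eq' port qualifiers on either side."""
    proto: str
    src: IPv4Network
    dst: IPv4Network
    sport: Optional[str]  # 'eq PORT' after the source, None if absent
    dport: Optional[str]  # 'eq PORT' after the destination, None if absent

    @property
    def port_based(self) -> bool:
        return self.sport is not None or self.dport is not None


def _parse_addr(tokens: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Consume one address at tokens[i]: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return IPv4Network(tokens[i + 1] + "/32"), i + 2
    # strict=False keeps an entry with host bits set under the mask from raising
    return IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[str], int]:
    """Consume an optional 'eq PORT' qualifier at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        return tokens[i + 1], i + 2
    return None, i


def parse_acl_line(line: str) -> AclEntry:
    """Parse 'access-list NAME [extended] permit PROTO SRC [eq P] DST [eq P]' (PIX or ASA form)."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    i = 3 if tokens[2] == "extended" else 2  # ASA adds 'extended'; PIX omits it
    if tokens[i] != "permit":
        raise ValueError(f"only permit entries define protected traffic: {line!r}")
    proto = tokens[i + 1]
    src, i = _parse_addr(tokens, i + 2)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, _ = _parse_port(tokens, i)
    return AclEntry(proto, src, dst, sport, dport)


def is_mirror(a: AclEntry, b: AclEntry) -> bool:
    """True when b is a's exact mirror image: addresses and port qualifiers swap sides."""
    return (a.proto == b.proto and a.src == b.dst and a.dst == b.src
            and a.sport == b.dport and a.dport == b.sport)


def check_crypto_acls(side_a: List[str], side_b: List[str]) -> List[str]:
    """Return findings; an empty list means both ACLs are IP-only and mirror each other."""
    a_entries = [parse_acl_line(l) for l in side_a]
    b_entries = [parse_acl_line(l) for l in side_b]
    findings = []
    for e in a_entries + b_entries:
        if e.port_based:
            findings.append("port-based crypto entry (move the port restriction to a vpn-filter): "
                            f"{e.proto} {e.src} -> {e.dst} eq {e.sport or e.dport}")
    for label, own, other in (("B", a_entries, b_entries), ("A", b_entries, a_entries)):
        for e in own:
            if not any(is_mirror(e, f) for f in other):
                findings.append(f"no mirror on side {label} for: {e.proto} {e.src} -> {e.dst}")
    return findings


# The crypto ACLs as posted in the thread: the port-based pair, then the IP-only rewrite
ORIGINAL_A = ["access-list site_a permit tcp host 10.51.3.32 10.0.0.0 255.0.0.0 eq 3389"]
ORIGINAL_B = ["access-list site_b extended permit tcp 10.0.0.0 255.0.0.0 host 10.51.3.32 eq 3389"]
REVISED_A = ["access-list site_a permit ip host 10.51.3.32 10.0.0.0 255.0.0.0"]
REVISED_B = ["access-list site_b extended permit ip 10.0.0.0 255.0.0.0 host 10.51.3.32"]

if __name__ == "__main__":
    for label, a, b in (("original", ORIGINAL_A, ORIGINAL_B), ("revised", REVISED_A, REVISED_B)):
        print(label, "->", check_crypto_acls(a, b) or ["clean: IP-only and mirrored"])
```

Run against the posted lines, the port-based pair produces two port-based findings and two mirror findings (each side's `eq 3389` sits on the destination, so neither entry is the exact mirror of the other), while the IP-only rewrite produces none.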
02-11-2015 09:18 AM
Hi Abaji
Thanks for your response.
I've changed the ACL but it is still failing at the same point. Config and capture below:
site A
access-list site_a permit ip host 10.51.3.32 10.0.0.0 255.0.0.0
access-list no_nat permit ip host 10.51.3.32 10.0.0.0 255.0.0.0
site B
access-list site_b extended permit ip 10.0.0.0 255.0.0.0 host 10.51.3.32
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 host 10.51.3.32
SITEB/pri/act# packet-tracer input inside tcp 10.0.0.0 555 10.51.3.32 3389
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl_in in interface inside
access-list acl_in extended permit ip 10.0.0.0 255.0.0.0 host 10.51.3.32
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 10.0.0.0 255.255.0.0 outside 10.51.0.0 255.255.0.0
NAT exempt
translate_hits = 1, untranslate_hits = 0
Additional Information:
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,dmz1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
match ip inside 10.0.0.0 255.0.0.0 dmz1 any
static translation to 10.0.0.0
translate_hits = 163183, untranslate_hits = 3799793
Additional Information:
Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 10.0.0.0 255.0.0.0
match ip inside 10.0.0.0 255.0.0.0 outside any
dynamic translation to pool 1 (193.x.x.x)
translate_hits = 80872410, untranslate_hits = 9060235
Additional Information:
Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
03-21-2015 07:29 AM
Could you check if the tunnel is up?
show cry isa sa
show cry ips sa peer <peer ip>
If the tunnel is not up, use the following debugs:
debug cry cond peer <peer ip>
debug cry isa 127
debug cry ips 127
After the debugs are collected, type "undebug all".
03-23-2015 12:47 PM
Hi Abaji
Changing the ACL to full IP did work. I left it, and it was working when I went to look at it again.
Thanks
03-21-2015 09:12 AM
Packet tracer will keep showing a drop until the tunnel comes up. If the tunnel does not come up, check vpn related logs and debugs.
03-21-2015 07:23 PM
Hi there,
- - - - - - - - - - - - - - - - - -
Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 10.0.0.0 255.255.0.0 outside 10.51.0.0 255.255.0.0
NAT exempt
translate_hits = 1, untranslate_hits = 0
Additional Information:
- - - - - - - - - - - - - - - - - -
I suspect that you might have another tunnel whose routes overlap with Site A.
Thanks