01-30-2013 03:51 AM - edited 02-21-2020 06:40 PM
Good afternoon. I was wondering if anyone could help me resolve this problem. I have created a VPN tunnel between a UC540 and an ASA running software version 9.1. I am unable to ping from the outside, from the network 192.168.10.0/24 coming in on the outside interface, to the inside network 172.16.1.0/24. Because I am new to ASA configuration, I was hoping someone could provide me with a few pointers; I would be grateful. I have tried various commands and some of them may not be necessary. I have attached a file of my configuration on the ASA and used packet-tracer to discover where the problem lies, reproduced below:
ciscoasa(config)# packet-tracer input outside icmp 192.168.10.1 0 0 172.16.1.2$
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static local local destination static remote remote
Additional Information:
NAT divert to egress interface inside
Untranslate 172.16.1.2/0 to 172.16.1.2/0
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 115 in interface outside
access-list 115 extended permit ip 192.168.10.0 255.255.255.0 any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc077c78, priority=13, domain=permit, deny=false
hits=7, user_data=0xca0ef3e0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.10.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static local local destination static remote remote
Additional Information:
Static translate 192.168.10.1/0 to 192.168.10.1/0
Forward Flow based lookup yields rule:
in id=0xc8861818, priority=6, domain=nat, deny=false
hits=14, user_data=0xcb967660, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.10.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=172.16.1.0, mask=255.255.255.0, port=0, tag=0 dscp=0x0
input_ifc=outside, output_ifc=inside
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcba037b8, priority=0, domain=nat-per-session, deny=true
hits=113, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc0436b8, priority=0, domain=inspect-ip-options, deny=true
hits=160, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc885f610, priority=70, domain=inspect-icmp, deny=false
hits=11, user_data=0xcc626368, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0 dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc6313d8, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=2, user_data=0x26ccc, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=192.168.10.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=172.16.1.0, mask=255.255.255.0, port=0, tag=0 dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Any help would be much appreciated. Thank you.
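The packet-tracer output above is long, and the only two lines that matter for triage are the phase whose `Result:` is `DROP` and the `Drop-reason:` in the final summary. The following is an added example, not part of the original post or any Cisco tool: a small parser that splits packet-tracer output into its phases and reports which phase denied the flow. The embedded sample is a constructed, abbreviated copy of the output posted above (phases 3 to 6 omitted); the function and field names are the example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: an abbreviated version of the packet-tracer output
# posted above. Phases 3-6 (all ALLOW) are left out to keep it short.
SAMPLE = """Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static local local destination static remote remote
Additional Information:
NAT divert to egress interface inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 115 in interface outside
access-list 115 extended permit ip 192.168.10.0 255.255.255.0 any
Additional Information:
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc6313d8, priority=69, domain=ipsec-tunnel-flow, deny=false
Result:
input-interface: outside
input-status: up
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    """One 'Phase: N' block of packet-tracer output."""
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # lines under 'Config:'
    info: list = field(default_factory=list)     # lines under 'Additional Information:'


def parse_packet_tracer(text):
    """Split packet-tracer output into a list of Phase objects and the
    final 'Result:' summary as a dict (input-interface, Action, Drop-reason...)."""
    phases, summary = [], {}
    current, section, in_summary = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            current = Phase(int(m.group(1)))
            phases.append(current)
            section = None
            continue
        # A bare 'Result:' (no value) starts the final summary block;
        # 'Result: ALLOW' / 'Result: DROP' inside a phase has a value.
        if line == "Result:":
            in_summary, current = True, None
            continue
        if in_summary:
            key, _, val = line.partition(":")
            summary[key.strip()] = val.strip()
            continue
        if current is None:
            continue
        if line == "Config:":
            section = "config"
            continue
        if line == "Additional Information:":
            section = "info"
            continue
        for key in ("Type", "Subtype", "Result"):
            if line.startswith(key + ":"):
                setattr(current, key.lower(), line[len(key) + 1:].strip())
                break
        else:
            if section == "config":
                current.config.append(line)
            elif section == "info":
                current.info.append(line)
    return phases, summary


def drop_phase(phases):
    """Return the first phase whose Result is DROP, or None if all allowed."""
    for p in phases:
        if p.result.upper() == "DROP":
            return p
    return None


def triage(text):
    """Summarise a packet-tracer run: final action, dropping phase and reason."""
    phases, summary = parse_packet_tracer(text)
    p = drop_phase(phases)
    out = {"action": summary.get("Action", ""), "phase": None}
    if p is not None:
        out.update(phase=p.number, type=p.type, subtype=p.subtype,
                   drop_reason=summary.get("Drop-reason", ""))
    return out


if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run against the sample, `triage` reports that phase 7 (`VPN` / `ipsec-tunnel-flow`) is the one returning `DROP`, with the summary reason `(acl-drop) Flow is denied by configured rule`. Pasting a full packet-tracer capture into `SAMPLE` (or reading it from a file) works the same way, since the parser keys only on the `Phase:`, `Result:`, `Config:` and `Additional Information:` markers.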
01-31-2013 04:34 AM
I have exactly the same problem.
02-01-2013 01:10 PM
Hi,
The packet-tracer result is expected, as the VPN traffic doesn't reach the outside interface the way you simulated it in packet-tracer; instead it arrives with the peer as the source IP and the outside interface as the destination IP.
I advise you not to use packet-tracer for VPN traffic that arrives encrypted at an interface.
----------
Mashal
02-04-2013 01:53 AM
Thanks for your reply Mashal I'll bear your advice in mind for future reference.