Vpn ipsec-tunnel-flow drop flow is denied by configured rule

sperry
Level 1

Good afternoon. I was wondering if anyone could help me resolve this problem. I have created a VPN tunnel between a UC540 and an ASA running software version 9.1. I am unable to ping from the outside, from network 192.168.10.0/24 coming in on the outside interface, to the inside network 172.16.1.0/24. Because I am new to ASA configuration I was hoping someone could provide me with a few pointers; I would be grateful. I have tried various commands, and some of them may not be necessary. I have attached a file of my configuration on the ASA and used packet-tracer to discover where the problem lies, reproduced below:


ciscoasa(config)# packet-tracer input outside icmp 192.168.10.1 0 0 172.16.1.2$

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static local local destination static remote remote
Additional Information:
NAT divert to egress interface inside
Untranslate 172.16.1.2/0 to 172.16.1.2/0

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 115 in interface outside
access-list 115 extended permit ip 192.168.10.0 255.255.255.0 any
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcc077c78, priority=13, domain=permit, deny=false
        hits=7, user_data=0xca0ef3e0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=192.168.10.0, mask=255.255.255.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static local local destination static remote remote
Additional Information:
Static translate 192.168.10.1/0 to 192.168.10.1/0
Forward Flow based lookup yields rule:
in  id=0xc8861818, priority=6, domain=nat, deny=false
        hits=14, user_data=0xcb967660, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=192.168.10.0, mask=255.255.255.0, port=0, tag=0
        dst ip/id=172.16.1.0, mask=255.255.255.0, port=0, tag=0 dscp=0x0
        input_ifc=outside, output_ifc=inside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcba037b8, priority=0, domain=nat-per-session, deny=true
        hits=113, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcc0436b8, priority=0, domain=inspect-ip-options, deny=true
        hits=160, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xc885f610, priority=70, domain=inspect-icmp, deny=false
        hits=11, user_data=0xcc626368, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0 dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcc6313d8, priority=69, domain=ipsec-tunnel-flow, deny=false
        hits=2, user_data=0x26ccc, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=192.168.10.0, mask=255.255.255.0, port=0, tag=0
        dst ip/id=172.16.1.0, mask=255.255.255.0, port=0, tag=0 dscp=0x0
        input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Any help would be much appreciated. Thank you.

3 Replies

I have exactly the same problem.

malshbou
Level 1

Hi,

The packet-tracer result is expected, as the VPN traffic doesn't reach the outside as you simulated it in the packet-tracer; instead it comes with the source IP as the peer and the destination IP as the outside.

I advise you: don't use packet-tracer for VPN traffic coming encrypted to an interface.

----------

Mashal

------------------ Mashal Shboul
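To make the reply's point concrete, here is an added example (my own code, not from the original post or from Cisco) that parses the packet-tracer output quoted above, pulls out the phase that returned DROP and checks whether the simulated source address lies inside the network the ipsec-tunnel-flow rule covers, i.e. traffic the ASA expects to receive inside the tunnel rather than in the clear on the outside interface. The sample text is abridged from the post; the function names are assumptions of this example.

```python
import ipaddress
import re
# Abridged from the packet-tracer output in the post above (phases 1-6 omitted).
TRACE = """\
ciscoasa(config)# packet-tracer input outside icmp 192.168.10.1 0 0 172.16.1.2
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
in  id=0xcc6313d8, priority=69, domain=ipsec-tunnel-flow, deny=false
        src ip/id=192.168.10.0, mask=255.255.255.0, port=0, tag=0
        dst ip/id=172.16.1.0, mask=255.255.255.0, port=0, tag=0 dscp=0x0
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
NET_RE = re.compile(r"(src|dst) ip/id=([\d.]+), mask=([\d.]+)")

def parse_trace(text):
    """Split packet-tracer output into the simulated source, its phases and the verdict."""
    trace = {"phases": [], "action": None, "drop_reason": None}
    phase = None
    for line in text.splitlines():
        key, _, val = line.strip().partition(":")
        val = val.strip()
        if m := re.search(r"packet-tracer input \S+ \S+ ([\d.]+) ", line):
            trace["src"] = ipaddress.ip_address(m[1])   # the simulated source address
        elif key == "Phase":                             # "Phase: 7" opens a phase block
            phase = {"phase": int(val), "rule": {}}
            trace["phases"].append(phase)
        elif key == "Result" and not val:                # bare "Result:" opens the summary
            phase = None
        elif phase is None and key:                      # Action, Drop-reason, input-status...
            trace[key.lower().replace("-", "_")] = val
        elif key in ("Type", "Subtype", "Result"):
            phase[key.lower()] = val
        elif m := re.search(r"domain=([\w-]+)", line):   # the rule the phase matched
            phase["rule"]["domain"] = m[1]
        elif m := NET_RE.search(line):                   # networks that rule covers
            phase["rule"][m[1]] = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
    return trace

def explain_drop(text):
    """First DROP phase, plus whether the simulated source sits inside its rule's network."""
    trace = parse_trace(text)
    drop = next((p for p in trace["phases"] if p.get("result") == "DROP"), None)
    if drop is None:
        return None
    return {"phase": drop["phase"], "subtype": drop.get("subtype"), "reason": trace["drop_reason"],
            "source_in_rule_net": "src" in drop["rule"] and trace["src"] in drop["rule"]["src"]}
```

When `source_in_rule_net` is true for an ipsec-tunnel-flow drop, the tracer was fed a cleartext packet from a network the crypto rule protects, which is the situation the reply describes; the same parser runs unchanged over the full output in the post.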

Thanks for your reply Mashal I'll bear your advice in mind for future reference. 
