01-30-2013 03:51 AM - edited 02-21-2020 06:40 PM
Good afternoon. I was wondering if anyone could help me resolve this problem. I have created a VPN tunnel between a UC540 and an ASA running software version 9.1, and I am unable to ping from the outside, from network 192.168.10.0/24 coming in on the outside interface, to the inside network 172.16.1.0/24. Because I am new to the ASA configuration I was hoping someone could provide me with a few pointers; I would be grateful. I have tried various commands and some of them may not be necessary. I have attached a file of my configuration on the ASA and used packet-tracer to discover where the problem lies, reproduced below:
ciscoasa(config)# packet-tracer input outside icmp 192.168.10.1 0 0 172.16.1.2$
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static local local destination static remote remote
Additional Information:
NAT divert to egress interface inside
Untranslate 172.16.1.2/0 to 172.16.1.2/0
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 115 in interface outside
access-list 115 extended permit ip 192.168.10.0 255.255.255.0 any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc077c78, priority=13, domain=permit, deny=false
hits=7, user_data=0xca0ef3e0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.10.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static local local destination static remote remote
Additional Information:
Static translate 192.168.10.1/0 to 192.168.10.1/0
Forward Flow based lookup yields rule:
in id=0xc8861818, priority=6, domain=nat, deny=false
hits=14, user_data=0xcb967660, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.10.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=172.16.1.0, mask=255.255.255.0, port=0, tag=0 dscp=0x0
input_ifc=outside, output_ifc=inside
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcba037b8, priority=0, domain=nat-per-session, deny=true
hits=113, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc0436b8, priority=0, domain=inspect-ip-options, deny=true
hits=160, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc885f610, priority=70, domain=inspect-icmp, deny=false
hits=11, user_data=0xcc626368, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0 dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc6313d8, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=2, user_data=0x26ccc, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=192.168.10.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=172.16.1.0, mask=255.255.255.0, port=0, tag=0 dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Any help would be much appreciated. Thank you.
01-31-2013 04:34 AM
I have exactly the same problem.
02-01-2013 01:10 PM
Hi,
The packet-tracer result is expected, as the VPN traffic doesn't reach the outside as you simulated in the packet-tracer; instead it comes with the source IP as the peer and the destination IP as the outside.
I advise you: don't use packet-tracer for VPN traffic coming encrypted to an interface.
----------
Mashal
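As an added example (not code from the thread or from Cisco), a small Python parser for the packet-tracer phase format shown in the first post: it finds the phase whose Result is DROP and flags the case Mashal describes, where the drop lands in the ipsec-tunnel-flow phase because cleartext was simulated on the interface that terminates the tunnel. The sample trace is a constructed, trimmed copy of the output above.

```python
import re

# Constructed sample: a trimmed copy of the packet-tracer output posted above.
SAMPLE_TRACE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 115 in interface outside
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Only the "key: value" lines we care about; rule dumps ("in id=...") are ignored.
FIELD = re.compile(r"^(Phase|Type|Subtype|Result|input-interface|Action|Drop-reason):\s*(.*)$")

def parse_trace(text):
    """Split packet-tracer output into a list of phase dicts plus the final summary."""
    phases, summary, current = [], {}, None
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Phase":
            current = {"phase": int(value), "type": "", "subtype": "", "result": ""}
            phases.append(current)
        elif key in ("Type", "Subtype", "Result") and current is not None and value:
            current[key.lower()] = value  # the bare trailing "Result:" has no value and is skipped
        elif key in ("input-interface", "Action", "Drop-reason"):
            summary[key] = value
    return phases, summary

def diagnose(text):
    """Return the dropping phase and whether it is the expected VPN-simulation artefact."""
    phases, summary = parse_trace(text)
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    # Cleartext injected on the tunnel-terminating interface is rejected by the
    # ipsec-tunnel-flow check, so such a drop says nothing about the real tunnel.
    expected = bool(drop and drop["subtype"] == "ipsec-tunnel-flow")
    return {"action": summary.get("Action"), "reason": summary.get("Drop-reason"),
            "drop_phase": drop, "expected_vpn_artefact": expected}
```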
02-04-2013 01:53 AM
Thanks for your reply Mashal I'll bear your advice in mind for future reference.