sperry
Beginner

VPN ipsec-tunnel-flow drop: flow is denied by configured rule

Good afternoon, I was wondering if anyone could help me resolve this problem. I have created a VPN tunnel between a UC540 and an ASA running software version 9.1. I am unable to ping from the outside, from network 192.168.10.0/24 coming in on the outside interface, to the inside network 172.16.1.0/24. Because I am new to the ASA configuration I was hoping someone could provide me with a few pointers; I would be grateful. I have tried various commands and some of them may not be necessary. I have attached a file of my configuration on the ASA and used packet-tracer to discover where the problem lies, reproduced below:


ciscoasa(config)# packet-tracer input outside icmp 192.168.10.1 0 0 172.16.1.2$

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static local local destination static remote remote
Additional Information:
NAT divert to egress interface inside
Untranslate 172.16.1.2/0 to 172.16.1.2/0

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 115 in interface outside
access-list 115 extended permit ip 192.168.10.0 255.255.255.0 any
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcc077c78, priority=13, domain=permit, deny=false
        hits=7, user_data=0xca0ef3e0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=192.168.10.0, mask=255.255.255.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static local local destination static remote remote
Additional Information:
Static translate 192.168.10.1/0 to 192.168.10.1/0
Forward Flow based lookup yields rule:
in  id=0xc8861818, priority=6, domain=nat, deny=false
        hits=14, user_data=0xcb967660, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=192.168.10.0, mask=255.255.255.0, port=0, tag=0
        dst ip/id=172.16.1.0, mask=255.255.255.0, port=0, tag=0 dscp=0x0
        input_ifc=outside, output_ifc=inside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcba037b8, priority=0, domain=nat-per-session, deny=true
        hits=113, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcc0436b8, priority=0, domain=inspect-ip-options, deny=true
        hits=160, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xc885f610, priority=70, domain=inspect-icmp, deny=false
        hits=11, user_data=0xcc626368, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0 dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcc6313d8, priority=69, domain=ipsec-tunnel-flow, deny=false
        hits=2, user_data=0x26ccc, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=192.168.10.0, mask=255.255.255.0, port=0, tag=0
        dst ip/id=172.16.1.0, mask=255.255.255.0, port=0, tag=0 dscp=0x0
        input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Any help would be much appreciated. Thank you.


I have exactly the same problem.

malshbou
Beginner

Hi,

The packet-tracer result is expected, as the VPN traffic doesn't reach the outside as you simulated it in packet-tracer; instead it comes with the source IP as the peer and the destination IP as the outside.

I advise you: don't use packet-tracer for VPN traffic coming encrypted to an interface.

----------

Mashal

------------------ Mashal Shboul
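As an added example (not from this thread or from Cisco), a small Python helper that parses packet-tracer output like the one quoted in the question, finds the first phase that returned DROP, and, following Mashal's explanation, flags a drop in the ipsec-tunnel-flow domain as the expected outcome of simulating cleartext for a source/destination pair the ASA expects to receive through the tunnel. The SAMPLE string is a constructed excerpt of the output above.

```python
import re

# Constructed excerpt of the packet-tracer output quoted in the question above.
SAMPLE = """Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Additional Information:
in  id=0xcc6313d8, priority=69, domain=ipsec-tunnel-flow, deny=false
        input_ifc=outside, output_ifc=any

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(text):
    """Split packet-tracer output into dicts: type, subtype, result, rule domain."""
    phases = []
    for block in re.split(r"^Phase:\s*\d+\s*$", text, flags=re.M)[1:]:
        phase = {}
        for key in ("Type", "Subtype", "Result"):
            m = re.search(rf"^{key}:\s*(.*)$", block, re.M)
            phase[key.lower()] = m.group(1).strip() if m else ""
        m = re.search(r"domain=([\w-]+)", block)
        phase["domain"] = m.group(1) if m else ""
        phases.append(phase)
    return phases

def first_drop(text):
    """Return the first phase whose Result is DROP, or None if the flow is allowed."""
    return next((p for p in parse_phases(text) if p["result"] == "DROP"), None)

def explain_drop(text):
    """Return (type, subtype, verdict) for the first DROP, or None."""
    drop = first_drop(text)
    if drop is None:
        return None
    if drop["domain"] == "ipsec-tunnel-flow":
        # Plaintext was simulated on the interface where the tunnel terminates; the ASA
        # expects this pair to arrive encrypted from the peer, so the drop is a property
        # of the simulation rather than evidence of a misconfigured policy.
        verdict = "expected: plaintext simulated for traffic the ASA expects via the tunnel"
    else:
        m = re.search(r"^Drop-reason:\s*(.*)$", text, re.M)
        verdict = "policy drop: " + (m.group(1).strip() if m else "unknown")
    return drop["type"], drop["subtype"], verdict
```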

Thanks for your reply, Mashal. I'll bear your advice in mind for future reference.
