07-31-2015 10:41 AM
Hi, I want to establish a site-to-site VPN between an ASA and VMware vCloud, which is not getting established. Below are some outputs.
I don't know what is happening here; debug crypto isakmp does not show anything either. I have tried to generate traffic as well.
6 Jul 31 2015 10:35:11 302013 10.16.40.66 54508 192.168.0.6 80 Built outbound TCP connection 244154730 for outside:192.168.0.6/80 (192.168.0.6/80) to inside:10.16.40.66/54508 (X.X.X.135/54508)
Traffic from inside is NAT'd to x.x.x.135, while the actual interface IP and the VPN configuration are for x.x.x.131.
FW/act# packet-tracer input inside tcp 10.0.0.8 www 192.168.0.6 www d$

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0x7fff31ad44b0, priority=13, domain=capture, deny=false
        hits=964706265, user_data=0x7fff31766230, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=inside, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0x7fff2e6d45a0, priority=1, domain=permit, deny=false
        hits=8338632634, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.0.0     255.255.255.0   outside

Phase: 4
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_8 NETWORK_OBJ_10.0.0.0_8 destination static CLOUD-PRIVATE CLOUD-PRIVATE no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.0.6/80 to 192.168.0.6/80

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any object CLOUD-PRIVATE
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0x7fff39078980, priority=13, domain=permit, deny=false
        hits=175, user_data=0x7fff26dcfc00, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=192.168.0.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_8 NETWORK_OBJ_10.0.0.0_8 destination static CLOUD-PRIVATE CLOUD-PRIVATE no-proxy-arp route-lookup
Additional Information:
Static translate 10.0.0.8/80 to 10.0.0.8/80
Forward Flow based lookup yields rule:
 in  id=0x7fff328bd9b0, priority=6, domain=nat, deny=false
        hits=2, user_data=0x7fff355ed5b0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=net-10.0.0.0-8, mask=255.0.0.0, port=0, tag=0
        dst ip/id=192.168.0.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0x7fff2e110fc0, priority=1, domain=nat-per-session, deny=true
        hits=419704229, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0x7fff2e6dd570, priority=0, domain=inspect-ip-options, deny=true
        hits=268406753, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 9
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0x7fff319b5bc0, priority=21, domain=lu, deny=true
        hits=68917269, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 10
Type: QOS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
 out id=0x7fff2ebbab30, priority=72, domain=qos-per-class, deny=false
        hits=249826386, user_data=0x7fff2ebba6a0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=outside

Phase: 11
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
 out id=0x7fff3313de60, priority=70, domain=encrypt, deny=false
        hits=3, user_data=0x0, cs_id=0x7fff374f4650, reverse, flags=0x0, protocol=0
        src ip/id=net-10.0.0.0-8, mask=255.0.0.0, port=0, tag=0
        dst ip/id=192.168.0.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=outside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
FW/act# packet-tracer input inside rawip 10.0.0.100 6 192.168.0.10 de$

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0x7fff31ad44b0, priority=13, domain=capture, deny=false
        hits=966923113, user_data=0x7fff31766230, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=inside, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0x7fff2e6d45a0, priority=1, domain=permit, deny=false
        hits=8339741044, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.0.0     255.255.255.0   outside

Phase: 4
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_8 NETWORK_OBJ_10.0.0.0_8 destination static CLOUD-PRIVATE CLOUD-PRIVATE no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.0.10/0 to 192.168.0.10/0

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0x7fff2e6e0500, priority=500, domain=permit, deny=true
        hits=0, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
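The two traces above are long, and what matters in each is the single phase that returned DROP and the Drop-reason at the end. This added example (not from the original post) parses packet-tracer output in the multi-line layout the ASA prints and reports the first dropping phase; the two samples are constructed from the tails of the posted runs, with the earlier ALLOW phases omitted.

```python
import re

# Constructed samples (added example, not from the original post): the final
# phase and result block of each posted packet-tracer run, as the ASA prints it.
TRACE_TCP = """\
Phase: 11
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
TRACE_RAWIP = """\
Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase: (?P<num>\d+)\nType: (?P<type>[^\n]*)\n"
                      r"Subtype: ?(?P<subtype>[^\n]*)\nResult: (?P<result>\w+)", re.M)
DROP_RE = re.compile(r"^Drop-reason: (?P<reason>.+)$", re.M)

def parse_phases(trace):
    """One dict per phase: number, type, subtype and its ALLOW/DROP verdict."""
    return [{"num": int(m["num"]), "type": m["type"], "subtype": m["subtype"],
             "result": m["result"]} for m in PHASE_RE.finditer(trace)]

def first_drop(trace):
    """Return the phase that dropped the flow (packet-tracer stops at the first
    DROP, so its Type/Subtype/Config is where to look), or None if all ALLOW."""
    for phase in parse_phases(trace):
        if phase["result"] == "DROP":
            m = DROP_RE.search(trace)
            phase["reason"] = m["reason"] if m else ""
            return phase
    return None
```

Run against the first posted trace it points at phase 11 (VPN encrypt); against the second it points at phase 5 (ACCESS-LIST, Implicit Rule), which is a different problem from the tunnel itself.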
07-31-2015 10:22 PM
Have you checked your crypto ACLs?
Thanks
Hitesh
08-01-2015 01:06 AM
This is how the configuration looks:
object-group network group.internal-servers
 network-object object nt-network
object network nt-network
 subnet 10.220.0.0 255.255.255.0
object-group network group.external-servers
 network-object object VPN-network
object network VPN-network
 subnet 172.27.222.0 255.255.255.0
object network PRIVATE
 subnet 192.168.0.0 255.255.255.0
ACLs
access-list outside_cryptomap extended permit ip object-group group.internal-servers object-group group.external-servers
access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.0.0.0 object PRIVATE
Crypto Map
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer Y.Y.Y.66
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer X.X.X.40
crypto map outside_map 2 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 2 set security-association lifetime seconds 86400
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer vpn-book-cci
crypto map outside_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 60 match address outside_60_cryptomap
crypto map outside_map 60 set peer se-vpn-ssc
crypto map outside_map 60 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 60 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
It is x.x.x.40 that is failing
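To answer Hitesh's question about the crypto ACLs in a checkable way, this added example (not the poster's or Cisco's code) models the posted objects, crypto ACLs and crypto map entries and reports which peer a given flow is "interesting traffic" for, using the ASA's first-match-by-sequence-number rule. X.X.X.40 and Y.Y.Y.66 are the post's own placeholders; entries 20 and 60 are left out because their ACLs were not posted.

```python
from ipaddress import ip_address, ip_network

# Objects and groups copied from the posted configuration; the peer addresses
# are the post's own X.X.X.40 / Y.Y.Y.66 placeholders. Entries 20 and 60 are
# left out because their ACLs are not in the post.
OBJECTS = {
    "nt-network": ip_network("10.220.0.0/24"),
    "VPN-network": ip_network("172.27.222.0/24"),
    "PRIVATE": ip_network("192.168.0.0/24"),
    "10.0.0.0/8": ip_network("10.0.0.0/8"),  # inline subnet in outside_cryptomap_1
}
GROUPS = {
    "group.internal-servers": ["nt-network"],
    "group.external-servers": ["VPN-network"],
}
# Crypto ACLs as (source, destination) ACEs; every posted ACE is 'permit ip'.
CRYPTO_ACLS = {
    "outside_cryptomap": [("group.internal-servers", "group.external-servers")],
    "outside_cryptomap_1": [("10.0.0.0/8", "PRIVATE")],
}
# (sequence, match-address ACL, peer), in the order the ASA evaluates them.
CRYPTO_MAP = [
    (1, "outside_cryptomap", "Y.Y.Y.66"),
    (2, "outside_cryptomap_1", "X.X.X.40"),
]

def resolve(name):
    """Expand an object or object-group name to the networks it covers."""
    if name in GROUPS:
        return [net for member in GROUPS[name] for net in resolve(member)]
    return [OBJECTS[name]]

def ace_matches(ace, src, dst):
    src_name, dst_name = ace
    return (any(src in net for net in resolve(src_name))
            and any(dst in net for net in resolve(dst_name)))

def crypto_map_entry_for(src, dst):
    """Return (seq, peer) of the first crypto map entry whose ACL permits src->dst.

    Entries are tried in ascending sequence and the first match wins, so a broad
    ACE on a low sequence number can steal traffic meant for a later peer.
    None means the flow is not interesting traffic for any tunnel.
    """
    src, dst = ip_address(src), ip_address(dst)
    for seq, acl, peer in CRYPTO_MAP:
        if any(ace_matches(ace, src, dst) for ace in CRYPTO_ACLS[acl]):
            return seq, peer
    return None
```

For 10.0.0.8 -> 192.168.0.6, the flow from the first packet-tracer run, it returns (2, 'X.X.X.40'), so the crypto ACL itself does select the failing peer. The ASA compares the crypto ACL against post-NAT addresses, so the syslog flow that was translated to x.x.x.135 would no longer match the 10.0.0.0/8 ACE unless an identity NAT rule for it took precedence.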