11-17-2011 09:00 AM
Hi. I'm creating a VPN site-to-site tunnel between two locations (one under my control, the other controlled by a business partner). On my side I have an ASA 5510, version 8.2(3).
I have entered the configuration through the CLI, and when I wanted to test the configuration with packet tracer (because the other side isn't configured yet) it says the following:
Drop-reason: (acl-drop) Flow is denied by configured rule
I think I got everything right, but no matter what I do I cannot get a pass through packet tracer. It seems that an ACL is dropping the traffic, at least that is my interpretation. The trouble is I don't think that is correct, as on my inside interface all traffic is allowed.
My VPN config is as follows (relevant info only):
access-list crypto_ACL extended permit ip x.x.x.x 255.254.0.0 y.y.y.y 255.255.255.0
access-list inside_nat0_outbound extended permit ip x.x.x.x 255.254.0.0 y.y.y.y 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto isakmp policy 70
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto map VPN 120 match address crypto_ACL
crypto map VPN 120 set pfs group5
crypto map VPN 120 set peer x.x.x.x
crypto map VPN 120 set transform-set X_transform
crypto ipsec transform-set X_transform esp-aes esp-sha-hmac
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *********
Any help on this would be most welcome.
11-17-2011 11:02 AM
Hi Igor,
Two things in relation to the VPN config:
1. Have you enabled isakmp on outside interface?
2. You need to apply crypto map 'VPN' to outside interface.
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_site2site.html
If all are in place and you still see the ACL deny, then it may relate to a different IP source.
hth
MS
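The two prerequisites named in this reply (ISAKMP enabled on the outside interface, crypto map applied to it) plus the tunnel-group, transform-set and NAT-exemption wiring from the original post can be checked mechanically. The following is an added example, not code from this thread or from Cisco: a small audit over a running-config text, with a constructed sample config that uses RFC 5737 addresses in place of the poster's x.x.x.x / y.y.y.y.

```python
import re
from typing import List

# Constructed sample: the poster's fragment plus the two lines the reply asks about.
SAMPLE_CONFIG = """
access-list crypto_ACL extended permit ip 10.0.0.0 255.254.0.0 192.0.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.254.0.0 192.0.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map VPN 120 match address crypto_ACL
crypto map VPN 120 set peer 203.0.113.5
crypto map VPN 120 set transform-set X_transform
crypto ipsec transform-set X_transform esp-aes esp-sha-hmac
crypto map VPN interface outside
crypto isakmp enable outside
tunnel-group 203.0.113.5 type ipsec-l2l
"""

def audit_l2l(config: str, cmap: str, iface: str, nat0_acl: str) -> List[str]:
    """Return findings for the L2L wiring of crypto map `cmap`; [] means every check passed."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    if f"crypto isakmp enable {iface}" not in lines:
        findings.append(f"isakmp not enabled on {iface}")
    if f"crypto map {cmap} interface {iface}" not in lines:
        findings.append(f"crypto map {cmap} not applied to {iface}")
    # Per-sequence settings of the map: {seq: {"match address": acl, "set peer": ip, ...}}
    entries = {}
    for ln in lines:
        m = re.match(rf"crypto map {re.escape(cmap)} (\d+) (match address|set peer|set transform-set) (\S+)$", ln)
        if m:
            entries.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    if not entries:
        findings.append(f"crypto map {cmap} has no entries")
    def acl_aces(name):  # ACE bodies (text after 'permit ip') of a named extended ACL
        return {ln.split("permit ip ", 1)[1] for ln in lines
                if ln.startswith(f"access-list {name} ") and "permit ip " in ln}
    nat0 = acl_aces(nat0_acl)
    for seq, e in entries.items():
        acl = e.get("match address")
        if not acl or not acl_aces(acl):
            findings.append(f"seq {seq}: match-address ACL missing or empty")
        else:  # every interesting-traffic ACE should also be exempted from NAT (nat 0)
            for ace in acl_aces(acl) - nat0:
                findings.append(f"seq {seq}: '{ace}' not exempted in {nat0_acl}")
        peer = e.get("set peer")
        if not peer or f"tunnel-group {peer} type ipsec-l2l" not in lines:
            findings.append(f"seq {seq}: no ipsec-l2l tunnel-group for peer {peer}")
        ts = e.get("set transform-set")
        if not ts or not any(ln.startswith(f"crypto ipsec transform-set {ts} ") for ln in lines):
            findings.append(f"seq {seq}: transform-set {ts} undefined")
    return findings
```

Feed it `show running-config` output and the map/interface names in use; an empty list means the basic wiring is present, and anything left over points at the other side or at the source address used in packet-tracer.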
11-17-2011 11:15 AM
The crypto map is applied to the outside interface and isakmp is enabled on the outside interface. Other VPN tunnels are working all right.
11-17-2011 01:03 PM
Then I would configure the other end and see if there is any issue in passing the traffic across the tunnel.
Thx
MS
11-22-2011 02:09 AM
The network administrator for the other side of the VPN tunnel contacted me and it seems that the problem is on the other side.
Thanks for your help.