07-03-2008 09:57 AM - edited 03-11-2019 06:09 AM
Hello all,
My PIX 515-E (7.2) blocks IP addresses assigned to Remote VPN users. It seems that the blocked IP addresses are chosen randomly and they accumulate over time. I didn't pay attention to it until the number of blocked IP addresses became significant. The only way to figure out which IP address is blocked is to run packet-tracer.
For example:
10.100.0.100 -- internal address,
10.100.5.167 -- address assigned to a Remote VPN client from the 10.100.5/24 pool:
PIX# packet-tracer input inside icmp 10.100.0.100 8 0 10.100.5.167 detail
[...]
Phase: 9
Type: ACCESS-LIST
Subtype: ipsec-user
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2b29390, priority=69, domain=ipsec-user, deny=true
hits=210, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=10.100.5.167, mask=255.255.255.255, port=0
[...]
There are also related messages in the logs when packets are blocked by the ACL.
%PIX-3-106014: Deny inbound icmp src inside:10.100.0.100 dst outside:10.100.5.167 (type 8, code 0)
At the same time, IP address 10.100.5.166 is not blocked, and the ACL above is not even mentioned in the packet-tracer output. I have about 30 addresses blocked from a 255-address pool.
It seems that some hidden dynamic ACL blocks the address. Can anybody explain why this is happening? Is there a way to show such dynamic ACLs, or reset them?
Thank you,
--fedya
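As an added example that is not part of the thread (neither fedya's nor Cisco's code): the script below works only on text the PIX already produces, the %PIX-3-106014 syslog lines and the `packet-tracer ... detail` output quoted above. It tallies which pool addresses show up as denied destinations in syslog, checks a single packet-tracer run for a DROP in the `ipsec-user` domain and pulls the rule's `dst ip=` out of it, and generates the per-host packet-tracer commands needed to sweep a whole pool. The sample syslog lines and the packet-tracer excerpt are constructed to match the formats shown in the post; the pool 10.100.5.0/24 and the source 10.100.0.100 are taken from the post; `sweep_commands` is a hypothetical helper, not a PIX feature.

```python
"""Find which remote-access VPN pool addresses the PIX is denying.

Added example, not from the thread. It works on two things the PIX already
produces: %PIX-3-106014 syslog lines and "packet-tracer ... detail" output.
All sample input below is constructed to match the format shown in the post.
"""
import ipaddress
import re
from collections import Counter

# Constructed syslog sample: two denies for .167, one for .23, one deny for an
# address outside the pool, and one unrelated message that must be ignored.
SAMPLE_SYSLOG = """\
%PIX-3-106014: Deny inbound icmp src inside:10.100.0.100 dst outside:10.100.5.167 (type 8, code 0)
%PIX-3-106014: Deny inbound icmp src inside:10.100.0.100 dst outside:10.100.5.167 (type 8, code 0)
%PIX-3-106014: Deny inbound icmp src inside:10.100.0.101 dst outside:10.100.5.23 (type 8, code 0)
%PIX-3-106014: Deny inbound icmp src inside:10.100.0.100 dst outside:192.0.2.9 (type 8, code 0)
%PIX-6-302020: Built outbound ICMP connection for faddr 10.100.5.166/0 gaddr 10.100.0.100/0 laddr 10.100.0.100/0
"""

# Constructed packet-tracer excerpt: one passing phase, the ipsec-user deny
# phase as quoted in the post, then the trailing summary block.
SAMPLE_TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 9
Type: ACCESS-LIST
Subtype: ipsec-user
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
 out id=0x2b29390, priority=69, domain=ipsec-user, deny=true
        hits=210, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.100.5.167, mask=255.255.255.255, port=0

Result:
input-interface: inside
output-interface: outside
Action: drop
"""

DENY_RE = re.compile(
    r"%PIX-3-106014: Deny inbound (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src>[\d.]+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)"
)
# [ \t]* rather than \s* so an empty "Subtype:" cannot swallow the next line.
FIELD_RE = re.compile(r"^(Type|Subtype|Result):[ \t]*(.*)$", re.M)
PHASE_SPLIT_RE = re.compile(r"^Phase:[ \t]*\d+[ \t]*$", re.M)


def denied_pool_addresses(syslog_text, pool):
    """Count 106014 denies per destination that falls inside the VPN pool.

    The syslog already names the blocked address, so this turns a pile of
    messages into the list of pool hosts worth checking with packet-tracer.
    """
    net = ipaddress.ip_network(pool)
    hits = Counter()
    for line in syslog_text.splitlines():
        m = DENY_RE.search(line)
        if m and ipaddress.ip_address(m.group("dst")) in net:
            hits[m.group("dst")] += 1
    return hits


def ipsec_user_drop(trace_text):
    """Return the deny rule from one packet-tracer run, or None if no phase in
    the ipsec-user domain dropped the packet.

    The output is split on "Phase: N" headers; within a phase only the first
    Type / Subtype / Result lines count, so the trailing "Result:" summary
    block cannot overwrite the phase's own verdict.
    """
    for block in PHASE_SPLIT_RE.split(trace_text):
        fields = {}
        for key, value in FIELD_RE.findall(block):
            fields.setdefault(key, value.strip())
        if fields.get("Subtype") == "ipsec-user" and fields.get("Result") == "DROP":
            rule = re.search(r"^\s*(?:in|out) id=.*$", block, re.M)
            dst = re.search(r"dst ip=([\d.]+)", block)
            return {
                "rule": rule.group(0).strip() if rule else None,
                "dst": dst.group(1) if dst else None,
            }
    return None


def sweep_commands(src, pool):
    """Hypothetical helper: one packet-tracer command per pool host, for the
    case the post describes where tracing each address is the only check."""
    return [f"packet-tracer input inside icmp {src} 8 0 {host} detail"
            for host in ipaddress.ip_network(pool).hosts()]


if __name__ == "__main__":
    for addr, n in sorted(denied_pool_addresses(SAMPLE_SYSLOG, "10.100.5.0/24").items()):
        print(f"{addr}: {n} denies")
    print(ipsec_user_drop(SAMPLE_TRACE))
```

Feed `denied_pool_addresses` a real syslog export to get the set of pool hosts that have been hit, then run the generated packet-tracer commands only for hosts that did not appear, since an address with no traffic toward it will not have logged a deny yet.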
07-03-2008 10:39 AM
hi, fedya
show the configuration.
07-03-2008 12:05 PM
07-03-2008 12:58 PM
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
07-07-2008 05:36 AM
These lines look pretty normal to me. This is where the dynamic crypto map gets attached to the crypto map with the lowest priority, and then the crypto map is attached to the outside interface. Or am I missing something?