Pix to ASA VPN Issue

Unanswered Question
Jun 11th, 2009

I am having trouble after switching from a PIX to a new ASA. I used the migration utility and about half the VPNs are working on the ASA and half get an error like


(acl-drop) Flow is denied by configured rule


when I do a packet-tracer command to try to simulate traffic for the VPN.


New ASA is 5510 running 8.04

srue Thu, 06/11/2009 - 10:28

Can you post the relevant portions of your config, both from the PIX and the ASA?

bschear Thu, 06/11/2009 - 12:07
I have more details on what I am finding now. I have some VPN tunnels that NAT an external to an internal address and some that don't. The ones that NAT the internal address to an external one for their tunnels are working, while the ones that don't aren't. Here are the relevant portions of the config on the ASA.


access-list 115 extended permit ip host 192.168.1.7 host 172.17.31.218
access-list 115 extended permit ip host 192.168.1.7 host 172.17.31.212

access-list 40 extended permit ip host 192.168.1.7 host 10.48.239.199
access-list 40 extended permit ip host 192.168.1.7 host 10.48.239.75
access-list 40 extended permit ip host 192.168.1.7 host 10.48.239.56

access-list 101 extended permit ip host 192.168.12.5 host 10.105.130.165
access-list 101 extended permit ip host 192.168.12.5 host 172.31.88.86

global (outside) 1 interface
nat (inside) 0 access-list 115
nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) 192.168.12.5 192.168.1.7 netmask 255.255.255.255

crypto map toCovenant 30 match address 101
crypto map toCovenant 30 set peer 199.250.65.102
crypto map toCovenant 30 set transform-set covset

crypto map toCovenant 40 match address 40
crypto map toCovenant 40 set peer 12.39.198.46
crypto map toCovenant 40 set transform-set labcorpset


The PIX config is the same in these areas.
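The question this config raises is whether each crypto ACL is written with the address the packet will carry after NAT. On PIX 7.x / ASA before 8.3 the NAT order is: NAT exemption (nat 0 access-list) first, then static, then policy NAT, then regular nat/global; the crypto map is checked against the translated source. The script below is an added example (not from this thread or from Cisco) that parses the posted fragment and flags crypto ACEs whose source will have been rewritten before the encrypt check. It only understands host-to-host ACEs, host statics and the four statement types shown; the function names are mine, and the config text is constructed from the 12:07 post.

```python
import re
from collections import defaultdict

# Constructed sample: the ASA fragment posted in the thread (pre-8.3 syntax).
CONFIG = """
access-list 115 extended permit ip host 192.168.1.7 host 172.17.31.218
access-list 115 extended permit ip host 192.168.1.7 host 172.17.31.212
access-list 40 extended permit ip host 192.168.1.7 host 10.48.239.199
access-list 40 extended permit ip host 192.168.1.7 host 10.48.239.75
access-list 40 extended permit ip host 192.168.1.7 host 10.48.239.56
access-list 101 extended permit ip host 192.168.12.5 host 10.105.130.165
access-list 101 extended permit ip host 192.168.12.5 host 172.31.88.86
global (outside) 1 interface
nat (inside) 0 access-list 115
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 192.168.12.5 192.168.1.7 netmask 255.255.255.255
crypto map toCovenant 30 match address 101
crypto map toCovenant 30 set peer 199.250.65.102
crypto map toCovenant 30 set transform-set covset
crypto map toCovenant 40 match address 40
crypto map toCovenant 40 set peer 12.39.198.46
crypto map toCovenant 40 set transform-set labcorpset
"""

# Only the statement shapes that appear in the posted fragment are parsed.
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip host (\S+) host (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")


def parse_config(text):
    """Return (acls, exempt_acls, statics, crypto_bindings) from a config fragment."""
    acls = defaultdict(list)   # ACL name -> [(src, dst), ...]
    exempt = set()             # ACL names bound with 'nat (ifc) 0 access-list'
    statics = {}               # real address -> mapped address (host statics only)
    crypto = []                # (map name, seq, ACL name)
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            acls[m.group(1)].append((m.group(2), m.group(3)))
        elif m := NAT0_RE.match(line):
            exempt.add(m.group(2))
        elif m := STATIC_RE.match(line):
            if m.group(5) == "255.255.255.255":
                statics[m.group(4)] = m.group(3)   # static (in,out) MAPPED REAL
        elif m := CRYPTO_RE.match(line):
            crypto.append((m.group(1), int(m.group(2)), m.group(3)))
    return acls, exempt, statics, crypto


def check_crypto_acls(text):
    """List (map, seq, acl, src, dst, reason) for crypto ACEs that cannot match post-NAT.

    Assumed NAT order (pre-8.3): nat 0 access-list exemption, then static,
    then dynamic nat/global. The crypto map sees the translated source.
    """
    acls, exempt, statics, crypto = parse_config(text)
    exempted = {pair for name in exempt for pair in acls[name]}
    mapped = set(statics.values())
    problems = []
    for cmap, seq, acl in crypto:
        for src, dst in acls.get(acl, []):
            if (src, dst) in exempted:
                continue                 # exemption wins: real address survives
            if src in mapped:
                continue                 # ACE already uses the mapped address
            if src in statics:
                reason = f"static rewrites {src} to {statics[src]} before the encrypt check"
            else:
                reason = "dynamic nat/global will PAT the source to the outside interface"
            problems.append((cmap, seq, acl, src, dst, reason))
    return problems


if __name__ == "__main__":
    for cmap, seq, acl, src, dst, reason in check_crypto_acls(CONFIG):
        print(f"crypto map {cmap} {seq} (acl {acl}): {src} -> {dst}: {reason}")
```

On the posted fragment this reports every entry of access-list 40: 192.168.1.7 is the real side of the static to 192.168.12.5 and is only exempted (ACL 115) for the 172.17.31.x destinations, so for 10.48.239.x it is translated before the crypto map is consulted. The entries of access-list 101 pass because 192.168.12.5 is the mapped address. To confirm on the box rather than in a script, run `packet-tracer input inside tcp 192.168.1.7 1024 10.48.239.199 80` and read the NAT phase that precedes the VPN/encrypt phase.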

bschear Thu, 06/11/2009 - 13:30
I found something that might be causing it. I see in the deny that it is denying 192.168.12.5 to there, which makes sense because these are the ones that aren't using NAT, and 192.168.1.7 should be bypassing NAT based on the config I sent earlier. Any ideas why it isn't working?



Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd5b24d68, priority=70, domain=encrypt, deny=false
hits=1, user_data=0x0, cs_id=0xd5864cf8, reverse, flags=0x0, protocol=0
src ip=192.168.12.5, mask=255.255.255.255, port=0
dst ip=10.105.130.165, mask=255.255.255.255, port=0, dscp=0x0

