06-11-2009 09:27 AM
I am having trouble after switching from a PIX to a new ASA. I used the migration utility and about half the VPNs are working on the ASA and half get an error like
(acl-drop) Flow is denied by configured rule
when I do a packet-tracer command to try to simulate traffic for the VPN.
New ASA is 5510 running 8.04
06-11-2009 10:28 AM
Can you post the relevant portions of your config, both from the PIX and the ASA?
06-11-2009 12:07 PM
I have more details on what I am finding now. I have some VPN tunnels that NAT an internal address to an external one and some that don't. The ones that NAT the internal address to an external one for their tunnels are working, while the ones that don't aren't. Here are the relevant portions of the config on the ASA.
access-list 115 extended permit ip host 192.168.1.7 host 172.17.31.218
access-list 115 extended permit ip host 192.168.1.7 host 172.17.31.212
access-list 40 extended permit ip host 192.168.1.7 host 10.48.239.199
access-list 40 extended permit ip host 192.168.1.7 host 10.48.239.75
access-list 40 extended permit ip host 192.168.1.7 host 10.48.239.56
access-list 101 extended permit ip host 192.168.12.5 host 10.105.130.165
access-list 101 extended permit ip host 192.168.12.5 host 172.31.88.86
global (outside) 1 interface
nat (inside) 0 access-list 115
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 192.168.12.5 192.168.1.7 netmask 255.255.255.255
crypto map toCovenant 30 match address 101
crypto map toCovenant 30 set peer 199.250.65.102
crypto map toCovenant 30 set transform-set covset
crypto map toCovenant 40 match address 40
crypto map toCovenant 40 set peer 12.39.198.46
crypto map toCovenant 40 set transform-set labcorpset
The PIX config is the same in these areas.
06-11-2009 12:45 PM
06-11-2009 01:30 PM
I found something that might be causing it. I see in the denied output that it is denying 192.168.12.5 to there, which makes sense because these are the ones that aren't using NAT, and 192.168.1.7 should be bypassing NAT based on the config I sent earlier. Any ideas why it isn't working?
Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd5b24d68, priority=70, domain=encrypt, deny=false
hits=1, user_data=0x0, cs_id=0xd5864cf8, reverse, flags=0x0, protocol=0
src ip=192.168.12.5, mask=255.255.255.255, port=0
dst ip=10.105.130.165, mask=255.255.255.255, port=0, dscp=0x0
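A small model of the pre-8.3 ASA outbound order of operations, run over the ACL and NAT lines posted above, added here as an illustration and not code from the thread or from Cisco. It assumes two well-known behaviours of that platform: NAT exemption (nat 0 access-list) is checked before static and dynamic NAT, and a crypto map's match ACL is evaluated against the post-NAT source address. The "OUTSIDE_IF" placeholder for the interface PAT address and the helper names are assumptions of this example.

```python
# Model of ASA (pre-8.3) outbound NAT + crypto-map ACL matching.
# Constructed from the config lines posted in the thread; only the
# "host A host B" ACE form is parsed because that is all the thread shows.

ASA_CONFIG = """
access-list 115 extended permit ip host 192.168.1.7 host 172.17.31.218
access-list 115 extended permit ip host 192.168.1.7 host 172.17.31.212
access-list 40 extended permit ip host 192.168.1.7 host 10.48.239.199
access-list 40 extended permit ip host 192.168.1.7 host 10.48.239.75
access-list 40 extended permit ip host 192.168.1.7 host 10.48.239.56
access-list 101 extended permit ip host 192.168.12.5 host 10.105.130.165
access-list 101 extended permit ip host 192.168.12.5 host 172.31.88.86
"""

# nat (inside) 0 access-list 115  -> NAT exemption, checked first
NAT_EXEMPT_ACL = "115"
# static (inside,outside) 192.168.12.5 192.168.1.7 -> one-to-one static
STATICS = {"192.168.1.7": "192.168.12.5"}
# nat (inside) 1 0.0.0.0 0.0.0.0 + global (outside) 1 interface -> PAT
OUTSIDE_IF = "OUTSIDE_IF"  # assumed placeholder for the outside interface IP
# crypto map toCovenant: sequence -> match address ACL
CRYPTO_MAP = [(30, "101"), (40, "40")]


def parse_acls(text):
    """Return {acl_name: [(action, src_host, dst_host), ...]}."""
    acls = {}
    for line in text.splitlines():
        p = line.split()
        # access-list NAME extended ACTION ip host SRC host DST
        if len(p) == 9 and p[0] == "access-list" and p[2] == "extended" \
                and p[5] == "host" and p[7] == "host":
            acls.setdefault(p[1], []).append((p[3], p[6], p[8]))
    return acls


def acl_permits(aces, src, dst):
    """First-match ACL evaluation; no match means the implicit deny."""
    for action, s, d in aces:
        if s == src and d == dst:
            return action == "permit"
    return False


def translate(src, dst, acls):
    """Outbound NAT order: exemption, then static, then dynamic PAT."""
    if acl_permits(acls.get(NAT_EXEMPT_ACL, []), src, dst):
        return src, "nat 0 (exempt)"
    if src in STATICS:
        return STATICS[src], "static"
    return OUTSIDE_IF, "dynamic PAT"


def classify(src, dst):
    """Translate the flow, then find the crypto map entry whose ACL
    matches the *translated* source; None means the flow leaves in clear
    (or is dropped by the rest of the policy) instead of being encrypted."""
    acls = parse_acls(ASA_CONFIG)
    xlated, how = translate(src, dst, acls)
    for seq, acl in CRYPTO_MAP:
        if acl_permits(acls.get(acl, []), xlated, dst):
            return {"translated_src": xlated, "nat": how, "crypto_seq": seq}
    return {"translated_src": xlated, "nat": how, "crypto_seq": None}


if __name__ == "__main__":
    for dst in ("10.105.130.165", "10.48.239.199", "172.17.31.218"):
        print("192.168.1.7 ->", dst, classify("192.168.1.7", dst))
```

Under these assumptions the flow to 10.105.130.165 is translated by the static to 192.168.12.5 and matches crypto ACL 101 (the working tunnel), while the flow to 10.48.239.199 is also translated to 192.168.12.5, because ACL 115 only exempts the two 172.17.31.x destinations, and then fails to match crypto ACL 40, which is written against the untranslated 192.168.1.7. Comparing the source address in a packet-tracer "domain=encrypt" line with the host in the tunnel's match ACL is the quick way to see which side of the NAT a crypto ACL is keyed on.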