Pix to ASA VPN Issue

Unanswered Question
Jun 11th, 2009

I am having trouble after switching from a PIX to a new ASA. I used the migration utility and about half the VPNs are working on the ASA and half get an error like

(acl-drop) Flow is denied by configured rule

when I do a packet-tracer command to try to simulate traffic for the VPN.

New ASA is 5510 running 8.04

srue Thu, 06/11/2009 - 10:28

Can you post the relevant portions of your config, both from the PIX and the ASA?

bschear Thu, 06/11/2009 - 12:07

I have more details on what I am finding now. I have some VPN tunnels that NAT an external to an internal address and some that don't. The ones that NAT the internal to external address for their tunnels are working, while the ones that don't aren't working. Here are the relevant portions of the config on the ASA.

access-list 115 extended permit ip host 192.168.1.7 host 172.17.31.218
access-list 115 extended permit ip host 192.168.1.7 host 172.17.31.212
access-list 40 extended permit ip host 192.168.1.7 host 10.48.239.199
access-list 40 extended permit ip host 192.168.1.7 host 10.48.239.75
access-list 40 extended permit ip host 192.168.1.7 host 10.48.239.56
access-list 101 extended permit ip host 192.168.12.5 host 10.105.130.165
access-list 101 extended permit ip host 192.168.12.5 host 172.31.88.86
global (outside) 1 interface
nat (inside) 0 access-list 115
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 192.168.12.5 192.168.1.7 netmask 255.255.255.255
crypto map toCovenant 30 match address 101
crypto map toCovenant 30 set peer 199.250.65.102
crypto map toCovenant 30 set transform-set covset
crypto map toCovenant 40 match address 40
crypto map toCovenant 40 set peer 12.39.198.46
crypto map toCovenant 40 set transform-set labcorpset

The PIX config is the same in these areas.
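As an added illustration (not from this thread or from Cisco), the script below models how a pre-8.3 ASA such as 8.0(4) evaluates outbound NAT for the posted rules in the documented order (nat 0 exemption, then static, then dynamic nat/global) and then checks the crypto-map ACLs against the translated source, which is why a host that is statically translated must appear under its translated address in the crypto ACL. The ACL and NAT entries are transcribed from the config above; the outside interface address is unknown here and is an "OUTSIDE_IF_IP" placeholder, and the host-only matcher is a simplification (the posted ACEs are all host/host).

```python
# Model of ASA 8.0 (pre-8.3) outbound NAT order and crypto-map ACL matching
# for the rules posted in this thread. Assumed ordering: exemption, static, dynamic.

# ACLs from the posted config, as (source host, destination host) pairs
ACLS = {
    "115": [("192.168.1.7", "172.17.31.218"), ("192.168.1.7", "172.17.31.212")],
    "40":  [("192.168.1.7", "10.48.239.199"), ("192.168.1.7", "10.48.239.75"),
            ("192.168.1.7", "10.48.239.56")],
    "101": [("192.168.12.5", "10.105.130.165"), ("192.168.12.5", "172.31.88.86")],
}
NAT_EXEMPT_ACL = "115"                      # nat (inside) 0 access-list 115
STATICS = {"192.168.1.7": "192.168.12.5"}   # static (inside,outside) 192.168.12.5 192.168.1.7
DYNAMIC_GLOBAL = "OUTSIDE_IF_IP"            # nat (inside) 1 0.0.0.0 0.0.0.0 -> global (outside) 1 interface (placeholder)
CRYPTO_MAP = [(30, "101"), (40, "40")]      # crypto map toCovenant <seq> match address <acl>


def acl_permits(acl, src, dst):
    """True if the named ACL has a host/host ACE permitting src -> dst."""
    return any(src == s and dst == d for s, d in ACLS[acl])


def translate(src, dst):
    """Return (translated source, rule used) following the pre-8.3 NAT order."""
    if acl_permits(NAT_EXEMPT_ACL, src, dst):
        return src, "nat 0 exemption"          # identity: address unchanged
    if src in STATICS:
        return STATICS[src], "static"          # static applies to any destination
    return DYNAMIC_GLOBAL, "dynamic nat 1"     # PAT to the outside interface


def crypto_match(xlated_src, dst):
    """Crypto ACLs are evaluated on the packet after NAT; return matching seq or None."""
    for seq, acl in CRYPTO_MAP:
        if acl_permits(acl, xlated_src, dst):
            return seq
    return None


def trace(src, dst):
    """Step one flow through NAT and the crypto map, packet-tracer style."""
    xsrc, rule = translate(src, dst)
    return {"src": src, "dst": dst, "xlated_src": xsrc,
            "nat": rule, "crypto_seq": crypto_match(xsrc, dst)}


if __name__ == "__main__":
    for flow in [("192.168.1.7", "10.105.130.165"), ("192.168.1.7", "10.48.239.199"),
                 ("192.168.1.7", "172.17.31.218")]:
        print(trace(*flow))
```

In this model only the statically translated flow toward 10.105.130.165 lands on a crypto-map entry; a flow to 10.48.239.x leaves the NAT stage with the translated source and therefore misses ACL 40, which is written for the untranslated host.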

bschear Thu, 06/11/2009 - 13:30

I found something that might be causing it. I see in the deny output that it is denying 192.168.12.5 to there, which makes sense because these are the ones that aren't using NAT, and 192.168.1.7 should be bypassing NAT based on the config I sent earlier. Any ideas why it isn't working?

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd5b24d68, priority=70, domain=encrypt, deny=false
hits=1, user_data=0x0, cs_id=0xd5864cf8, reverse, flags=0x0, protocol=0
src ip=192.168.12.5, mask=255.255.255.255, port=0
dst ip=10.105.130.165, mask=255.255.255.255, port=0, dscp=0x0
