Site to Site VPN ASA5500 to a VPN Concentrator

Unanswered Question
Mar 22nd, 2010

Good Afternoon,

I wonder if anyone could help. We are trying to get a Site to Site VPN tunnel up and running between a couple of our sites, but it appears that the traffic isn't leaving our firewall.

Doing a packet trace we get this:

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface Inside
access-list Inside_access_in extended permit ip object-group SystemsServers any
access-list Inside_access_in remark Requires Access out to obtain Software updates from HP, Observer and other apps.
object-group network SystemsServers
description: Systems and Comms server that download apps.
network-object host BRSYSTEM3
network-object host BRSYSTEM1
network-object host BRSYSTEM
network-object host KESYSTEM2
network-object host KESYSTEM1
network-object host BRInsight
network-object host BRSYSTEM2
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x5fa8e10, priority=12, domain=permit, deny=false
hits=9749, user_data=0x5fa8098, cs_id=0x0, flags=0x0, protocol=0
src ip=KESYSTEM2, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x53d6748, priority=0, domain=permit-ip-option, deny=true
hits=137989867, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x5b1ea08, priority=70, domain=encrypt, deny=false
hits=549, user_data=0x0, cs_id=0x5d42738, reverse, flags=0x0, protocol=0
src ip=KESYSTEM2, mask=255.255.255.255, port=0
dst ip=10.17.124.67, mask=255.255.255.255, port=0, dscp=0x0

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I have attached a clean copy of our running config.

Thank you in advance if you could help.

Jennifer Halim Mon, 03/22/2010 - 22:48

The crypto ACL needs to be a mirror image between the ASA and the VPN Concentrator.

Currently on the ASA you configured the following:

access-list outside_1_cryptomap extended permit ip any host 10.17.124.67
access-list outside_1_cryptomap extended permit icmp any host 10.17.124.67
access-list outside_1_cryptomap extended permit icmp host KESYSTEM2 host 10.17.124.67
access-list outside_1_cryptomap extended permit ip host KESYSTEM2 host 10.17.124.67

It is really not recommended to configure protocols other than IP in the crypto ACL, nor to use the "any" keyword.

Normally, you would configure the LAN of the ASA towards the LAN of the VPN Concentrator, and vice versa on the Concentrator.

Here is a configuration example for Site-to-Site between ASA and VPN Concentrator:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008064a06f.shtml

Hope it helps.
