Unable to Ping Hosts Through IPSec Tunnel

cfinotti22 (Level 1)

I have a home lab setup with a PIX 515 running 8.03 code.  I have made several changes over the past week and now when I terminate a VPN connection to the outside interface I am unable to hit any internal resources.  My VPN connection is coming from 10.22.254.0/24 trying to hit internal nodes at 10.22.1.0/24, see below.  When I terminate a VPN connection against the inside interface it works, so I take it I'm dealing with a NAT issue?  I don't have a clue why Phase 9 is failing :-\  Any help would be great!

-------

access-list nonat extended permit ip 10.22.254.0 255.255.255.0 10.22.1.0 255.255.255.0

nat (inside) 0 access-list nonat

-------

global (outside) 1 interface

-------

access-list split extended permit ip 10.22.1.0 255.255.255.0 10.22.254.0 255.255.255.0

-------

packet-tracer input inside tcp 10.22.1.15 1025 10.22.254.15 3389 detailed

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x2bb3450, priority=0, domain=permit-ip-option, deny=true
        hits=17005, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x304ae48, priority=12, domain=ipsec-tunnel-flow, deny=true
        hits=17005, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat (inside) 0 access-list nonat
nat-control
  match ip inside 10.22.1.0 255.255.255.0 outside 10.22.254.0 255.255.255.0
    NAT exempt
    translate_hits = 6, untranslate_hits = 5
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x2be2a00, priority=6, domain=nat-exempt, deny=false
        hits=5, user_data=0x2be2960, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=10.22.1.0, mask=255.255.255.0, port=0
        dst ip=10.22.254.0, mask=255.255.255.0, port=0

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,DMZ) 10.22.1.0 10.22.1.0 netmask 255.255.255.0
nat-control
  match ip inside 10.22.1.0 255.255.255.0 DMZ any
    static translation to 10.22.1.0
    translate_hits = 10, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x2d52800, priority=5, domain=host, deny=false
        hits=21654, user_data=0x2d51dc8, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.22.1.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
  match ip inside any outside any
    dynamic translation to pool 1 (192.168.20.20 [Interface PAT])
    translate_hits = 2909, untranslate_hits = 9
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x2d4a7d0, priority=1, domain=nat, deny=false
        hits=16973, user_data=0x2d4a730, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x3328000, priority=70, domain=encrypt, deny=false
        hits=0, user_data=0x1efa0cc, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.22.1.0, mask=255.255.255.0, port=0
        dst ip=10.0.0.0, mask=255.0.0.0, port=0

Phase: 9
Type: ACCESS-LIST
Subtype: ipsec-user
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x3329a48, priority=69, domain=ipsec-user, deny=true
        hits=37, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.0.0.0, mask=255.0.0.0, port=0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
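As an added example, not part of the original post, here is a small Python parser for `packet-tracer ... detailed` output of the shape shown above. It splits the trace into phases, returns the first phase whose Result is DROP together with the `domain=`/`priority=` of the rule line that phase matched, and picks up the closing Drop-reason. The embedded sample is a constructed, abridged copy of the trace above (phases 1, 5 and 9 plus the Result block, same values); the regexes are assumptions about the layout, so adjust them if your platform prints the rule lines differently.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$")
KV_RE = re.compile(r"^(Type|Subtype|Result):\s*(.*)$")
# Rule lines such as "out id=0x3329a48, priority=69, domain=ipsec-user, deny=true"
RULE_RE = re.compile(
    r"^(in|out)\s+id=(0x[0-9a-fA-F]+),\s*priority=(\d+),\s*domain=([\w-]+),\s*deny=(true|false)"
)
DROP_RE = re.compile(r"^Drop-reason:\s*(.*)$")


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    domain: Optional[str] = None      # rule domain, e.g. nat-exempt, encrypt, ipsec-user
    priority: Optional[int] = None
    deny: Optional[bool] = None


@dataclass
class Trace:
    phases: List[Phase] = field(default_factory=list)
    drop_reason: Optional[str] = None

    def first_drop(self) -> Optional[Phase]:
        return next((p for p in self.phases if p.result.upper() == "DROP"), None)


def parse_packet_tracer(text: str) -> Trace:
    """Parse 'packet-tracer ... detailed' output into phases plus the final Drop-reason."""
    trace = Trace()
    cur: Optional[Phase] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:
            cur = Phase(number=int(m.group(1)))
            trace.phases.append(cur)
            continue
        m = DROP_RE.match(line)
        if m:
            trace.drop_reason = m.group(1).strip()
            continue
        if line == "Result:":   # a bare "Result:" opens the closing summary block
            cur = None
            continue
        if cur is None:
            continue
        m = KV_RE.match(line)
        if m:
            setattr(cur, m.group(1).lower(), m.group(2).strip())
            continue
        m = RULE_RE.match(line)
        if m and cur.domain is None:  # the first rule line of a phase is the one that matched
            cur.priority = int(m.group(3))
            cur.domain = m.group(4)
            cur.deny = m.group(5) == "true"
    return trace


def explain(trace: Trace) -> str:
    """One-line verdict naming the dropping phase and the rule domain to investigate."""
    p = trace.first_drop()
    if p is None:
        return "no DROP phase; packet would be forwarded"
    rule = f"domain={p.domain} priority={p.priority}" if p.domain else "no rule line"
    return (f"dropped at phase {p.number} ({p.type}/{p.subtype or '-'}), "
            f"matched rule {rule}: {trace.drop_reason or 'no Drop-reason line'}")


# Constructed, abridged copy of the trace posted above (phases 1, 5, 9 and the Result block).
SAMPLE_TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Found no matching flow, creating a new flow

Phase: 5
Type: NAT-EXEMPT
Result: ALLOW
Config:
nat (inside) 0 access-list nonat
in  id=0x2be2a00, priority=6, domain=nat-exempt, deny=false

Phase: 9
Type: ACCESS-LIST
Subtype: ipsec-user
Result: DROP
out id=0x3329a48, priority=69, domain=ipsec-user, deny=true
        dst ip=10.0.0.0, mask=255.0.0.0, port=0

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

Running `explain(parse_packet_tracer(SAMPLE_TRACE))` names phase 9 and the `ipsec-user` domain. The domain is the useful part: it tells you which configuration object produced the rule, and `ipsec-user` corresponds to the per-tunnel VPN filter, which is why the first reply below asks about `vpn-filter` before anything else.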

Accepted Solution

No, the nonat ACL only requires defining traffic from the internal network to the VPN pool.  You should remove the other entries.

Remove:

access-list nonat line 8 extended permit ip 10.22.254.0 255.255.255.0 object-group DM_INLINE_NETWORK_18
access-list nonat line 8 extended permit ip 10.22.254.0 255.255.255.0 10.22.1.0 255.255.255.0

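The direction rule the accepted answer states can be checked mechanically. The following Python script is an added example and not code from this thread: given running-config text, it finds the ACL bound by `nat (<if>) 0 access-list`, walks that ACL's entries and classifies each `permit ip` entry as inside-to-pool (`ok`), pool-to-inside (`reversed`, the case the answer says to remove), `unresolved` when one side is an object-group it cannot expand, or `other`. The inside network and VPN pool are passed in (10.22.1.0/24 and 10.22.254.0/24 from this thread). The sample config is constructed from the lines posted in the thread plus the inside-to-pool entry that phase 5 of the packet-tracer shows matching.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Net = ipaddress.IPv4Network
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)\s*$")


@dataclass
class Finding:
    line: str
    verdict: str   # "ok" | "reversed" | "unresolved" | "other"
    src: str
    dst: str
    note: str


def _take_addr(tokens: List[str], i: int) -> Tuple[Optional[Net], str, int]:
    """Consume one ACE address spec (any | host A | object-group G | A MASK) at tokens[i]."""
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), "any", i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), "host " + tokens[i + 1], i + 2
    if t == "object-group":          # cannot expand without the group body
        return None, "object-group " + tokens[i + 1], i + 2
    net = ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False)
    return net, str(net), i + 2


def find_nat0_acl(config: str) -> Optional[str]:
    """Name of the ACL bound by 'nat (<if>) 0 access-list <name>', or None."""
    for line in config.splitlines():
        m = NAT0_RE.match(line.strip())
        if m:
            return m.group(2)
    return None


def check_nat_exempt(config: str, inside: Union[str, Net], vpn_pool: Union[str, Net]) -> List[Finding]:
    inside, vpn_pool = ipaddress.ip_network(inside), ipaddress.ip_network(vpn_pool)
    acl = find_nat0_acl(config)
    if acl is None:
        raise ValueError("no 'nat (<if>) 0 access-list <name>' line in config")
    findings: List[Finding] = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != "access-list" or tok[1] != acl:
            continue
        i = 2
        if tok[i] == "line":         # 'show access-list' style: access-list NAME line N ...
            i += 2
        if tok[i] == "extended":
            i += 1
        action, proto = tok[i], tok[i + 1]
        src_net, src, i = _take_addr(tok, i + 2)
        dst_net, dst, i = _take_addr(tok, i)
        if action != "permit" or proto != "ip":
            verdict, note = "other", "only 'permit ip' entries are judged"
        elif src_net is None or dst_net is None:
            verdict, note = "unresolved", "expand the object-group, then re-check direction"
        elif src_net.subnet_of(inside) and dst_net.subnet_of(vpn_pool):
            verdict, note = "ok", "inside -> VPN pool, the direction nat (inside) 0 expects"
        elif src_net.subnet_of(vpn_pool) and dst_net.subnet_of(inside):
            verdict, note = "reversed", "VPN pool -> inside; the source of a nat (inside) 0 ACE must be the inside network"
        else:
            verdict, note = "other", "does not pair the inside network with the VPN pool"
        findings.append(Finding(line.strip(), verdict, src, dst, note))
    return findings


# Constructed from the lines posted in this thread, plus the inside-to-pool ACE that
# phase 5 of the packet-tracer shows matching.
SAMPLE_CONFIG = """\
access-list nonat extended permit ip 10.22.1.0 255.255.255.0 10.22.254.0 255.255.255.0
access-list nonat extended permit ip 10.22.254.0 255.255.255.0 object-group DM_INLINE_NETWORK_18
access-list nonat extended permit ip 10.22.254.0 255.255.255.0 10.22.1.0 255.255.255.0
access-list split extended permit ip 10.22.1.0 255.255.255.0 10.22.254.0 255.255.255.0
nat (inside) 0 access-list nonat
"""

if __name__ == "__main__":
    for f in check_nat_exempt(SAMPLE_CONFIG, "10.22.1.0/24", "10.22.254.0/24"):
        print(f"{f.verdict:10} {f.src} -> {f.dst}: {f.note}")
```

On the sample the three nonat entries come back `ok`, `unresolved`, `reversed`; the `split` ACL is ignored because it is not the one bound to `nat (inside) 0`. The object-group case is deliberately left `unresolved` rather than guessed: an inline group can contain anything, so expand it from `show run object-group` before deciding whether that entry is also reversed.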

29 Replies

rahgovin (Level 4)

Could you check the vpn-filter for the tunnel? It would be within your group-policy, as the command vpn-filter value. If it is present, remove it with the command vpn-filter none.

For more info on vpn-filter:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

I did not configure a VPN filter for this group-policy; see below.

group-policy vpnclient internal
group-policy vpnclient attributes
dns-server value 4.2.2.2
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split

I am receiving the following error when I ping into the tunnel; is this not a NAT issue?
3  Jul 27 2010    05:36:54    106014    Deny inbound icmp src outside:10.22.254.51 dst inside:10.22.1.15 (type 8, code 0)

It's very strange...  If I do a continuous ping to the IP, it will eventually start responding after 10 minutes or so.

------------
c:\>ping 10.22.1.15 /t

Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 10.22.1.15: bytes=32 time=25ms TTL=127
Reply from 10.22.1.15: bytes=32 time=26ms TTL=127
Reply from 10.22.1.15: bytes=32 time=26ms TTL=127
Reply from 10.22.1.15: bytes=32 time=25ms TTL=127
Reply from 10.22.1.15: bytes=32 time=25ms TTL=127
Reply from 10.22.1.15: bytes=32 time=61ms TTL=127
Reply from 10.22.1.15: bytes=32 time=52ms TTL=127
Reply from 10.22.1.15: bytes=32 time=98ms TTL=127

------------
Deny when telnetting to a port:

c:\>telnet 10.22.1.15 3389
Connecting To 10.22.1.15...

------------

2 Jul 27 2010 05:59:15    106001    10.22.254.51    3083    10.22.1.15    3389    Inbound TCP connection denied from 10.22.254.51/3083 to 10.22.1.15/3389 flags SYN  on interface outside

------------
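Added example, not from this thread: a parser for the two PIX/ASA syslog messages the post above shows, 106014 (denied inbound ICMP) and 106001 (denied inbound TCP connection), in the ASDM-style column layout as pasted (severity, date, time, message ID, then the message text). It extracts protocol, addresses, ports and the interface the packet arrived on, then counts denies per (ingress interface, source, destination). The two deny lines are copies of the ones posted above; the third sample line and the column layout are assumptions about the export format, and the regexes are mine.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ASDM-style log export as pasted in this thread: severity, date, time, message ID, text.
# The column layout is an assumption about that export; raw syslog needs a different header.
HEADER_RE = re.compile(
    r"^(?P<sev>\d)\s+(?P<date>[A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})"
    r"\s+(?P<msg_id>\d{6})\s+(?P<rest>.*)$"
)
# 106001: Inbound TCP connection denied from A/p to B/q flags F on interface IF
M106001 = re.compile(
    r"Inbound (?P<proto>\w+) connection denied from (?P<src>\S+)/(?P<sport>\d+) "
    r"to (?P<dst>\S+)/(?P<dport>\d+) flags (?P<flags>.*?)\s+on interface (?P<in_if>\S+)"
)
# 106014: Deny inbound icmp src IF:A dst IF:B (type t, code c)
M106014 = re.compile(
    r"Deny inbound (?P<proto>\w+) src (?P<src_if>\S+):(?P<src>\S+) dst (?P<dst_if>\S+):(?P<dst>\S+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\)"
)


@dataclass
class Deny:
    msg_id: str
    timestamp: str
    proto: str
    in_if: str                # interface the denied packet arrived on
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]
    dst_if: Optional[str]     # 106014 names it; 106001 does not
    detail: str


def parse_line(line: str) -> Optional[Deny]:
    """Return a Deny for a 106001/106014 line, None for anything else."""
    h = HEADER_RE.match(line.strip())
    if not h:
        return None
    ts, rest, msg_id = f"{h['date']} {h['time']}", h["rest"], h["msg_id"]
    if msg_id == "106001":
        m = M106001.search(rest)
        if m:
            return Deny(msg_id, ts, m["proto"].lower(), m["in_if"], m["src"], m["dst"],
                        int(m["sport"]), int(m["dport"]), None, f"flags {m['flags']}")
    elif msg_id == "106014":
        m = M106014.search(rest)
        if m:
            return Deny(msg_id, ts, m["proto"].lower(), m["src_if"], m["src"], m["dst"],
                        None, None, m["dst_if"], f"type {m['type']} code {m['code']}")
    return None


def parse_log(text: str) -> List[Deny]:
    return [d for d in (parse_line(ln) for ln in text.splitlines()) if d is not None]


def denies_by_flow(records: List[Deny]) -> Dict[Tuple[str, str, str], int]:
    """Count denies per (ingress interface, source IP, destination IP)."""
    return dict(Counter((d.in_if, d.src, d.dst) for d in records))


# The two deny lines are copies of those posted above; the 302015 line is constructed
# only to show that non-deny messages are skipped.
SAMPLE_LOG = """\
3  Jul 27 2010    05:36:54    106014    Deny inbound icmp src outside:10.22.254.51 dst inside:10.22.1.15 (type 8, code 0)
6  Jul 27 2010    05:36:55    302015    Built outbound UDP connection 4711 for outside:4.2.2.2/53 (4.2.2.2/53) to inside:10.22.1.15/1030 (192.168.20.20/1030)
2 Jul 27 2010 05:59:15    106001    10.22.254.51    3083    10.22.1.15    3389    Inbound TCP connection denied from 10.22.254.51/3083 to 10.22.1.15/3389 flags SYN  on interface outside
"""
```

`denies_by_flow(parse_log(SAMPLE_LOG))` collapses both denies into a single key, `("outside", "10.22.254.51", "10.22.1.15")`: the decrypted VPN packets are being treated as ordinary inbound traffic arriving on outside, which is what the later `sysopt connection permit-vpn` suggestion is aimed at. Grouping this way over a longer log quickly separates a tunnel-wide problem from a single misbehaving host.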

Can you attach your entire config, if it's not a problem? You can mask the public IPs.

Thanks for the quick responses!!

Sorry it took so long; I had to scrub the config and make a few changes.

Can you post the "show run all group-policy" output?

can you run the following command and post the output of:

show run all | grep sysopt

Thanks.

Nothing displays.

# show run all | grep sysopt
#

The complete config is listed above.

Try configuring ICMP inspection...

policy-map global_policy
class inspection_default
  inspect icmp

It is not an inspection rule.  I can't hit any resources on the inside once I terminate my IPSec connection.

c:\>telnet 10.22.1.15 3389
Connecting To 10.22.1.15...

2    Jul 27 2010    12:13:52    106001    10.22.254.51    2936    10.22.1.15    3389    Inbound TCP connection denied from 10.22.254.51/2936 to 10.22.1.15/3389 flags SYN  on interface outside

I added your policy commands and they did not fix the issue.

It looks like at phase 9 your traffic is blocked by an ACL.  Your VPN traffic should not be subjected to ACLs.  This command may help you here:

sysopt connection permit-vpn

Here's more on the command:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1412217

Good luck.

I enabled the command and I'm still being denied.

#sh run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt connection permit-vpn
no sysopt connection reclassify-vpn

Can you disable nat-control?

#no nat-control

Same issue..