Site-to-Site VPN, pings being blocked by NAT/firewall?

ZoCaAdmin
Level 1

Perhaps one of you can help me with the following challenge.

I'm setting up a site-to-site VPN; the router at SiteB says 'connected', but I cannot connect PCs from SiteB to SiteA or vice versa.

Both sites have a cable modem in bridge/transparent mode and a switch between the router and the PCs.

Like so:

PC-A > SF200-48 Switch > 5525-x ASA 9.1 Routers > Cable modem > INTERNET > Cable modem > RV130W > Cisco 3550 switch > PC-B

I've configured a site-to-site VPN on SiteA (ASA) with the setup wizard in the ASDM GUI tool, following the official video walk-through: https://supportforums.cisco.com/videos/5933.
(With 'Exempt ASA side host/network from address translation' enabled at the last step, because I don't want my NAT to block my VPN access.)
SiteA uses the 172.16.x.x range for the VLAN's.
SiteA has multiple VLAN's configured, while SiteB has not.
SiteA has a long list of NAT-rules and access-rules for remote access and some servers. (Already configured before starting with the VPN.)

The RV130W at SiteB has no console access; I've configured a VPN to connect to SiteA via the somewhat limited web interface.
SiteB has the IP range 192.168.1.x.
After a while it said 'connected'. When I tried to ping a LAN IP address of a server at SiteA, I got no response.
I've also tried pinging from SiteA to LAN IPs at SiteB, with no success.

[Image: SiteB connected]

In the ASA with ASDM, I've added a 'permit icmp from any to any' rule. But still no pings from the internal LAN at SiteA to B.
When I ping from 172.16.6.4 (SiteA) to 192.168.1.1 (The router at SiteB, INSIDE interface), I get:
"Reply from 192.168.1.1: Destination host unreachable." But most pings still time out with no reply at all. (So the router says that it cannot talk...?)

[Image: VPN connection profile]

[Image: ASDM dashboard]

[Image: allow icmp any-any]

My ultimate goal is to connect the PC's at SiteB to the domain controller at SiteA.
And be able to remotely manage the SiteB network/pc's from SiteA. (Like with GPO's, wake on LAN, etc)
People working at SiteB need to be able to reach some internal webservers located at SiteA.

When this is working, I'm going to do the same to connect SiteC, which has a Cisco 870 ADSL modem/router.
I took a look at VTI (https://supportforums.cisco.com/blog/149426/advantages-vti-configuration-ipsec-tunnels), but I don't think the RV130W supports this.

Oh yeah, each site has its own VOIP running. I suppose that won't be a problem?

17 Replies

Marvin Rhoads
Hall of Fame

The permit icmp any any acl should not be necessary as the cryptomap acl governs behavior in the case of a site-site VPN.

I'd recommend you check the ASA's VPN configuration with packet-tracer and use something other than the inside interface of the remote router. Also check the Phase 1 and Phase 2 are as expected from the ASA.

Please share the output of the following to confirm the above checks:

packet-tracer input inside icmp 172.16.6.4 0 0 192.168.1.x
show crypto isakmp sa
show crypto ipsec sa

Thanks Marvin,

The packet-trace:

ASA-01-RO-PRI# packet-tracer input inside icmp 172.16.6.4 0 0 192.168.1.101

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 OUTSIDE

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static NETWORK_OBJ_172.16.6.0_24 NETWORK_OBJ_172.16.6.0_24 destination static SiteB-Inside SiteB-Inside no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface OUTSIDE
Untranslate 192.168.1.101/0 to 192.168.1.101/0

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ASA-01-RO-PRI#

The crypto output:

ASA-01-RO-PRI# show crypto isakmp sa

IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 217.100.X.X
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE

There are no IKEv2 SAs
ASA-01-RO-PRI# show crypto ipsec sa
interface: OUTSIDE
Crypto map tag: OUTSIDE_map, seq num: 1, local addr: 95.97.x.x

access-list OUTSIDE_cryptomap extended permit ip 172.16.15.0 255.255.255.128 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.15.0/255.255.255.128/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 217.100.x.x

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 95.97.x.x/0, remote crypto endpt.: 217.100.x.x/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: B8DB9AB5
current inbound spi : 65B4A5BB

inbound esp sas:
spi: 0x65B4A5BB (1706337723)
transform: esp-aes-192 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 5787648, crypto-map: OUTSIDE_map
sa timing: remaining key lifetime (sec): 27932
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xB8DB9AB5 (3101399733)
transform: esp-aes-192 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 5787648, crypto-map: OUTSIDE_map
sa timing: remaining key lifetime (sec): 27930
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

ASA-01-RO-PRI#

I've left the IKE policies at the default settings.

SiteA: both IKEv1 and IKEv2

SiteB: Exchange mode 'main'

I suppose I have to change some setting at SiteB, but i'm not sure which.

But why does the GUI say "connected", when the packet-trace Phase 4 is blocked?
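An added example, not from the thread or from Cisco: a small Python parser for the packet-tracer output above that reports which phase dropped the packet and whether any VPN phase appeared at all (a flow that matches the crypto ACL normally produces a phase of Type VPN). The first trace Barry posted is embedded as a constructed sample, with the detail lines left out.

```python
import re

# Constructed sample: the first packet-tracer output posted in the thread,
# with the summary trimmed to the lines the parser needs.
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 OUTSIDE
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static NETWORK_OBJ_172.16.6.0_24 NETWORK_OBJ_172.16.6.0_24 destination static SiteB-Inside SiteB-Inside no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface OUTSIDE
Untranslate 192.168.1.101/0 to 192.168.1.101/0
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: INSIDE
output-interface: OUTSIDE
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Split packet-tracer output into per-phase dicts plus the final summary.
    Inside a phase 'Result: ALLOW|DROP' carries a verdict; the bare 'Result:'
    line with nothing after it opens the summary block, which is how the two
    are told apart."""
    phases, summary, cur, in_summary = [], {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^Phase:\s*(\d+)$", line)
        if m:
            cur = {"phase": int(m.group(1)), "lines": []}
            phases.append(cur)
            continue
        if line == "Result:":
            in_summary, cur = True, None
            continue
        if in_summary:
            key, _, val = line.partition(":")
            summary[key.strip()] = val.strip()
        elif cur is not None:
            cur["lines"].append(line)
    for p in phases:
        for l in p["lines"]:
            k, sep, v = l.partition(":")
            if sep and k in ("Type", "Subtype", "Result"):
                p[k.lower()] = v.strip()
        # Lines between 'Config:' and 'Additional Information:' are the rule
        # the phase matched (a NAT statement, an ACL, or 'Implicit Rule').
        ls = p["lines"]
        p["config"] = (ls[ls.index("Config:") + 1:ls.index("Additional Information:")]
                       if "Config:" in ls and "Additional Information:" in ls else [])
    return phases, summary


def diagnose(text):
    """Return the first dropping phase (number, type, matched config), the
    summary drop reason, and whether a VPN phase was seen at all."""
    phases, summary = parse_packet_tracer(text)
    drop = next(((p["phase"], p.get("type"), p["config"]) for p in phases
                 if p.get("result") == "DROP"), None)
    return {"drop": drop,
            "drop_reason": summary.get("Drop-reason", ""),
            "vpn_phase_seen": any(p.get("type") == "VPN" for p in phases)}
```

On the sample this reports phase 4 (ACCESS-LIST, Implicit Rule) as the drop and no VPN phase, i.e. the packet never matched the crypto map, which is the NAT/ACL mismatch the later replies track down.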

Could you re-run packet-tracer with the added detail at the end?

Also when pinging from Site B,

In your ASA, does capture say anything more specific?

cap ASP type asp-drop all
show cap ASP | include 172.16.15

To clear cap:

clear cap ASP

//Cristian

Hi Cristian! It does say some security checks failed!

ASA-01-RO-PRI# cap ASP type asp-drop all
ASA-01-RO-PRI# packet-tracer input inside icmp 172.16.6.4 0 0 192.168.1.101
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 OUTSIDE
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static NETWORK_OBJ_172.16.6.0_24 NETWORK_OBJ_172.16.6.0_24 destination static SiteB-Inside SiteB-Inside no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface OUTSIDE
Untranslate 192.168.1.101/0 to 192.168.1.101/0
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ASA-01-RO-PRI# sh capture asp-drop
0 packet captured
0 packet shown
ASA-01-RO-PRI# sh asp drop
Frame drop:
Flow is being freed (flow-being-freed) 154
Invalid encapsulation (invalid-encap) 146258
Unsupported IP version (unsupported-ip-version) 3
Invalid IP length (invalid-ip-length) 8
Invalid TCP Length (invalid-tcp-hdr-length) 3
Invalid UDP Length (invalid-udp-length) 2
No valid adjacency (no-adjacency) 621
No route to host (no-route) 2098726
Flow is denied by configured rule (acl-drop) 8195787
First TCP packet not SYN (tcp-not-syn) 5730134
Bad TCP flags (bad-tcp-flags) 653
TCP Dual open denied (tcp-dual-open) 10
TCP data send after FIN (tcp-data-past-fin) 14
TCP failed 3 way handshake (tcp-3whs-failed) 41673
TCP RST/FIN out of order (tcp-rstfin-ooo) 688536
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 52884
TCP SYNACK on established conn (tcp-synack-ooo) 2090
TCP packet SEQ past window (tcp-seq-past-win) 35317
TCP invalid ACK (tcp-invalid-ack) 19686
TCP ACK in 3 way handshake invalid (tcp-discarded-ooo) 139
TCP Out-of-Order packet buffer full (tcp-buffer-full) 636
TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 1698
TCP RST/SYN in window (tcp-rst-syn-in-win) 6600
TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue) 799
TCP packet failed PAWS test (tcp-paws-fail) 6510
CTM returned error (ctm-error) 48
Slowpath security checks failed (sp-security-failed) 19594956
Expired flow (flow-expired) 15
ICMP Inspect bad icmp code (inspect-icmp-bad-code) 676
ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched) 13756
ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn) 20
DNS Inspect invalid packet (inspect-dns-invalid-pak) 1277
DNS Inspect invalid domain label (inspect-dns-invalid-domain-label) 195
DNS Inspect id not matched (inspect-dns-id-not-matched) 2234028
FP L2 rule drop (l2_acl) 59047
Interface is down (interface-down) 175
Dropped pending packets in a closed socket (np-socket-closed) 17845
NAT unassigned pool in cluster (nat-cluster-unassigned-pool) 76
Last clearing: Never
Flow drop:
Need to start IKE negotiation (need-ike) 10
Flow is denied by access rule (acl-drop) 4163666
Inspection failure (inspect-fail) 82714
SSL bad record detected (ssl-bad-record-detect) 219
SSL handshake failed (ssl-handshake-failed) 1178
SSL malloc error (ssl-malloc-error) 48
Last clearing: Never
ASA-01-RO-PRI#
ASA-01-RO-PRI# show capture
capture ASP type asp-drop all [Buffer Full - 524239 bytes]
capture asp-drop type raw-data [Capturing - 0 bytes]
ASA-01-RO-PRI#
ASA-01-RO-PRI# show cap ASP | include 172.16.15
1: 16:59:26.957836 172.16.15.6.4554 > 172.16.15.127.4554: udp 167 Drop-reason: (sp-security-failed) Slowpath security checks failed
2: 16:59:28.384913 172.16.15.7.4554 > 172.16.15.127.4554: udp 166 Drop-reason: (sp-security-failed) Slowpath security checks failed
4: 16:59:33.442604 172.16.15.5.4554 > 172.16.15.127.4554: udp 167 Drop-reason: (sp-security-failed) Slowpath security checks failed
6: 16:59:36.967906 172.16.15.6.4554 > 172.16.15.127.4554: udp 167 Drop-reason: (sp-security-failed) Slowpath security checks failed
7: 16:59:38.395655 172.16.15.7.4554 > 172.16.15.127.4554: udp 166 Drop-reason: (sp-security-failed) Slowpath security checks failed
10: 16:59:43.452002 172.16.15.5.4554 > 172.16.15.127.4554: udp 167 Drop-reason: (sp-security-failed) Slowpath security checks failed
11: 16:59:46.978144 172.16.15.6.4554 > 172.16.15.127.4554: udp 167 Drop-reason: (sp-security-failed) Slowpath security checks failed
12: 16:59:48.405008 172.16.15.7.4554 > 172.16.15.127.4554: udp 166 Drop-reason: (sp-security-failed) Slowpath security checks failed
14: 16:59:53.463202 172.16.15.5.4554 > 172.16.15.127.4554: udp 167 Drop-reason: (sp-security-failed) Slowpath security checks failed
17: 16:59:56.988016 172.16.15.6.4554 > 172.16.15.127.4554: udp 167 Drop-reason: (sp-security-failed) Slowpath security checks failed
18: 16:59:58.415566 172.16.15.7.4554 > 172.16.15.127.4554: udp 166 Drop-reason: (sp-security-failed) Slowpath security checks failed
20: 17:00:03.472448 172.16.15.5.4554 > 172.16.15.127.4554: udp 167 Drop-reason: (sp-security-failed) Slowpath security checks failed
24: 17:00:06.999048 172.16.15.6.4554 > 172.16.15.127.4554: udp 167 Drop-reason: (sp-security-failed) Slowpath security checks failed
76: 17:00:08.424950 172.16.15.7.4554 > 172.16.15.127.4554: udp 166
83: 17:00:13.483007 172.16.15.5.4554 > 172.16.15.127.4554: udp 167
85: 17:00:17.007857 172.16.15.6.4554 > 172.16.15.127.4554: udp 167
86: 17:00:18.435875 172.16.15.7.4554 > 172.16.15.127.4554: udp 166
88: 17:00:23.492543 172.16.15.5.4554 > 172.16.15.127.4554: udp 167
89: 17:00:27.017882 172.16.15.6.4554 > 172.16.15.127.4554: udp 167

Hello,

First add inspection of ICMP on Site-A.

policy-map global_policy
 class inspection_default
  inspect icmp

Then I see some strange stuff happening.

SiteA uses the 172.16.x.x <- clarify
SiteB has the IP range of 192.168.1.x. < /24 net?

nat (INSIDE,OUTSIDE) source static NETWORK_OBJ_172.16.6.0_24 NETWORK_OBJ_172.16.6.0_24 destination static SiteB-Inside SiteB-Inside no-proxy-arp route-lookup
access-list OUTSIDE_cryptomap extended permit ip 172.16.15.0 255.255.255.128 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.15.0/255.255.255.128/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
ASA-01-RO-PRI# packet-tracer input inside icmp 172.16.6.4 0 0 192.168.1.101

Your crypto-acl will not match your packet-tracer with above in consideration.

What exactly are your networks that need to traverse tunnel?

//Cristian

Thanks

SiteB is indeed 192.168.1.x/24, and SiteA is 172.16.x.x, like so:

vlan 10 RO-Office 172.16.0.1 255.255.255.0
vlan 20 RO-Guest1 172.16.1.1 255.255.255.0
vlan 30 RO-RND 172.16.2.1 255.255.255.0
vlan 40 RO-Voice 172.16.3.1 255.255.255.0
vlan 50 RO-Guest2 172.16.4.1 255.255.255.0
vlan 60 RO-Automation 172.16.5.1 255.255.255.0
vlan 70 RO-IT 172.16.6.1 255.255.255.0
vlan 90 RO-Printers 172.16.7.1 255.255.255.224
vlan 100 RO-Servers 172.16.240.1 255.255.255.128

object network oOffice
range 172.16.0.1 172.16.0.254
object network oGuest1
range 172.16.1.1 172.16.1.254
object network oRND
range 172.16.2.1 172.16.2.254
object network oVoice
range 172.16.3.1 172.16.3.254
object network oGuest2
range 172.16.4.1 172.16.4.254
object network oAutomation
range 172.16.5.1 172.16.5.254
object network oIT
range 172.16.6.1 172.16.6.254
object network oPrinters
range 172.16.7.1 172.16.7.30
object network oMGMT
range 172.16.15.1 172.16.15.126

object network SiteB-Outside
host 217.100.x.y
object network SiteB-Inside
subnet 192.168.1.0 255.255.255.0

object network NETWORK_OBJ_172.16.15.0_25
subnet 172.16.15.0 255.255.255.128
object network NETWORK_OBJ_172.16.6.0_24
subnet 172.16.6.0 255.255.255.0
object network NETWORK_OBJ_172.16.0.192_26
subnet 172.16.0.192 255.255.255.192

NAT rules: (I probably should remove the first and third)

nat (INSIDE,OUTSIDE) source static NETWORK_OBJ_172.16.15.0_25 NETWORK_OBJ_172.16.15.0_25 destination static SiteB-Inside SiteB-Inside no-proxy-arp route-lookup
nat (INSIDE,OUTSIDE) source static NETWORK_OBJ_172.16.6.0_24 NETWORK_OBJ_172.16.6.0_24 destination static SiteB-Inside SiteB-Inside no-proxy-arp route-lookup
nat (INSIDE,OUTSIDE) source static any any destination static NETWORK_OBJ_172.16.0.192_26 NETWORK_OBJ_172.16.0.192_26 no-proxy-arp route-lookup

My cryptomap rule was generated by the VPN wizard, and is not exactly the same as yours:

access-list OUTSIDE_cryptomap extended permit ip 172.16.15.0 255.255.255.128 object SiteB-Inside

I would like the hosts at SiteB to (at least) connect to SiteA networks 'RO-Office', 'RO-Guest2' and 'RO-Servers'
My own workstation is in the 'RO-IT' network, I would like to connect to hosts at 192.168.1.x

Hello,

Try this:

object-group network SITE-A_NETS
network-object object oOffice
network-object object oGuest1
network-object object oRND
network-object object oVoice
network-object object oGuest2
network-object object oAutomation
network-object object oIT
network-object object oPrinters
network-object object oMGMT
<add or remove as necessary>
object-group network SITE-B_NETS
network-object object SiteB-Inside
<add or remove as necessary>
access-list OUTSIDE_cryptomap extended permit ip object-group SITE-A_NETS object-group SITE-B_NETS
nat (INSIDE,OUTSIDE) 1 source static SITE-A_NETS SITE-A_NETS destination static SITE-B_NETS SITE-B_NETS no-proxy-arp route-lookup

Then run these lines and post result:

packet-tracer input INSIDE icmp 172.16.6.4 8 0 192.168.1.101 detail
packet-tracer input OUTSIDE icmp 192.168.1.101 0 0 172.16.6.4 detail
show crypto isakmp sa
show crypto ipsec sa

PS: edit post for "object network SiteB-Outside" for security reasons.

//Cristian
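An added example, not part of the thread and not Cisco code, covering both Cristian's point that the crypto ACL does not match the packet-tracer flow and his object-group fix above: a Python model of the crypto ACL and the identity (NAT-exempt) rule, fed the thread's networks as constructed data. The 'range' objects are modelled as their enclosing subnets, which is an assumption; object names and groups are the ones quoted in the thread.

```python
import ipaddress

# Constructed model of the Site A objects quoted in the thread. 'range'
# objects are modelled as their enclosing subnets (assumption); SITE-A_NETS
# is Cristian's proposed object-group of the nine VLAN objects.
OBJECTS = {
    "SiteB-Inside": ["192.168.1.0/24"],
    "NETWORK_OBJ_172.16.6.0_24": ["172.16.6.0/24"],
    "SITE-A_NETS": ["172.16.0.0/24", "172.16.1.0/24", "172.16.2.0/24",
                    "172.16.3.0/24", "172.16.4.0/24", "172.16.5.0/24",
                    "172.16.6.0/24", "172.16.7.0/27", "172.16.15.0/25"],
    "SITE-B_NETS": ["192.168.1.0/24"],
}

# State when Barry ran the first packet-tracer: the crypto ACL from
# 'show crypto ipsec sa' and the identity NAT rule from phase 3 of the trace.
WIZARD_CRYPTO_ACL = [("172.16.15.0 255.255.255.128", "SiteB-Inside")]
WIZARD_NAT_EXEMPT = [("NETWORK_OBJ_172.16.6.0_24", "SiteB-Inside")]

# Cristian's proposal: one crypto ACL entry and one NAT rule on object-groups.
FIXED_CRYPTO_ACL = [("SITE-A_NETS", "SITE-B_NETS")]
FIXED_NAT_EXEMPT = [("SITE-A_NETS", "SITE-B_NETS")]

NOT_INTERESTING = "no crypto ACL entry matches: falls through to the implicit deny"
NOT_EXEMPT = "matches the crypto ACL but no identity NAT: may be translated first"
ENCRYPTED = "encrypted via tunnel"


def resolve(spec):
    """Turn an ACL/NAT operand into ip_network objects: either a named object
    or object-group from OBJECTS, or a literal 'address mask' pair as written
    in an extended ACL."""
    if spec in OBJECTS:
        return [ipaddress.ip_network(n) for n in OBJECTS[spec]]
    addr, mask = spec.split()
    return [ipaddress.ip_network(f"{addr}/{mask}")]


def first_match(entries, src, dst):
    """Return the first (src_spec, dst_spec) entry containing the flow, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_spec, dst_spec in entries:
        if any(s in n for n in resolve(src_spec)) and any(d in n for n in resolve(dst_spec)):
            return (src_spec, dst_spec)
    return None


def classify(src, dst, crypto_acl, nat_exempt):
    """Mirror the two checks a LAN-to-LAN flow has to pass on the ASA: is it
    left untranslated (identity NAT), and is it 'interesting' traffic for the
    crypto map? NAT runs before the crypto map, so both must hold."""
    nat_hit = first_match(nat_exempt, src, dst)
    acl_hit = first_match(crypto_acl, src, dst)
    if acl_hit is None:
        verdict = NOT_INTERESTING
    elif nat_hit is None:
        verdict = NOT_EXEMPT
    else:
        verdict = ENCRYPTED
    return {"nat_exempt": nat_hit, "crypto_acl": acl_hit, "verdict": verdict}


def crypto_entries_without_exemption(crypto_acl, nat_exempt):
    """List (src, dst) networks of the crypto ACL that no identity NAT entry
    covers in full; these are the mismatches Cristian warns about."""
    uncovered = []
    for src_spec, dst_spec in crypto_acl:
        for s in resolve(src_spec):
            for d in resolve(dst_spec):
                covered = any(
                    any(s.subnet_of(ns) for ns in resolve(nsrc))
                    and any(d.subnet_of(nd) for nd in resolve(ndst))
                    for nsrc, ndst in nat_exempt)
                if not covered:
                    uncovered.append((str(s), str(d)))
    return uncovered
```

With the wizard-generated state, 172.16.6.4 to 192.168.1.101 hits the identity NAT but no crypto ACL entry, exactly the phase 3 ALLOW followed by the phase 4 DROP in the trace; with the object-group version both checks pass.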

Thanks. Can't try this right now, but I'll let you know what happens....

Hey,

Remember to adjust the SITE-B ACL accordingly (had some troubles with mismatching ACLs in the past).

//Cristian

Hi,

I've added both object groups, the ACL and the NAT rule in the ASA at SiteA.

ASA-01-RO-PRI# packet-tracer input INSIDE icmp 172.16.6.4 8 0 192.168.1.101 detail

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff33a4af60, priority=1, domain=permit, deny=false
hits=7867538, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=INSIDE, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 OUTSIDE

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static SITE-A_NETS SITE-A_NETS destination static SITE-B_NETS SITE-B_NETS no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface OUTSIDE
Untranslate 192.168.1.101/0 to 192.168.1.101/0

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff3363c920, priority=11, domain=permit, deny=true
hits=2701, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=any, output_ifc=any

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ASA-01-RO-PRI# packet-tracer input OUTSIDE icmp 192.168.1.101 0 0 172.16.6.4 detail

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff338790b0, priority=1, domain=permit, deny=false
hits=2081984318, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=OUTSIDE, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.6.0 255.255.255.0 RO-IT

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff34a52630, priority=11, domain=permit, deny=true
hits=2447638, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=OUTSIDE, output_ifc=any

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: RO-IT
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ASA-01-RO-PRI# show crypto isakmp sa

IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 217.100.x.y
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE

There are no IKEv2 SAs
ASA-01-RO-PRI# show crypto ipsec sa
interface: OUTSIDE
Crypto map tag: OUTSIDE_map, seq num: 1, local addr: 95.97.x.y

access-list OUTSIDE_cryptomap extended permit ip 172.16.15.0 255.255.255.128 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.15.0/255.255.255.128/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 217.100.x.y

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 95.97.x.y/0, remote crypto endpt.: 217.100.x.y/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 1CD9DDDB
current inbound spi : 6C324104

inbound esp sas:
spi: 0x6C324104 (1815232772)
transform: esp-aes-192 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 8491008, crypto-map: OUTSIDE_map
sa timing: remaining key lifetime (sec): 27532
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x1CD9DDDB (484040155)
transform: esp-aes-192 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 8491008, crypto-map: OUTSIDE_map
sa timing: remaining key lifetime (sec): 27531
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

(I wanted to check the configuration at our office at SiteB, but it turns out they are closed now.)

//Barry

Hello,

You are still matching wrong network(s) in crypto-acl:

access-list OUTSIDE_cryptomap extended permit ip 172.16.15.0 255.255.255.128 192.168.1.0 255.255.255.0

Make that line inactive and try with:

access-list OUTSIDE_cryptomap extended permit ip object-group SITE-A_NETS object-group SITE-B_NETS

//Cristian

Hi Cristian,

I did indeed have two ACL's on the VPN traffic (derp), so I removed the old one. But packets still got dropped.

no access-list OUTSIDE_cryptomap extended permit ip 172.16.15.0 255.255.255.128 object SiteB-Inside

I've removed the old NAT rules, also with no effect.

no nat (INSIDE,OUTSIDE) source static NETWORK_OBJ_172.16.15.0_25 NETWORK_OBJ_172.16.15.0_25 destination static SiteB-Inside SiteB-Inside no-proxy-arp route-lookup
no nat (INSIDE,OUTSIDE) source static NETWORK_OBJ_172.16.6.0_24 NETWORK_OBJ_172.16.6.0_24 destination static SiteB-Inside SiteB-Inside no-proxy-arp route-lookup
no nat (INSIDE,OUTSIDE) source static any any destination static NETWORK_OBJ_172.16.0.192_26 NETWORK_OBJ_172.16.0.192_26 no-proxy-arp route-lookup

At this point only the following remained:

access-list OUTSIDE_cryptomap extended permit ip object-group SITE-A_NETS object-group SITE-B_NETS
nat (INSIDE,OUTSIDE) source static SITE-A_NETS SITE-A_NETS destination static SITE-B_NETS SITE-B_NETS no-proxy-arp route-lookup

Then I started removing the connection profile from the ASDM GUI, and started removing old VPN configuration rules via CLI, like the group-policy and tunnel-group. Then re-adding the vpn-related rules. That did not work either. So I removed them again, and used the ASDM site-to-site VPN wizard from scratch.

Still packets are dropped, and ASDM shows some scary logs:

(The logs show a connection attempt from the 172.209.68.x range, don't know what that is yet, it's not in my known network.)

ASA-01-RO-PRI# packet-tracer input INSIDE icmp 172.16.6.4 8 0 192.168.1.101 detail
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff33a4af60, priority=1, domain=permit, deny=false
hits=7940115, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=INSIDE, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 OUTSIDE

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static SITE-A_NETS SITE-A_NETS destination static SITE-B_NETS SITE-B_NETS no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface OUTSIDE
Untranslate 192.168.1.101/0 to 192.168.1.101/0

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff3363c920, priority=11, domain=permit, deny=true
hits=2706, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=any, output_ifc=any

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ASA-01-RO-PRI# packet-tracer input OUTSIDE icmp 192.168.1.101 0 0 172.16.6.4 detail
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff338790b0, priority=1, domain=permit, deny=false
hits=2096495165, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=OUTSIDE, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.6.0 255.255.255.0 RO-IT

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff34a52630, priority=11, domain=permit, deny=true
hits=2462321, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=OUTSIDE, output_ifc=any

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: RO-IT
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ASA-01-RO-PRI# show crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
ASA-01-RO-PRI# show crypto ipsec sa
There are no ipsec sas

After deleting the old NAT rules, the IKE SAs vanished too! And they did not come back after running the VPN wizard again.
//Barry

Hello,

Please note the NAT:

nat (INSIDE,OUTSIDE) source static SITE-A_NETS SITE-A_NETS destination static SITE-B_NETS SITE-B_NETS no-proxy-arp route-lookup

That says INSIDE, it may or may not work as required to change that into:

(Your output interface in last packet-tracer is RO-IT)

nat (any,OUTSIDE) source static SITE-A_NETS SITE-A_NETS destination static SITE-B_NETS SITE-B_NETS no-proxy-arp route-lookup

I have never tried the any input myself.

Your RO-IT interface is in the 172.16.4.4 net?

//Cristian

Hi, I've changed the NAT rule, but no luck yet.

The RO-IT interface is the one I'm using for configuring and testing, which is on the 172.16.6.1 net.

The 172.16.4.x net is one of the Guest networks (oGuest2).

Both networks are added to 'SITE-A_NETS'.

ASA-01-RO-PRI(config)# packet-tracer input INSIDE icmp 172.16.6.4 8 0 192.168.1.101 detail
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff33a4af60, priority=1, domain=permit, deny=false
hits=7989021, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=INSIDE, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 OUTSIDE
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (any,OUTSIDE) source static SITE-A_NETS SITE-A_NETS destination static SITE-B_NETS SITE-B_NETS no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface OUTSIDE
Untranslate 192.168.1.101/0 to 192.168.1.101/0
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff3363c920, priority=11, domain=permit, deny=true
hits=2707, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=any, output_ifc=any
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ASA-01-RO-PRI(config)# packet-tracer input OUTSIDE icmp 192.168.1.101 0 0 172.16.6.4 detail
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff338790b0, priority=1, domain=permit, deny=false
hits=2100107907, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=OUTSIDE, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.6.0 255.255.255.0 RO-IT
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (any,OUTSIDE) source static SITE-A_NETS SITE-A_NETS destination static SITE-B_NETS SITE-B_NETS no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface RO-IT
Untranslate 172.16.6.4/0 to 172.16.6.4/0
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff34a52630, priority=11, domain=permit, deny=true
hits=2465833, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=OUTSIDE, output_ifc=any
Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: RO-IT
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ASA-01-RO-PRI(config)#