IPsec remote access VPN can't access outside network

Jayzone_pl (Level 1)

Hi guys,

I tried to simulate an ASA with 3 interfaces (inside = security level 100; outside = security level 0; internet = security level 0). I configured an IPsec remote access VPN (IKEv1). What I tried to achieve is for the internet client to access the outside network.

Using the PC on the internet interface side, I connected via the Cisco VPN client. I established the connection but can't access the network on the outside interface.

Hope you can help me on this. Thanks in advance.

config:

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU2x encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 20.x9.x.x NAS_IN

name x92.x68.x.x NAS_OUT

!

interface GigabitEthernet0

nameif management

security-level 0

ip address x0.x.x.x 255.255.255.0

!

interface GigabitEthernetx

nameif inside

security-level x00

ip address 20.x9.x.x 255.255.255.0

!

interface GigabitEthernet2

nameif outside

security-level 0

ip address x92.x68.x.x 255.255.255.x28

!            

interface GigabitEthernet3

nameif internet

security-level 0

ip address x72.x.x.x 255.255.255.0

!

interface GigabitEthernetx

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet5

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network INSIDE

subnet 20.x9.x.x 255.255.255.0

object network NAS

host 20.x9.x.x

object network NAS_OUTSIDE

host x92.x68.x50.x0

object network INSIDE_PAT

subnet 20.x9.x.0 255.255.255.0

object network INSIDE_NETWORK

subnet 20.x9.x.0 255.255.255.0

object network NAS_internet

host x72.x.x.x0

object network NETWORK_OBJ_x92.x68.20.0_28

subnet x92.x68.20.0 255.255.255.2x0

object network NETWORK_OBJ_x92.x68.x5.0_27

subnet x92.x68.x5.0 255.255.255.22x

object network FILESVR

host 20.x9.x.xx

object network FILESVR_OUT

host x92.x68.x50.xx

object network NETWORK_OBJ_x92.x68.x.0_27

subnet x92.x68.x.0 255.255.255.22x

object network NETWORK_OBJ_x92.x68.xx6.0_2x

subnet x92.x68.xx6.0 255.255.255.0

object-group network INTERNAL_LAN

network-object x92.x68.xx5.0 255.255.255.0

network-object x92.x68.xx6.0 255.255.255.0

network-object x92.x68.xx7.0 255.255.255.0

network-object x92.x68.xx8.0 255.255.255.0

network-object x92.x68.xx9.0 255.255.255.0

network-object x92.x68.x50.0 255.255.255.0

network-object x92.x68.x6x.0 255.255.255.0

network-object x92.x68.x62.0 255.255.255.0

object-group service SERVICES

object-group service SERVICES_ALLOWED

service-object icmp

service-object icmp echo

service-object icmp echo-reply

service-object icmp6 echo

service-object icmp6 echo-reply

service-object tcp destination eq ftp

service-object tcp destination eq h323

service-object tcp destination eq www

service-object tcp destination eq https

service-object tcp destination eq pop3

service-object tcp destination eq smtp

access-list outside_access_in extended permit object-group SERVICES_ALLOWED object-group INTERNAL_LAN object NAS

access-list outside_access_in extended permit ip any any inactive

access-list vpn_remote_splitTunnelAcl standard permit x92.x68.xx6.0 255.255.255.0

pager lines 2x

mtu management x500

mtu inside x500

mtu outside x500

mtu internet x500

icmp unreachable rate-limit x burst-size x

asdm image disk0:/asdm-6x7.bin

no asdm history enable

arp timeout xxx00

nat (inside,outside) source static NAS NAS_OUTSIDE destination static INTERNAL_LAN INTERNAL_LAN

nat (inside,outside) source static FILESVR FILESVR_OUT destination static INTERNAL_LAN INTERNAL_LAN

access-group outside_access_in in interface outside

!

router rip

network x92.x68.xx5.0

network x92.x68.xx6.0

network x92.x68.xx7.0

network x92.x68.xx9.0

network x92.x68.x50.0

network x92.x68.x60.0

network x92.x68.x62.0

!

route internet 0.0.0.0 0.0.0.0 x72.x.x.2 x

timeout xlate 3:00:00

timeout conn x:00:00 half-closed 0:x0:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:x0:00 h323 0:05:00 h225 x:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:0x:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http x0.x.x.2 255.255.255.255 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username admin password f3UhLvUjxQsXsuK7 encrypted privilege x5

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 5x2

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect http

  inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-x

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

crashinfo save disable

Cryptochecksum:cx9c68xxf9a703xae7aacfx33b37f36f

: end

ciscoasa#  SHO RUN

: Saved

:

ASA Version 8.x(2)

!

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU2x encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 20.x9.x.x0 NAS_IN

name x92.x68.x50.x0 NAS_OUT

!

interface GigabitEthernet0

nameif management

security-level 0

ip address x0.x.x.x 255.255.255.0

!

interface GigabitEthernetx

nameif inside

security-level x00

ip address 20.x9.x.250 255.255.255.0

!

interface GigabitEthernet2

nameif outside

security-level 0

ip address x92.x68.x50.5 255.255.255.x28

!            

interface GigabitEthernet3

nameif internet

security-level 0

ip address x72.x.x.x 255.255.255.0

!

interface GigabitEthernetx

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet5

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network INSIDE

subnet 20.x9.x.0 255.255.255.0

object network NAS

host 20.x9.x.x0

object network NAS_OUTSIDE

host x92.x68.x50.x0

object network INSIDE_PAT

subnet 20.x9.x.0 255.255.255.0

object network INSIDE_NETWORK

subnet 20.x9.x.0 255.255.255.0

object network NAS_internet

host x72.x.x.x0

object network NETWORK_OBJ_x92.x68.20.0_28

subnet x92.x68.20.0 255.255.255.2x0

object network NETWORK_OBJ_x92.x68.x5.0_27

subnet x92.x68.x5.0 255.255.255.22x

object network FILESVR

host 20.x9.x.xx

object network FILESVR_OUT

host x92.x68.x50.xx

object network NETWORK_OBJ_x92.x68.x.0_27

subnet x92.x68.x.0 255.255.255.22x

object network NETWORK_OBJ_x92.x68.xx6.0_2x

subnet x92.x68.xx6.0 255.255.255.0

object network NETWORK_OBJ_x92.x68.x0.0_28

subnet x92.x68.x0.0 255.255.255.2x0

object-group network INTERNAL_LAN

network-object x92.x68.xx5.0 255.255.255.0

network-object x92.x68.xx6.0 255.255.255.0

network-object x92.x68.xx7.0 255.255.255.0

network-object x92.x68.xx8.0 255.255.255.0

network-object x92.x68.xx9.0 255.255.255.0

network-object x92.x68.x50.0 255.255.255.0

network-object x92.x68.x6x.0 255.255.255.0

network-object x92.x68.x62.0 255.255.255.0

object-group service SERVICES

object-group service SERVICES_ALLOWED

service-object icmp

service-object icmp echo

service-object icmp echo-reply

service-object icmp6 echo

service-object icmp6 echo-reply

service-object tcp destination eq ftp

service-object tcp destination eq h323

service-object tcp destination eq www

service-object tcp destination eq https

service-object tcp destination eq pop3

service-object tcp destination eq smtp

access-list outside_access_in extended permit object-group SERVICES_ALLOWED object-group INTERNAL_LAN object NAS

access-list outside_access_in extended permit ip any any inactive

access-list vpn_remote_splitTunnelAcl standard permit x92.x68.xx6.0 255.255.255.0

access-list internet_access_in extended permit ip any any

pager lines 2x

mtu management x500

mtu inside x500

mtu outside x500

mtu internet x500

ip local pool ippool x92.x68.x0.x-x92.x68.x0.x0 mask 255.255.255.0

icmp unreachable rate-limit x burst-size x

asdm image disk0:/asdm-6x7.bin

no asdm history enable

arp timeout xxx00

nat (inside,outside) source static NAS NAS_OUTSIDE destination static INTERNAL_LAN INTERNAL_LAN

nat (inside,outside) source static FILESVR FILESVR_OUT destination static INTERNAL_LAN INTERNAL_LAN

nat (outside,internet) source static any any destination static NETWORK_OBJ_x92.x68.x0.0_28 NETWORK_OBJ_x92.x68.x0.0_28 no-proxy-arp route-lookup

access-group outside_access_in in interface outside

access-group internet_access_in in interface internet

!

router rip

network x92.x68.xx5.0

network x92.x68.xx6.0

network x92.x68.xx7.0

network x92.x68.xx9.0

network x92.x68.x50.0

network x92.x68.x60.0

network x92.x68.x62.0

!

route internet 0.0.0.0 0.0.0.0 x72.x.x.2 x

timeout xlate 3:00:00

timeout conn x:00:00 half-closed 0:x0:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:x0:00 h323 0:05:00 h225 x:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:0x:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http x0.x.x.2 255.255.255.255 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikevx transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikevx transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikevx transform-set ESP-DES-SHA ESP-DES-MD5

crypto map internet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map internet_map interface internet

crypto ikevx enable internet

crypto ikevx policy x30

authentication crack

encryption des

hash sha

group 2

lifetime 86x00

crypto ikevx policy xx0

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86x00

crypto ikevx policy x50

authentication pre-share

encryption des

hash md5

group 2

lifetime 86x00

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn       

group-policy vpn_remote internal

group-policy vpn_remote attributes

dns-server value 8.8.8.8

vpn-tunnel-protocol ikevx

username admin password f3UhLvUjxQsXsuK7 encrypted privilege x5

username vpnuser password VI6esudcaYexYjxN encrypted privilege 0

username vpnuser attributes

vpn-group-policy vpn_remote

tunnel-group vpn_remote type remote-access

tunnel-group vpn_remote general-attributes

address-pool ippool

default-group-policy vpn_remote

tunnel-group vpn_remote ipsec-attributes

ikevx pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 5x2

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect http

  inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home


13 Replies

Are there two ASAs involved or is that a copy paste fault?

Are you trying to connect using HTTP, HTTPS...etc.?

Have you run a packet tracer (I am assuming your VPN clients are on the 192.168.10.x network)?

packet-tracer input internet tcp 192.168.10.1 12345 80 detail

My initial guess is that this is most likely a NAT or routing issue.

--
Please remember to select a correct answer and rate helpful posts

Also, just out of curiosity, why did you do a replace all on the 1s?

--
Please remember to select a correct answer and rate helpful posts

Hi Mr. Marius,

Thank you for your reply.

Yes, the VPN is on the 192.168.10.x subnet. I created the VPN through the wizard, and the NAT is automatically created:

nat (outside,internet) source static any any destination static NETWORK_OBJ_x92.x68.x0.0_28 NETWORK_OBJ_x92.x68.x0.0_28 no-proxy-arp route-lookup

Actually, I first created the IPsec VPN in a way for the internet client to access the inside network, and it works fine. Then I removed the IPsec VPN config and created another scenario where the internet client can access the outside network, but the access from internet to outside failed.

Oops, sorry for the copy/paste error.

Hope you can help me with the troubleshooting.

Thank you.

Jay

Did you run the packet tracer...what were the results?

Is this in a lab? If you add the command management-access outside, are you able to ping the ASA outside interface from the VPN client located through the internet interface?

Just remember to remove the management-access outside command once you are done testing.

--
Please remember to select a correct answer and rate helpful posts

Hi Mr. Mashal and Marius,

I tried to use the packet-tracer command as advised and here is the result.

ciscoasa# packet-tracer input internet tcp 192.168.10.1 12345 192.168.145.100 80

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   192.168.145.0   255.255.255.0   outside

Phase: 3

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (outside,internet) source static any any destination static NETWORK_OBJ_192.168.10.0_28 NETWORK_OBJ_192.168.10.0_28 no-proxy-arp route-lookup

Additional Information:

NAT divert to egress interface outside

Untranslate 192.168.145.100/80 to 192.168.145.100/80

Phase: 4     

Type: ACCESS-LIST

Subtype:     

Result: ALLOW

Config:      

Implicit Rule

Additional Information:

Phase: 5     

Type: IP-OPTIONS

Subtype:     

Result: ALLOW

Config:      

Additional Information:

Phase: 6     

Type: CP-PUNT

Subtype:     

Result: ALLOW

Config:      

Additional Information:

Phase: 7     

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:      

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect http

service-policy global_policy global

Additional Information:

Phase: 8     

Type: VPN    

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:      

Additional Information:

Phase: 9     

Type: NAT    

Subtype: rpf-check

Result: ALLOW

Config:      

nat (outside,internet) source static any any destination static NETWORK_OBJ_192.168.10.0_28 NETWORK_OBJ_192.168.10.0_28 no-proxy-arp route-lookup

Additional Information:

Phase: 10    

Type: IP-OPTIONS

Subtype:     

Result: ALLOW

Config:      

Additional Information:

Phase: 11    

Type: VPN    

Subtype: encrypt

Result: ALLOW

Config:      

Additional Information:

Result:      

input-interface: internet

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop 

Drop-reason: (ipsec-spoof) IPSEC Spoof detected.

Is this a routing issue?

Thank you.
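A small parser for traces like the one above, added here as an example (it is not code from the thread's participants or from Cisco): it splits packet-tracer output into phases plus the final verdict, and maps the two drop reasons that come up in this thread (ipsec-spoof, acl-drop) to the next check to run. Both sample traces inside it are constructed, abbreviated from the output posted above and from the reverse-direction trace further down the thread.

```python
"""Triage of Cisco ASA packet-tracer output (added example, not from the thread)."""
import re

# Constructed sample, abbreviated from the trace above: pool address used as source.
TRACE_SPOOF = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.145.0   255.255.255.0   outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,internet) source static any any destination static NETWORK_OBJ_192.168.10.0_28 NETWORK_OBJ_192.168.10.0_28 no-proxy-arp route-lookup

Result:
input-interface: internet
output-interface: outside
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected.
"""

# Constructed sample, abbreviated from the reverse-direction trace: implicit deny on outside.
TRACE_ACL = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xbc191f58, priority=11, domain=permit, deny=true

Result:
input-interface: outside
output-interface: internet
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# What each drop reason meant in the thread, as the next check to run.
HINTS = {
    "ipsec-spoof": "pool address used as source without arriving through the tunnel; "
                   "trace the reverse direction (outside host -> pool address) instead",
    "acl-drop": "denied by the input interface's ACL or implicit deny; "
                "check the access-group applied to that interface",
}


def parse_packet_tracer(text):
    """Split a trace into per-phase dicts and the trailing verdict block."""
    phases, summary = [], {"action": None, "drop_reason": None}
    current, section, in_summary = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if in_summary:                       # verdict block: "field: value" lines
            if key == "Action":
                summary["action"] = value.lower()
            elif key == "Drop-reason":
                summary["drop_reason"] = value
            elif sep:
                summary[key] = value
        elif key == "Phase":
            current = {"number": int(value), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
        elif key == "Result" and sep and value == "":
            in_summary = True                # a bare "Result:" opens the verdict block
        elif key in ("Type", "Subtype", "Result") and sep and current is not None:
            current[key.lower()] = value
        elif key == "Config" and sep and value == "":
            section = "config"
        elif key == "Additional Information" and sep:
            section = "info"
        elif current is not None and section is not None:
            current[section].append(line)   # body of Config / Additional Information
    return phases, summary


def triage(text):
    """One-line verdict: which phase dropped (if any), the reason, and the next check."""
    phases, summary = parse_packet_tracer(text)
    if summary["action"] != "drop":
        return "allow"
    dropped = [p for p in phases if p["result"].upper() == "DROP"]
    where = (f"phase {dropped[0]['number']} {dropped[0]['type']}" if dropped
             else "final verdict only (no phase marked DROP)")
    reason = summary["drop_reason"] or ""
    m = re.match(r"\((?P<code>[^)]+)\)", reason)
    hint = HINTS.get(m.group("code") if m else "", "no hint for this reason")
    return f"drop at {where}: {reason} | next check: {hint}"
```

Note that the first trace never marks a phase as DROP: every phase says ALLOW and only the final block says drop, which is why `triage` reports "final verdict only" for it. The reverse-direction trace, by contrast, pins the drop to the ACCESS-LIST phase.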

malshbou (Level 1)

Hi Jason,

I would start with the following:

- packet-tracer from the outside to the VPN pool (as we cannot simulate a packet from a VPN tunnel in packet-tracer)

   packet-tracer input outside icmp 8 0 detail

   packet-tracer input outside tcp  80 1028 detail

- show crypto ipsec sa, and check encaps/decaps. You have a tunnel-all policy, so you may need to make a split-tunnel tunnelspecified policy so that you restrict the interesting traffic (VPN-to-outside) and trace its encaps/decaps properly.

- captures at the outside interface for the VPN-to-outside flow:

cap capout interface outside match ip

I am wondering if the hosts at the outside subnet have a correct route that points to the ASA as the next hop to reach the VPN pool...?

Hope this helps.

--
Mashal Shboul

Hi sir,

Here's the result:

ciscoasa# sho crypto ipsec sa                                    

interface: internet

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 172.1.1.1

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.10.1/255.255.255.255/0/0)

      current_peer: 203.1.1.10, username: vpnuser

      dynamic allocated peer ip: 192.168.10.1

      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5

      #pkts decaps: 141, #pkts decrypt: 141, #pkts verify: 141

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.1.1.1/0, remote crypto endpt.: 203.1.1.10/0

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 1EFAE9E8

      current inbound spi : 9B85A5B2

    inbound esp sas:

      spi: 0x9B85A5B2 (2609227186)

         transform: esp-des esp-md5-hmac no compression

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 4096, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 26868

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0x1EFAE9E8 (519760360)

         transform: esp-des esp-md5-hmac no compression

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 4096, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 26868

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001
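Mashal's suggestion above was to read the encaps/decaps counters from show crypto ipsec sa. The following is an added example (not code from the thread or from Cisco) that parses that output and classifies each SA by flow symmetry; the sample text inside it is constructed from the counters and addresses posted above (5 encaps against 141 decaps).

```python
"""Flow-symmetry check on 'show crypto ipsec sa' counters (added example, not from the thread)."""
import re

# Constructed sample carrying the counters and addresses posted above (abbreviated).
SAMPLE_SA = """\
interface: internet
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 172.1.1.1

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.10.1/255.255.255.255/0/0)
      current_peer: 203.1.1.10, username: vpnuser
      dynamic allocated peer ip: 192.168.10.1

      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 141, #pkts decrypt: 141, #pkts verify: 141
      #send errors: 0, #recv errors: 0
"""

IDENT_RE = re.compile(r"^(local|remote) ident .*?:\s*\((.*)\)$")
PEER_RE = re.compile(r"^current_peer:\s*([\d.]+)(?:,\s*username:\s*(\S+))?")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERROR_RE = re.compile(r"#send errors: (\d+), #recv errors: (\d+)")


def parse_ipsec_sa(text):
    """Return one dict per crypto-map entry with idents, peer and packet counters."""
    entries, iface, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface:"):
            iface = line.split(":", 1)[1].strip()
            continue
        if line.startswith("Crypto map tag:"):
            cur = {"interface": iface, "local_ident": None, "remote_ident": None,
                   "peer": None, "username": None, "encaps": 0, "decaps": 0,
                   "send_errors": 0, "recv_errors": 0}
            entries.append(cur)
            continue
        if cur is None:
            continue
        if m := IDENT_RE.match(line):
            cur[f"{m.group(1)}_ident"] = m.group(2)
        elif m := PEER_RE.match(line):
            cur["peer"], cur["username"] = m.group(1), m.group(2)
        elif m := ERROR_RE.search(line):
            cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
        else:
            for which, count in COUNTER_RE.findall(line):
                cur[which] = int(count)
    return entries


def assess(entry, ratio=10):
    """Classify one SA from its counters.

    decaps = packets received from the client and decrypted; encaps = packets
    encrypted back to it. Many decaps with almost no encaps means the client is
    sending but its replies never reach the ASA's crypto engine: either the far
    side does not route the pool back to the ASA, or the reply is dropped
    (ACL/NAT) before encryption.
    """
    if entry["send_errors"] or entry["recv_errors"]:
        return "errors"
    enc, dec = entry["encaps"], entry["decaps"]
    if enc == 0 and dec == 0:
        return "idle"
    if dec > enc * ratio:
        return "one-way (client sends, nothing encrypted back)"
    if enc > dec * ratio:
        return "one-way (replies sent, nothing decrypted from client)"
    return "bidirectional"


def report(text, ratio=10):
    """Map each remote ident (the client's pool address) to its verdict."""
    return {e["remote_ident"].split("/")[0]: assess(e, ratio)
            for e in parse_ipsec_sa(text)}
```

Run `report()` twice a minute apart and compare: counters that grow only on the decaps side while the client keeps sending are the signature of the return-path problem this thread ends up with.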

Hi Jason,

I am not sure if your source and destination IPs in the packet-tracer are correct. Please don't use the VPN pool as source in the packet-tracer; this will normally result in an ipsec-spoof error.

Please do a similar packet-tracer FROM an IP in the outside interface that should be reachable through the tunnel TO a pool IP that belongs to the test VPN client (I guess it is 192.168.10.1).

Regards.

--
Mashal Shboul

Regardless of the spoof drop, it seems to be allowed from the VPN client to the outside interface.  It would also be good to do the trace in the reverse direction also as Mashal has mentioned.

The next thing to do would be to start a packet capture between the internet and outside interface. You won't see any traffic coming in on the internet interface as this will be encrypted. But as long as traffic that is leaving the outside interface is not being encrypted, we will see the traffic leave and the reply enter the outside interface.

Here is a link that shows how to perform the packet capture in case you haven't done it before.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml

--
Please remember to select a correct answer and rate helpful posts

Here's the packet capture as instructed.

ingress interface: internet

     capture is empty.

egress int: outside

   1: 10:09:44.736946 192.168.10.1 > 192.168.145.100: icmp: echo request

   2: 10:09:49.909758 192.168.10.1 > 192.168.145.100: icmp: echo request

   3: 10:09:54.901106 192.168.10.1 > 192.168.145.100: icmp: echo request

As the output shows, it seems there is no reply.

I also tried the packet-tracer from an IP located on the outside to the IP of the VPN pool (client), and here's the result.

ciscoasa# packet-tracer input outside icmp 192.168.145.100 8 0 1 192.168.10.1 $

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xbc982f50, priority=13, domain=capture, deny=false

        hits=13927, user_data=0xbc982e90, cs_id=0x0, l3_type=0x0

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0000.0000.0000

        input_ifc=outside, output_ifc=any

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xbc1468f8, priority=1, domain=permit, deny=false

        hits=16, user_data=0x0, cs_id=0x0, l3_type=0x8

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0100.0000.0000

        input_ifc=outside, output_ifc=any

Phase: 3     

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:      

Additional Information:

in   192.168.10.1    255.255.255.255 internet

Phase: 4     

Type: ACCESS-LIST

Subtype:     

Result: DROP 

Config:      

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xbc191f58, priority=11, domain=permit, deny=true

        hits=3, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=outside, output_ifc=any

Result:      

input-interface: outside

input-status: up

input-line-status: up

output-interface: internet

output-status: up

output-line-status: up

Action: drop 

Drop-reason: (acl-drop) Flow is denied by configured rule

With this result I configured the ACL with this:

          access-list outside_access_in extended permit ip any any

And the result:

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xbc982f50, priority=13, domain=capture, deny=false

        hits=14229, user_data=0xbc982e90, cs_id=0x0, l3_type=0x0

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0000.0000.0000

        input_ifc=outside, output_ifc=any

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xbc1468f8, priority=1, domain=permit, deny=false

        hits=18, user_data=0x0, cs_id=0x0, l3_type=0x8

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0100.0000.0000

        input_ifc=outside, output_ifc=any

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   192.168.10.1    255.255.255.255 internet

Phase: 4

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_access_in in interface outside

access-list outside_access_in extended permit ip any any

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xbc8f9200, priority=13, domain=permit, deny=false

        hits=1, user_data=0xb9464b20, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=outside, output_ifc=any

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xbc14a778, priority=0, domain=inspect-ip-options, deny=true

        hits=490, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=outside, output_ifc=any

Phase: 6

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect icmp

service-policy global_policy global

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xbc7148d8, priority=70, domain=inspect-icmp, deny=false

        hits=2, user_data=0xbc713368, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0

        input_ifc=outside, output_ifc=any

Phase: 7

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xbc14a350, priority=66, domain=inspect-icmp-error, deny=false

        hits=2, user_data=0xbc149968, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0

        input_ifc=outside, output_ifc=any

Phase: 8

Type: NAT    

Subtype:

Result: ALLOW

Config:

nat (outside,internet) source static any any destination static NETWORK_OBJ_192.168.10.0_28 NETWORK_OBJ_192.168.10.0_28 no-proxy-arp route-lookup

Additional Information:

Static translate 192.168.145.100/1 to 192.168.145.100/1

Forward Flow based lookup yields rule:

in  id=0xbc998178, priority=6, domain=nat, deny=false

        hits=2, user_data=0xbc997ad8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=192.168.10.0, mask=255.255.255.240, port=0, dscp=0x0

        input_ifc=outside, output_ifc=internet

Phase: 9

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0xbc916df0, priority=70, domain=encrypt, deny=false

        hits=575, user_data=0x3d74, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=192.168.10.1, mask=255.255.255.255, port=0, dscp=0x0

        input_ifc=any, output_ifc=internet

Phase: 10

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0xbc95f178, priority=69, domain=ipsec-tunnel-flow, deny=false

        hits=574, user_data=0x4994, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=192.168.10.1, mask=255.255.255.255, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=internet, output_ifc=any

Phase: 11

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0xbc16e488, priority=0, domain=inspect-ip-options, deny=true

        hits=739, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=internet, output_ifc=any

Phase: 12

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 1009, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_inspect_icmp

snp_fp_translate

snp_fp_adjacency

snp_fp_encrypt

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_ipsec_tunnel_flow

snp_fp_translate

snp_fp_inspect_icmp

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: internet

output-status: up

output-line-status: up

Action: allow

I wish to figure out how we can allow the access.

With the ip any any on the interface, can the VPN user access the outside network?

Are the VPN users on the internet supposed to be able to have full access to the outside network? In that case you could just add an ACL rule permitting the outside network to initiate traffic to the VPN users.

VPN users do not pass an ACL check so their connection is not entered into the state table and therefore return traffic is not permitted.

--
Please remember to select a correct answer and rate helpful posts

This is a routing issue from the subnet (192.168.145.x) back to the VPN pool.

Please verify the routing at the internet subnet so that the return traffic comes to the outside interface of the ASA.

Regards.

--
Mashal Shboul

Hi guys,

It's the routing issue. I successfully established the connection after adding a static route to the router located on the outside interface.

Thank you very much for your help.
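To illustrate the resolution (a static route on the router behind the outside interface, pointing the VPN pool at the ASA), here is an added example, not code from the thread or from Cisco: a longest-prefix-match lookup over a constructed routing table for that router, showing where a reply to a pool address goes before and after the route is added. The pool 192.168.10.0/28 and the outside subnet 192.168.145.0/24 come from the thread; the ASA's outside address and the router's upstream gateway are assumed values.

```python
"""Return-path check for a remote-access VPN pool (added example, not from the thread).

Models the routing table of the router on the ASA's outside subnet and shows why,
without a route for the pool, replies to VPN clients follow the default route
instead of coming back to the ASA to be encrypted.
"""
import ipaddress

# From the thread: pool object NETWORK_OBJ_192.168.10.0_28 and outside subnet 192.168.145.0/24.
VPN_POOL = ipaddress.ip_network("192.168.10.0/28")
OUTSIDE_SUBNET = ipaddress.ip_network("192.168.145.0/24")
# Assumed (not stated in the thread): ASA outside address and the router's upstream gateway.
ASA_OUTSIDE = ipaddress.ip_address("192.168.145.1")
UPSTREAM_GW = ipaddress.ip_address("192.168.145.254")


def lookup(routes, dst):
    """Longest-prefix match over (network, next_hop) pairs; next_hop None = connected."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, next_hop in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def return_path(routes, client_ip, asa=ASA_OUTSIDE):
    """Where a reply from an outside host to client_ip goes: 'asa', 'default' or 'none'.

    'asa' means the next hop is the ASA (the reply can be encrypted back to the
    client); 'default' means it leaks towards the upstream gateway; 'none' means
    the router has no matching route at all.
    """
    hit = lookup(routes, client_ip)
    if hit is None:
        return "none"
    return "asa" if hit[1] == asa else "default"


def with_static_route(routes, prefix, next_hop=ASA_OUTSIDE):
    """The fix from the thread: a static route for the pool prefix via the ASA."""
    return routes + [(ipaddress.ip_network(prefix), next_hop)]


def audit(routes, pool=VPN_POOL, asa=ASA_OUTSIDE):
    """Every usable pool address must return via the ASA; list the ones that do not."""
    return [str(ip) for ip in pool.hosts() if return_path(routes, ip, asa) != "asa"]


# Constructed table of the outside router before the fix: connected subnet + default route.
ROUTER_BEFORE = [
    (OUTSIDE_SUBNET, None),
    (ipaddress.ip_network("0.0.0.0/0"), UPSTREAM_GW),
]
# After the fix: the whole pool is routed back to the ASA.
ROUTER_AFTER = with_static_route(ROUTER_BEFORE, str(VPN_POOL))
```

The route has to cover the whole pool prefix, not just the one client under test: a /32 for 192.168.10.1 makes that client work and leaves every other pool address on the default route, which `audit` reports.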
