10-30-2013 10:56 PM - edited 03-11-2019 07:58 PM
Hi guys,
I tried to simulate an ASA with 3 interfaces (inside = sec. level 100; outside = sec. level 0; internet = sec. level 0). I configured IPsec remote access VPN (IKEv1). What I tried to achieve is for the internet client to access the outside network.
Using the PC on the internet interface side, I connected via the Cisco VPN client. I established the connection but can't access the network on the outside interface.
Hope you can help me on this. Thanks in advance.
config:
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU2x encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 20.x9.x.x NAS_IN
name x92.x68.x.x NAS_OUT
!
interface GigabitEthernet0
nameif management
security-level 0
ip address x0.x.x.x 255.255.255.0
!
interface GigabitEthernetx
nameif inside
security-level x00
ip address 20.x9.x.x 255.255.255.0
!
interface GigabitEthernet2
nameif outside
security-level 0
ip address x92.x68.x.x 255.255.255.x28
!
interface GigabitEthernet3
nameif internet
security-level 0
ip address x72.x.x.x 255.255.255.0
!
interface GigabitEthernetx
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network INSIDE
subnet 20.x9.x.x 255.255.255.0
object network NAS
host 20.x9.x.x
object network NAS_OUTSIDE
host x92.x68.x50.x0
object network INSIDE_PAT
subnet 20.x9.x.0 255.255.255.0
object network INSIDE_NETWORK
subnet 20.x9.x.0 255.255.255.0
object network NAS_internet
host x72.x.x.x0
object network NETWORK_OBJ_x92.x68.20.0_28
subnet x92.x68.20.0 255.255.255.2x0
object network NETWORK_OBJ_x92.x68.x5.0_27
subnet x92.x68.x5.0 255.255.255.22x
object network FILESVR
host 20.x9.x.xx
object network FILESVR_OUT
host x92.x68.x50.xx
object network NETWORK_OBJ_x92.x68.x.0_27
subnet x92.x68.x.0 255.255.255.22x
object network NETWORK_OBJ_x92.x68.xx6.0_2x
subnet x92.x68.xx6.0 255.255.255.0
object-group network INTERNAL_LAN
network-object x92.x68.xx5.0 255.255.255.0
network-object x92.x68.xx6.0 255.255.255.0
network-object x92.x68.xx7.0 255.255.255.0
network-object x92.x68.xx8.0 255.255.255.0
network-object x92.x68.xx9.0 255.255.255.0
network-object x92.x68.x50.0 255.255.255.0
network-object x92.x68.x6x.0 255.255.255.0
network-object x92.x68.x62.0 255.255.255.0
object-group service SERVICES
object-group service SERVICES_ALLOWED
service-object icmp
service-object icmp echo
service-object icmp echo-reply
service-object icmp6 echo
service-object icmp6 echo-reply
service-object tcp destination eq ftp
service-object tcp destination eq h323
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq pop3
service-object tcp destination eq smtp
access-list outside_access_in extended permit object-group SERVICES_ALLOWED object-group INTERNAL_LAN object NAS
access-list outside_access_in extended permit ip any any inactive
access-list vpn_remote_splitTunnelAcl standard permit x92.x68.xx6.0 255.255.255.0
pager lines 2x
mtu management x500
mtu inside x500
mtu outside x500
mtu internet x500
icmp unreachable rate-limit x burst-size x
asdm image disk0:/asdm-6x7.bin
no asdm history enable
arp timeout xxx00
nat (inside,outside) source static NAS NAS_OUTSIDE destination static INTERNAL_LAN INTERNAL_LAN
nat (inside,outside) source static FILESVR FILESVR_OUT destination static INTERNAL_LAN INTERNAL_LAN
access-group outside_access_in in interface outside
!
router rip
network x92.x68.xx5.0
network x92.x68.xx6.0
network x92.x68.xx7.0
network x92.x68.xx9.0
network x92.x68.x50.0
network x92.x68.x60.0
network x92.x68.x62.0
!
route internet 0.0.0.0 0.0.0.0 x72.x.x.2 x
timeout xlate 3:00:00
timeout conn x:00:00 half-closed 0:x0:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:x0:00 h323 0:05:00 h225 x:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:0x:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http x0.x.x.2 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password f3UhLvUjxQsXsuK7 encrypted privilege x5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 5x2
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-x
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:cx9c68xxf9a703xae7aacfx33b37f36f
: end
ciscoasa# SHO RUN
: Saved
:
ASA Version 8.x(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU2x encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 20.x9.x.x0 NAS_IN
name x92.x68.x50.x0 NAS_OUT
!
interface GigabitEthernet0
nameif management
security-level 0
ip address x0.x.x.x 255.255.255.0
!
interface GigabitEthernetx
nameif inside
security-level x00
ip address 20.x9.x.250 255.255.255.0
!
interface GigabitEthernet2
nameif outside
security-level 0
ip address x92.x68.x50.5 255.255.255.x28
!
interface GigabitEthernet3
nameif internet
security-level 0
ip address x72.x.x.x 255.255.255.0
!
interface GigabitEthernetx
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network INSIDE
subnet 20.x9.x.0 255.255.255.0
object network NAS
host 20.x9.x.x0
object network NAS_OUTSIDE
host x92.x68.x50.x0
object network INSIDE_PAT
subnet 20.x9.x.0 255.255.255.0
object network INSIDE_NETWORK
subnet 20.x9.x.0 255.255.255.0
object network NAS_internet
host x72.x.x.x0
object network NETWORK_OBJ_x92.x68.20.0_28
subnet x92.x68.20.0 255.255.255.2x0
object network NETWORK_OBJ_x92.x68.x5.0_27
subnet x92.x68.x5.0 255.255.255.22x
object network FILESVR
host 20.x9.x.xx
object network FILESVR_OUT
host x92.x68.x50.xx
object network NETWORK_OBJ_x92.x68.x.0_27
subnet x92.x68.x.0 255.255.255.22x
object network NETWORK_OBJ_x92.x68.xx6.0_2x
subnet x92.x68.xx6.0 255.255.255.0
object network NETWORK_OBJ_x92.x68.x0.0_28
subnet x92.x68.x0.0 255.255.255.2x0
object-group network INTERNAL_LAN
network-object x92.x68.xx5.0 255.255.255.0
network-object x92.x68.xx6.0 255.255.255.0
network-object x92.x68.xx7.0 255.255.255.0
network-object x92.x68.xx8.0 255.255.255.0
network-object x92.x68.xx9.0 255.255.255.0
network-object x92.x68.x50.0 255.255.255.0
network-object x92.x68.x6x.0 255.255.255.0
network-object x92.x68.x62.0 255.255.255.0
object-group service SERVICES
object-group service SERVICES_ALLOWED
service-object icmp
service-object icmp echo
service-object icmp echo-reply
service-object icmp6 echo
service-object icmp6 echo-reply
service-object tcp destination eq ftp
service-object tcp destination eq h323
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq pop3
service-object tcp destination eq smtp
access-list outside_access_in extended permit object-group SERVICES_ALLOWED object-group INTERNAL_LAN object NAS
access-list outside_access_in extended permit ip any any inactive
access-list vpn_remote_splitTunnelAcl standard permit x92.x68.xx6.0 255.255.255.0
access-list internet_access_in extended permit ip any any
pager lines 2x
mtu management x500
mtu inside x500
mtu outside x500
mtu internet x500
ip local pool ippool x92.x68.x0.x-x92.x68.x0.x0 mask 255.255.255.0
icmp unreachable rate-limit x burst-size x
asdm image disk0:/asdm-6x7.bin
no asdm history enable
arp timeout xxx00
nat (inside,outside) source static NAS NAS_OUTSIDE destination static INTERNAL_LAN INTERNAL_LAN
nat (inside,outside) source static FILESVR FILESVR_OUT destination static INTERNAL_LAN INTERNAL_LAN
nat (outside,internet) source static any any destination static NETWORK_OBJ_x92.x68.x0.0_28 NETWORK_OBJ_x92.x68.x0.0_28 no-proxy-arp route-lookup
access-group outside_access_in in interface outside
access-group internet_access_in in interface internet
!
router rip
network x92.x68.xx5.0
network x92.x68.xx6.0
network x92.x68.xx7.0
network x92.x68.xx9.0
network x92.x68.x50.0
network x92.x68.x60.0
network x92.x68.x62.0
!
route internet 0.0.0.0 0.0.0.0 x72.x.x.2 x
timeout xlate 3:00:00
timeout conn x:00:00 half-closed 0:x0:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:x0:00 h323 0:05:00 h225 x:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:0x:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http x0.x.x.2 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikevx transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikevx transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikevx transform-set ESP-DES-SHA ESP-DES-MD5
crypto map internet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map internet_map interface internet
crypto ikevx enable internet
crypto ikevx policy x30
authentication crack
encryption des
hash sha
group 2
lifetime 86x00
crypto ikevx policy xx0
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86x00
crypto ikevx policy x50
authentication pre-share
encryption des
hash md5
group 2
lifetime 86x00
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpn_remote internal
group-policy vpn_remote attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol ikevx
username admin password f3UhLvUjxQsXsuK7 encrypted privilege x5
username vpnuser password VI6esudcaYexYjxN encrypted privilege 0
username vpnuser attributes
vpn-group-policy vpn_remote
tunnel-group vpn_remote type remote-access
tunnel-group vpn_remote general-attributes
address-pool ippool
default-group-policy vpn_remote
tunnel-group vpn_remote ipsec-attributes
ikevx pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 5x2
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
11-04-2013 12:56 AM
Are there two ASAs involved or is that a copy paste fault?
Are you trying to connect using HTTP, HTTPS...etc.?
Have you run a packet tracer (I am assuming your VPN clients are on the 192.168.10.x network)?
packet-tracer input internet tcp 192.168.10.1 12345
My initial guess is that this is most likely a NAT or routing issue.
11-04-2013 12:58 AM
Also, just out of curiosity, why did you do a replace all on the 1s?
11-04-2013 02:39 AM
Hi Mr. Marius,
Thank you for your reply.
Yes, the VPN is on the 192.168.10.x subnet. I created the VPN through the wizard, and the NAT was automatically created:
nat (outside,internet) source static any any destination static NETWORK_OBJ_x92.x68.x0.0_28 NETWORK_OBJ_x92.x68.x0.0_28 no-proxy-arp route-lookup
Actually, I first created the IPsec VPN in a way for the internet client to access the inside network, and it works fine. Then I removed the IPsec VPN config and created another scenario in which the internet client can access the outside network, but the access from internet to outside failed.
Oops, sorry for the copy/paste error.
Hope you can help me with the troubleshooting.
Thank you.
Jay
11-04-2013 05:42 AM
Did you run the packet tracer...what were the results?
Is this in a lab? If you add the command management-access outside, are you able to ping the ASA outside interface from the VPN client located through the internet interface?
Just remember to remove the management-access outside command once you are done testing.
11-04-2013 10:38 PM
Hi Mr. Mashal and Marius,
I tried to use the packet-tracer command as advised and here is the result.
ciscoasa# packet-tracer input internet tcp 192.168.10.1 12345 192.168.145.100 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.145.0 255.255.255.0 outside
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,internet) source static any any destination static NETWORK_OBJ_192.168.10.0_28 NETWORK_OBJ_192.168.10.0_28 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.145.100/80 to 192.168.145.100/80
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http
service-policy global_policy global
Additional Information:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (outside,internet) source static any any destination static NETWORK_OBJ_192.168.10.0_28 NETWORK_OBJ_192.168.10.0_28 no-proxy-arp route-lookup
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Result:
input-interface: internet
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected.
Is this a routing issue?
Thank you.
11-04-2013 08:19 AM
Hi Jason,
I would start with the following:
- packet-tracer from the outside to the VPN pool (as we cannot simulate a packet from a VPN tunnel in packet-tracer)
packet-tracer input outside icmp
packet-tracer input outside tcp
- show crypto ipsec sa, and check encaps/decaps. You have a tunnel-all policy, so you may need to make a split-tunnel tunnelspecified policy so that you restrict the interesting traffic (VPN-to-outside) and trace its encaps/decaps properly.
- captures at the outside interface for the VPN-to-outside flow:
cap capout interface outside match ip
I am wondering if the hosts at the outside subnet have a correct route that points to the ASA as a next-hop to reach the VPN pool...?
Hope this helps.
--
Mashal Shboul
11-04-2013 10:52 PM
Hi sir,
Here's the result:
ciscoasa# sho crypto ipsec sa
interface: internet
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 172.1.1.1
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.1/255.255.255.255/0/0)
current_peer: 203.1.1.10, username: vpnuser
dynamic allocated peer ip: 192.168.10.1
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 141, #pkts decrypt: 141, #pkts verify: 141
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 172.1.1.1/0, remote crypto endpt.: 203.1.1.10/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 1EFAE9E8
current inbound spi : 9B85A5B2
inbound esp sas:
spi: 0x9B85A5B2 (2609227186)
transform: esp-des esp-md5-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 26868
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x1EFAE9E8 (519760360)
transform: esp-des esp-md5-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 26868
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
11-04-2013 11:16 PM
Hi Jason,
I am not sure if your source and destination IPs in the packet-tracer are correct. Please don't use the VPN pool as the source in the packet-tracer; this will normally result in an ipsec-spoof error.
Please do a similar packet-tracer FROM an IP on the outside interface that should be reachable through the tunnel TO a pool IP that belongs to the test VPN client (I guess it is 192.168.10.1).
Regards.
--
Mashal Shboul
11-05-2013 12:06 AM
Regardless of the spoof drop, it seems to be allowed from the VPN client to the outside interface. It would also be good to do the trace in the reverse direction also as Mashal has mentioned.
The next thing to do would be to start a packet capture between the internet and outside interface. You won't see any traffic coming in on the internet interface as this will be encrypted. But as long as traffic that is leaving the outside interface is not being encrypted we will see the traffic leave and the reply enter the outside interface.
Here is a link that shows how to perform the packet capture in case you haven't done it before.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml
11-05-2013 02:24 AM
Here's the packet capture as instructed.
ingress interface: internet
capture is empty.
egress int: outside
As with the output, it seems it has no reply.
I also tried the packet-tracer from an IP located on the outside to the IP of the VPN pool (client). Here's the result.
ciscoasa# packet-tracer input outside icmp 192.168.145.100 8 0 1 192.168.10.1 $
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xbc982f50, priority=13, domain=capture, deny=false
hits=13927, user_data=0xbc982e90, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xbc1468f8, priority=1, domain=permit, deny=false
hits=16, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.10.1 255.255.255.255 internet
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xbc191f58, priority=11, domain=permit, deny=true
hits=3, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: internet
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
With this result I configured the ACL with this:
access-list outside_access_in extended permit ip any any
And the result:
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xbc982f50, priority=13, domain=capture, deny=false
hits=14229, user_data=0xbc982e90, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xbc1468f8, priority=1, domain=permit, deny=false
hits=18, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.10.1 255.255.255.255 internet
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xbc8f9200, priority=13, domain=permit, deny=false
hits=1, user_data=0xb9464b20, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xbc14a778, priority=0, domain=inspect-ip-options, deny=true
hits=490, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xbc7148d8, priority=70, domain=inspect-icmp, deny=false
hits=2, user_data=0xbc713368, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xbc14a350, priority=66, domain=inspect-icmp-error, deny=false
hits=2, user_data=0xbc149968, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,internet) source static any any destination static NETWORK_OBJ_192.168.10.0_28 NETWORK_OBJ_192.168.10.0_28 no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.145.100/1 to 192.168.145.100/1
Forward Flow based lookup yields rule:
in id=0xbc998178, priority=6, domain=nat, deny=false
hits=2, user_data=0xbc997ad8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=192.168.10.0, mask=255.255.255.240, port=0, dscp=0x0
input_ifc=outside, output_ifc=internet
Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xbc916df0, priority=70, domain=encrypt, deny=false
hits=575, user_data=0x3d74, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=192.168.10.1, mask=255.255.255.255, port=0, dscp=0x0
input_ifc=any, output_ifc=internet
Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xbc95f178, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=574, user_data=0x4994, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=192.168.10.1, mask=255.255.255.255, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=internet, output_ifc=any
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xbc16e488, priority=0, domain=inspect-ip-options, deny=true
hits=739, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=internet, output_ifc=any
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1009, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: internet
output-status: up
output-line-status: up
Action: allow
I wish to figure out how we can allow the access.
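The three packet-tracer outputs in this thread all have the same shape (numbered phases, then a final Result block with Action and Drop-reason). The following is an added helper, not code from any poster, that parses that format and reports the first DROP phase, the drop code and the route-lookup egress interface, with hints taken from the advice given in the thread; the sample trace is constructed, modelled on the acl-drop trace above.

```python
import re

# Constructed sample, modelled on the acl-drop trace Jay posted in the thread
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.10.1 255.255.255.255 internet
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xbc191f58, priority=11, domain=permit, deny=true
Result:
input-interface: outside
output-interface: internet
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Hints taken from the advice given in the thread for the two drop codes it shows
HINTS = {
    "ipsec-spoof": "trace sourced from a VPN pool address; packet-tracer cannot simulate a "
                   "packet arriving through the tunnel, so trace from the far side toward the pool",
    "acl-drop": "denied by the access-group on the input interface; permit that flow there",
}

def parse_packet_tracer(text):
    """Split packet-tracer output into per-phase dicts plus the final verdict block."""
    phases, final, cur, section = [], {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("Phase:"):
            cur = {"number": int(line.split(":")[1]), "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":  # a bare 'Result:' opens the final verdict block
            cur = final
        elif cur is final:
            key, _, value = line.partition(":")
            final[key.strip()] = value.strip()
        elif cur is None:
            continue
        elif line in ("Config:", "Additional Information:"):
            section = line[:-1]
        elif section is None:  # phase header: Type / Subtype / Result
            key, _, value = line.partition(":")
            cur[key.strip().lower()] = value.strip()
        elif section == "Additional Information":
            cur["info"].append(line)
    return phases, final

def route_egress(phases):
    """Interface chosen by the ROUTE-LOOKUP phase (its 'in <net> <mask> <ifc>' line)."""
    for p in phases:
        if p.get("type") == "ROUTE-LOOKUP":
            for line in p["info"]:
                m = re.fullmatch(r"in \S+ \S+ (\S+)", line)
                if m:
                    return m.group(1)
    return None

def summarise(text):
    """Verdict for one trace: where the flow went, which phase dropped it and why."""
    phases, final = parse_packet_tracer(text)
    drop = next((p for p in phases if p.get("result") == "DROP"), None)
    m = re.match(r"\((\S+)\)", final.get("Drop-reason", ""))
    code = m.group(1) if m else None
    return {
        "action": final.get("Action"),
        "path": f"{final.get('input-interface')} -> {final.get('output-interface')}",
        "route_egress": route_egress(phases),
        # the ipsec-spoof trace in the thread drops with every phase ALLOW, so this can be None
        "drop_phase": f"{drop['number']} {drop['type']}" if drop else None,
        "drop_code": code,
        "hint": HINTS.get(code),
    }
```

Paste any of the traces from this thread into summarise() to get the same summary; for the ipsec-spoof trace drop_phase comes back None because no individual phase reported DROP.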
11-05-2013 02:57 AM
With the IP any any on the interface, can the VPN user access the outside network?
are the VPN users on the internet supposed to be able to have full access to the outside network? In that case you could just add an ACL rule permitting the outside network to initiate traffic to the VPN users.
VPN users do not pass an ACL check so their connection is not entered into the state table and therefore return traffic is not permitted.
11-05-2013 03:19 AM
This is a routing issue from the subnet (192.168.145.x) back to the VPN pool.
Please verify the routing at the internet subnet so that the return traffic comes to the outside interface of the ASA.
Regards.
----
Mashal Shboul
11-05-2013 05:16 PM
Hi guys,
It's the routing issue. I successfully established the connection after adding a static route to the router located on the outside interface.
Thank you very much for your help.