AWS gateway to ASA, tunnel dropping new IP range

Hi Folks,

We have a VPN tunnel from our Amazon AWS footprint to our ASA 5500, which currently sends traffic from our AWS servers in 10.200.12.0/24 to our on-premises network; there is also a 172.27.1.0/24 in the ACLs and crypto maps which works but is no longer used.

I am trying to add a new range, 172.31.1.0/24, which is a partner network reached via a different tunnel (terminating at another CI) and is distributed through the network via OSPF. This works fine on-premises: our production on-premises LAN can reach it without problems, but the ASA is dropping traffic bound for 172.31.1.0/24 at this end (vs. the AWS end) of the tunnel; the behaviour looks similar to when crypto ACLs don't match between VPN devices.

DevFW01# packet-tracer input outside tcp 10.200.12.50 1024 172.31.1.2 443 deta$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7380fb88, priority=1, domain=permit, deny=false
        hits=17899775449, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=outside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.31.1.0      255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_10 any any log debugging
object-group protocol DM_INLINE_PROTOCOL_10
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x73a72398, priority=13, domain=permit, deny=false
        hits=4530380, user_data=0x6f640280, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x73813890, priority=0, domain=inspect-ip-options, deny=true
        hits=2031225907, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x743beb60, priority=13, domain=ipsec-tunnel-flow, deny=true
        hits=14438926, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7384af18, priority=0, domain=inspect-ip-options, deny=true
        hits=305412231, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 out id=0x74fd3f68, priority=70, domain=encrypt, deny=false
        hits=3, user_data=0x0, cs_id=0x74405548, reverse, flags=0x0, protocol=0
        src ip/id=172.31.1.0, mask=255.255.255.0, port=0
        dst ip/id=10.200.0.0, mask=255.255.0.0, port=0, dscp=0x0
        input_ifc=any, output_ifc=outside

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I'd normally expect to see this if the ACLs don't match, but the crypto map shows the new range correctly. Also, the AWS side has correct ACL rules that allow this and correct routes (otherwise the traffic wouldn't enter the tunnel, right?).

Any thoughts?
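
An added example, not from the original post and not Cisco's own tooling: a small parser for packet-tracer output of the layout shown above that picks out the phase which dropped the packet and checks whether the addresses given on the packet-tracer command line fall inside the src/dst of the rule that phase matched. TRACE is a constructed excerpt of the post's output (phases 2 and 7 plus the summary), not a capture from a live device. Run with the same endpoints as the command in the post, it reports the drop at phase 7 in the encrypt domain on a reverse-flow lookup, with the return flow 172.31.1.2 -> 10.200.12.50 covered by the matched 172.31.1.0/24 -> 10.200.0.0/16 entry.

```python
"""Parse Cisco ASA packet-tracer output, find the phase that dropped the
packet, and check whether the traced addresses fall inside the rule that
phase matched. Added example; TRACE is a constructed excerpt of the post."""
import ipaddress
import re

TRACE = """\
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Additional Information:
in   172.31.1.0      255.255.255.0   inside

Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Additional Information:
 Reverse Flow based lookup yields rule:
 out id=0x74fd3f68, priority=70, domain=encrypt, deny=false
        hits=3, user_data=0x0, cs_id=0x74405548, reverse, flags=0x0, protocol=0
        src ip/id=172.31.1.0, mask=255.255.255.0, port=0
        dst ip/id=10.200.0.0, mask=255.255.0.0, port=0, dscp=0x0
        input_ifc=any, output_ifc=outside

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase:\s+(\d+)$")
FIELD_RE = re.compile(r"^(Type|Subtype|Result):\s*(.*)$")
RULE_RE = re.compile(r"^(in|out)\s+id=\S+.*domain=([\w-]+), deny=(true|false)")
ADDR_RE = re.compile(r"^(src|dst) ip/id=([\d.]+), mask=([\d.]+)")
DROP_RE = re.compile(r"^Drop-reason:\s*(.*)$", re.M)


def parse_phases(text):
    """Return one dict per phase: number, type, subtype, result and the
    domain, lookup direction and src/dst networks of the rule it matched."""
    phases, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Result:":          # trailing summary block, not a phase
            cur = None
        m = PHASE_RE.match(line)
        if m:
            cur = {"phase": int(m.group(1)), "type": "", "subtype": "",
                   "result": "", "rule": {}}
            phases.append(cur)
        elif cur is None:
            continue
        elif (m := FIELD_RE.match(line)):
            cur[m.group(1).lower()] = m.group(2).strip()
        elif "Flow based lookup" in line:
            cur["rule"]["direction"] = line.split()[0].lower()  # forward/reverse
        elif (m := RULE_RE.match(line)):
            cur["rule"]["domain"] = m.group(2)
            cur["rule"]["deny"] = m.group(3) == "true"
        elif (m := ADDR_RE.match(line)):
            # ip_network accepts dotted masks; 0.0.0.0/0.0.0.0 becomes 0.0.0.0/0
            cur["rule"][m.group(1)] = ipaddress.ip_network(
                f"{m.group(2)}/{m.group(3)}", strict=False)
    return phases


def first_drop(phases):
    """The first phase whose result is DROP, or None."""
    return next((p for p in phases if p["result"] == "DROP"), None)


def flow_in_rule(src, dst, rule):
    """True if the traced flow lies inside the matched rule's src/dst.
    A reverse-flow lookup evaluates the return packet, so src and dst swap."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if rule.get("direction") == "reverse":
        s, d = d, s
    return s in rule["src"] and d in rule["dst"]


def diagnose(text, src, dst):
    """Summarise where the trace dropped and whether that phase's rule
    actually covers the addresses given on the packet-tracer command line."""
    phases = parse_phases(text)
    drop = first_drop(phases)
    if drop is None:
        return {"dropped": False, "phases": len(phases)}
    rule = drop["rule"]
    out = {"dropped": True, "phase": drop["phase"], "type": drop["type"],
           "subtype": drop["subtype"], "domain": rule.get("domain"),
           "direction": rule.get("direction")}
    if (m := DROP_RE.search(text)):
        out["reason"] = m.group(1)
    if "src" in rule and "dst" in rule:
        out["rule"] = f"{rule['src']} -> {rule['dst']}"
        out["covered"] = flow_in_rule(src, dst, rule)
    return out


if __name__ == "__main__":
    # Same endpoints as the packet-tracer command in the post.
    print(diagnose(TRACE, "10.200.12.50", "172.31.1.2"))
```

A covered result of True says the local crypto ACL does select the flow, which agrees with the post's statement that the crypto map shows the new range. The next comparison is then against the peer's proxy IDs (on the ASA, `show crypto ipsec sa peer <peer-address>` prints the negotiated local and remote identities for each SA): note that the matched encrypt entry's destination is 10.200.0.0/16 while the post describes the AWS range as 10.200.12.0/24, which is exactly the kind of difference a side-by-side proxy-ID check surfaces.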