Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA 5510 Implicit Deny Access Rule Blocking Site-to-Site VPN Traffic

I've setup a site to site vpn on an ASA 5510 using ASDM (as I have many times before) and the tunnel appears to be up but I am not able to pass traffic.  When I run the packet tracer from my inside network to the remote destination network, it shows that it is blocked by the implicit deny ip any any rule on my inside incoming access list.

I've never had this issue on a 5505 o5 5510 before and I've tried everything I could possibly think of.  Anyone out there have any ideas?

5 REPLIES
Hall of Fame Super Silver

ASA 5510 Implicit Deny Access Rule Blocking Site-to-Site VPN Tra

The config would help.

I'd expect a crypto map (which is applied to an interface) to match addresses (source-destination) as specified in an access-list.

New Member

ASA 5510 Implicit Deny Access Rule Blocking Site-to-Site VPN Tra

Thanks, I'll grab the config and upload it as soon as I get back to my office!

New Member

ASA 5510 Implicit Deny Access Rule Blocking Site-to-Site VPN Tra

Here's my config. I hope I got it cleaned of any potential dangers!

ASA Version 8.2(5)

!

hostname asa5510

domain-name ntfamily.com

names

name 10.11.100.0 Triggerfish description Triggerfish

name 192.168.200.254 Default-LAN-Gateway description Voice Gateway - PtP Router

name 192.168.202.0 ADA-Network description 909 Felix

name 192.168.204.0 Cameron-Network description 101 W 3rd Ave

name 192.168.203.0 Maryville-Network description 109 E Summit Drive

name 192.168.205.0 Colgan-Network description 3400 Frederick

name 192.168.206.0 FamilyPlanning-Network description 1332 N 36th St

name 192.168.200.253 Barracuda description Barracuda Filter

name 192.168.200.7 Exchange description Exchange Server

name 192.168.200.29 Video-1 description Video 1

name 192.168.201.250 Citrix-New description Citrix New

name 192.168.201.15 Security-Server description Security Server

name 192.168.203.29 Video-2 description Video 2

name XXX.XXX.XXX.131 WAN-131 description XXX.XXX.XXX.131

name XXX.XXX.XXX.132 WAN-132 description XXX.XXX.XXX.132

name XXX.XXX.XXX.133 WAN-133 description XXX.XXX.XXX.133

name XXX.XXX.XXX.134 WAN-134 description XXX.XXX.XXX.134

name XXX.XXX.XXX.135 WAN-135 description XXX.XXX.XXX.135

name XXX.XXX.XXX.136 WAN-136 description XXX.XXX.XXX.136

name XXX.XXX.XXX.137 WAN-137 description XXX.XXX.XXX.137

name XXX.XXX.XXX.138 WAN-138 description XXX.XXX.XXX.138

name XXX.XXX.XXX.139 WAN-139 description XXX.XXX.XXX.139

name XXX.XXX.XXX.140 WAN-140 description XXX.XXX.XXX.140

name XXX.XXX.XXX.141 WAN-141 description XXX.XXX.XXX.141

name XXX.XXX.XXX.142 WAN-142 description XXX.XXX.XXX.142

name 192.168.204.29 Video-3 description Video 3

name 172.18.5.64 NHS description NHS LAN

!

interface Ethernet0/0

speed 100

duplex full

nameif outside

security-level 0

ip address XXX.XXX.XXX.XXX 255.255.255.240

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.201.254 255.255.254.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

boot system disk0:/asa825-k8.bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns server-group DefaultDNS

domain-name ntfamily.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group network Inside-Networks

description Networks behind the firewall

network-object 192.168.200.0 255.255.254.0

network-object ADA-Network 255.255.255.0

network-object Colgan-Network 255.255.255.0

network-object FamilyPlanning-Network 255.255.255.0

network-object NHS 255.255.255.240

object-group service terminal-services tcp

description Windows Terminal Services

port-object eq 3389

object-group service DM_INLINE_TCP_0 tcp

port-object eq www

port-object eq https

port-object eq citrix-ica

group-object terminal-services

object-group service DM_INLINE_TCP_1 tcp

port-object eq www

port-object eq https

access-list outside_access_in extended permit ip any host WAN-136

access-list outside_access_in extended permit ip any host WAN-135

access-list outside_access_in extended permit tcp any host WAN-133 object-group DM_INLINE_TCP_1

access-list outside_access_in extended permit tcp any host WAN-132 object-group DM_INLINE_TCP_0

access-list outside_access_in extended permit tcp any host WAN-131 eq smtp

access-list outside_access_in extended permit icmp any interface outside

access-list outside_access_in extended permit ip any host WAN-134

access-list inside_nat0_outbound extended permit ip object-group Inside-Networks 192.168.208.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.208.0 255.255.255.0 object-group Inside-Networks

access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.254.0 Maryville-Network 255.255.255.0

access-list inside_nat0_outbound extended permit ip Maryville-Network 255.255.255.0 192.168.200.0 255.255.254.0

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit icmp any any

access-list inside_access_out extended permit ip any any

access-list inside_access_out extended permit icmp any any

access-list inside_nat0_outbound_3 extended permit ip 192.168.200.0 255.255.254.0 Maryville-Network 255.255.255.0

access-list inside_nat0_outbound_3 extended permit ip object-group Inside-Networks 192.168.208.0 255.255.255.0

access-list inside_nat0_outbound_3 extended permit ip 192.168.208.0 255.255.255.0 object-group Inside-Networks

access-list inside_nat0_outbound_3 extended permit ip Maryville-Network 255.255.255.0 192.168.200.0 255.255.254.0

access-list outside_access_out extended permit ip XXX.XXX.XXX.128 255.255.255.240 any

access-list FG-Users_splitTunnelAcl_1 standard permit NHS 255.255.255.240

access-list FG-Users_splitTunnelAcl_1 standard permit 192.168.200.0 255.255.254.0

access-list FG-Users_splitTunnelAcl_1 standard permit ADA-Network 255.255.255.0

access-list FG-Users_splitTunnelAcl_1 standard permit Maryville-Network 255.255.255.0

access-list FG-Users_splitTunnelAcl_1 standard permit Cameron-Network 255.255.255.0

access-list FG-Users_splitTunnelAcl_1 standard permit Colgan-Network 255.255.255.0

access-list FG-Users_splitTunnelAcl_1 standard permit FamilyPlanning-Network 255.255.255.0

access-list MaryvilleL2L standard permit Maryville-Network 255.255.255.0

access-list MaryvilleL2L standard permit 192.168.200.0 255.255.254.0

access-list outside_cryptomap extended permit ip 192.168.200.0 255.255.254.0 Maryville-Network 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

ip local pool new-vpn 192.168.208.1-192.168.208.254 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

icmp permit any inside

asdm image disk0:/asdm-643.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

global (inside) 101 interface

nat (inside) 0 access-list inside_nat0_outbound_3

nat (inside) 0 access-list inside_nat0_outbound outside

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) WAN-131 Barracuda netmask 255.255.255.255

static (inside,outside) WAN-132 Citrix-New netmask 255.255.255.255

static (inside,outside) WAN-133 Exchange netmask 255.255.255.255

static (inside,outside) WAN-135 Video-2 netmask 255.255.255.255

static (inside,outside) WAN-136 Video-3 netmask 255.255.255.255

static (inside,outside) WAN-134 Video-1 netmask 255.255.255.255

access-group outside_access_in in interface outside

access-group outside_access_out out interface outside

access-group inside_access_in in interface inside

access-group inside_access_out out interface inside

route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.129 1

route inside Triggerfish 255.255.255.0 Default-LAN-Gateway 1

route inside NHS 255.255.255.240 Default-LAN-Gateway 1

route inside ADA-Network 255.255.255.0 Default-LAN-Gateway 1

route inside Colgan-Network 255.255.255.0 Default-LAN-Gateway 1

route inside FamilyPlanning-Network 255.255.255.0 Default-LAN-Gateway 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 inside

http redirect inside 80

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set peer XXX.XXX.XXX.117

crypto map outside_map 1 set transform-set ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=asa5510

proxy-ldc-issuer

crl configure

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption des

hash md5

group 2

lifetime 28800

crypto isakmp policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 140

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

vpn-addr-assign local reuse-delay 60

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

console timeout 0

dhcprelay timeout 60

!

phone-proxy asdm_phone_proxy

tftp-server address 192.168.201.11 interface inside

tftp-server address 192.168.201.10 interface inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server Default-LAN-Gateway source inside prefer

webvpn

svc image disk0:/anyconnect-wince-ARMv4I-2.5.3055-k9.pkg 1 regex "Windows CE"

svc image disk0:/anyconnect-linux-2.5.3055-k9.pkg 2 regex "Linux"

svc image disk0:/anyconnect-macosx-i386-2.5.3055-k9.pkg 3 regex "Intel Mac OS X"

svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 4 regex "Windows NT"

group-policy FG-Users internal

group-policy FG-Users attributes

dns-server value 192.168.200.1 192.168.200.2

vpn-simultaneous-logins 100

vpn-idle-timeout none

vpn-session-timeout none

vpn-tunnel-protocol IPSec

password-storage enable

pfs disable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value FG-Users_splitTunnelAcl_1

default-domain value ntfamily.com

group-policy GroupPolicy1 internal

group-policy GroupPolicy1 attributes

vpn-idle-timeout 30

vpn-filter value MaryvilleL2L

vpn-tunnel-protocol IPSec

vpn-simultaneous-logins 100

tunnel-group FG-Users type remote-access

tunnel-group FG-Users general-attributes

address-pool new-vpn

default-group-policy FG-Users

tunnel-group FG-Users ipsec-attributes

pre-shared-key *****

peer-id-validate nocheck

tunnel-group XXX.XXX.XXX.117 type ipsec-l2l

tunnel-group XXX.XXX.XXX.117 general-attributes

default-group-policy GroupPolicy1

tunnel-group XXX.XXX.XXX.117 ipsec-attributes

pre-shared-key *****

peer-id-validate nocheck

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:ffceb52a2d0e934c992a16664f99cb87

: end

New Member

ASA 5510 Implicit Deny Access Rule Blocking Site-to-Site VPN Tra

Can anyone out there help me with this?  I'm still having the same issue.

Hall of Fame Super Silver

ASA 5510 Implicit Deny Access Rule Blocking Site-to-Site VPN Tra

Is the source that is being blocked included in either the "access-list inside_nat0_outbound_3" or "access-list inside_nat0_outbound" NAT exemption?

4568
Views
0
Helpful
5
Replies
CreatePlease to create content