Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA not passing inside traffic though vpn.. can you spot the problem?

                   I am about to pull my hair out. I have a 1841 router at one end with 3 ASA's for teleworkers working great. I'm connecting a 4th one that I can not get to work for the life of me. The tunnel is comming up, but its not passing any traffic. I don't see any glaring errors in the VPN debug. The router comes up, reverse route injection does its thing... all looks great. Am I totally overlooking somthing? I must have rebuilt this a dozen times.

: ASA Version 8.2(1)
!
hostname ciscoasa104
domain-name default.domain.invalid
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.104.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
! interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object 192.168.2.0 255.255.255.0
network-object 192.168.4.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.104.0 255.255.255.0

object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip 192.168.104.0 255.255.255.0
object-group DM_INLINE_NETWORK_1
access-list ACL_inbound extended permit icmp any any unreachable
access-list ACL_inbound extended permit icmp any any echo-reply
access-list ACL_inbound extended permit icmp any any time-exceeded
access-list ACL_inbound extended permit icmp any any source-quench
access-list ACL_inbound extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group ACL_inbound in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.104.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer xxx.xxx.xxx.xxx
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 192.168.104.5-192.168.104.36 inside
dhcpd auto_config outside vpnclient-wins-override interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
pre-shared-key
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global

Everyone's tags (1)
7 REPLIES
New Member

ASA not passing inside traffic though vpn.. can you spot the pro

Hello Neil,

I would say that the configuration looks fine! please do the following TShooting steps:

- Packet captures on the inside interface to make sure that traffic is reaching the Inside interface on its way to the remote subnet.

- Packet Tracer to see how packets behave.

Did you try to reboot?

Please check them and get back to us with the results.

AMatahen

New Member

ASA not passing inside traffic though vpn.. can you spot the pro

I did several packet traces, I did not find any that did not show that traffic was allowed. I won't be onsite to try the ASA for 3-4 days. I did reboot. I noticed the traffic counters did look like they where encoding/decoding packets. Yet nothing seemed to be working.

New Member

ASA not passing inside traffic though vpn.. can you spot the pro

Since it is showing that traffic encode/decode is increasing, I would say that you should check your traffic on the other peer, and check other peers traffic on your Firewall, since statistics are increasing, most probably the problem is not with your firewall.

AMatahen

ASA not passing inside traffic though vpn.. can you spot the pro

Hi Neil.

Please add these two routes on your ASA.

route outside 192.168.2.0 255.255.255.0 interface Vlan2
route outside 192.168.4.0 255.255.255.0 interface Vlan2

If that does not help, please post your router config as well.

thanks

New Member

ASA not passing inside traffic though vpn.. can you spot the pro

router config...

this one is messy. In a past life it was a P2P T1 and a did some NAT... I've not scrubbed all that config off. ACL #118 192.168.104.0/24 is the problem VPN. The others (101,102,103) all work fine.


!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip inspect max-incomplete high 900
ip inspect max-incomplete low 800
ip inspect one-minute high 900
ip inspect one-minute low 800
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW ntp
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW ftps
ip inspect name SDM_LOW tcp alert on audit-trail off
ip inspect name SDM_LOW udp alert on audit-trail off
!
!
ip ips sdf location flash://128MB.sdf
ip ips notify SDEE
no ip bootp server
ip name-server 205.160.192.2
ip name-server 192.168.2.5
!
!
!
crypto pki trustpoint TP-self-signed-1438219780
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1438219780
revocation-check none
rsakeypair TP-self-signed-1438219780
!
crypto pki trustpoint tti
revocation-check crl
rsakeypair tti
!
!
crypto pki certificate chain TP-self-signed-1438219780
certificate self-signed 01
  3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
 
crypto pki certificate chain tti

!
!
class-map match-all webqos
match access-group 110
class-map match-any voice-signaling
match ip dscp cs3
match ip dscp af31
match ip dscp af41
class-map match-all tcp_traffic
match access-group 110
class-map match-any voice
match ip dscp ef
match ip precedence 5
!
!
policy-map WebQOS
class tcp_traffic
   police 150000 280000
policy-map voice-qos
class voice
  priority percent 20
class voice-signaling
  bandwidth percent 5
class class-default
  fair-queue
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2

crypto isakmp key XXX address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac
crypto ipsec transform-set NRM esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA7 esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto ipsec profile nrm
set transform-set ESP-3DES-SHA6 ESP-3DES-SHA5 ESP-3DES-SHA
!
!
crypto dynamic-map SDM_DYNMAP_1 10
set transform-set ESP-3DES-SHA1
match address 112
reverse-route
crypto dynamic-map SDM_DYNMAP_1 11
set transform-set ESP-3DES-SHA
match address 114
reverse-route
crypto dynamic-map SDM_DYNMAP_1 12
set transform-set ESP-3DES-SHA1
match address 116
reverse-route
crypto dynamic-map SDM_DYNMAP_1 13
set transform-set ESP-3DES-SHA6
match address lancaster
reverse-route
crypto dynamic-map SDM_DYNMAP_1 14
set transform-set ESP-3DES-SHA7
match address 118
reverse-route
!
!
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description "Data Subnet"
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/0.1
description $FW_INSIDE$$ETH-LAN$
encapsulation dot1Q 1 native
ip address 192.168.2.1 255.255.255.0 secondary
ip address 192.168.2.200 255.255.255.0
ip access-group 104 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
no snmp trap link-status
!
interface FastEthernet0/0.2
description $ETH-LAN$$FW_INSIDE$
encapsulation dot1Q 2
ip address 192.168.4.1 255.255.255.0
ip access-group 105 in
ip helper-address 192.168.2.2
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
shutdown
no snmp trap link-status
!
interface FastEthernet0/1
description Internet$FW_OUTSIDE$$ETH-LAN$
ip address 10.1.10.185 255.255.255.0
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip inspect SDM_LOW in
ip inspect SDM_LOW out
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
crypto map SDM_CMAP_1
!
interface Serial0/0/0
description "$
ip address XXX 255.255.255.252
ip access-group 102 in
ip helper-address 192.168.2.2
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
ip route-cache flow
service-policy output voice-qos
!
router eigrp 90
network 192.168.2.0
network 192.168.4.0
no auto-summary
!
router rip
version 2
network 192.168.2.0
network 192.168.4.0
network 192.168.101.0
network 192.168.102.0
network 192.168.103.0
network 192.168.104.0
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.10.1
ip route 24.115.82.0 255.255.255.255 10.1.10.1
ip route 63.156.56.48 255.255.255.252 192.168.2.199
ip route 63.156.56.52 255.255.255.252 192.168.2.199
ip route 63.156.56.56 255.255.255.252 192.168.2.199
ip route 63.156.56.60 255.255.255.252 192.168.2.199
ip route 64.73.117.34 255.255.255.255 1.1.1.1
ip route 172.20.94.212 255.255.255.252 172.20.94.29
ip route 192.168.1.0 255.255.255.0 192.168.2.199
ip route 192.168.3.0 255.255.255.0 192.168.2.199
ip route 192.168.4.0 255.255.255.0 192.168.2.199
ip route 192.168.5.0 255.255.255.0 192.168.2.7
ip route 192.168.6.0 255.255.255.0 192.168.2.199
ip route 192.168.7.0 255.255.255.0 192.168.2.199
ip route 192.168.8.0 255.255.255.0 192.168.2.199
ip route 192.168.9.0 255.255.255.0 192.168.2.199
ip route 192.168.10.0 255.255.255.0 192.168.2.199
ip route 192.168.11.0 255.255.255.0 192.168.2.199
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet0/1 overload
!
ip access-list extended XXX
remark dot1to4
remark CCP_ACL Category=4
permit ip 192.168.2.0 0.0.0.255 192.168.230.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.6.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255
!
no logging trap
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 1 permit 192.168.200.0 0.0.0.3
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.4.0 0.0.0.255
access-list 2 permit 192.168.200.0 0.0.0.3
access-list 2 remark XX
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.3.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip any any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip 192.168.200.0 0.0.0.3 any
access-list 101 deny   ip 192.168.2.0 0.0.0.255 any
access-list 101 deny   ip XX 0.0.0.7 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny   ip 192.168.4.0 0.0.0.255 any
access-list 102 deny   ip 192.168.2.0 0.0.0.255 any
access-list 102 deny   ip XX 0.0.0.7 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1

access-list 103 deny   ip 192.168.200.0 0.0.0.3 any
access-list 103 deny   ip 192.168.4.0 0.0.0.255 any
access-list 103 deny   ip 192.168.2.0 0.0.0.255 any
access-list 103 permit udp any eq bootps any eq bootps

access-list 103 deny   ip 10.0.0.0 0.255.255.255 any

access-list 103 deny   ip 192.168.0.0 0.0.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip host 0.0.0.0 any
access-list 103 deny   ip any any log
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 permit udp any host 192.168.2.200 eq non500-isakmp
access-list 104 permit udp any host 192.168.2.200 eq isakmp
access-list 104 permit esp any host 192.168.2.200
access-list 104 permit ahp any host 192.168.2.200
access-list 104 permit gre any host 192.168.2.200
access-list 104 deny   ip 192.168.200.0 0.0.0.3 any
access-list 104 deny   ip 192.168.4.0 0.0.0.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 permit gre any host 192.168.2.200
access-list 105 permit ahp any host 192.168.2.200
access-list 105 permit esp any host 192.168.2.200
access-list 105 permit udp any host 192.168.2.200 eq isakmp
access-list 105 permit udp any host 192.168.2.200 eq non500-isakmp
access-list 105 deny   ip 192.168.200.0 0.0.0.3 any
access-list 105 deny   ip 192.168.2.0 0.0.0.255 any
access-list 105 deny   ip host 255.255.255.255 any
access-list 105 deny   ip 127.0.0.0 0.255.255.255 any
access-list 105 permit ip any any

access-list 106 remark search appliance
access-list 106 permit tcp any host XXX eq www
access-list 106 remark AS400 FTP
access-list 106 permit tcp any host XXX eq ftp
access-list 106 permit tcp any host XXX74 eq 1723
access-list 106 remark VPN Port
access-list 106 permit gre any host XXX74 log
access-list 106 permit udp any host XXX74 eq isakmp
access-list 106 permit tcp any host XXX74 eq 50
access-list 106 permit udp any host XXX74 eq non500-isakmp
access-list 106 permit tcp any host XXX74 eq 443
access-list 106 permit tcp any host XXX74 eq www
access-list 106 permit tcp any host XXX73 eq 443
access-list 106 permit tcp any host XXX73 eq www
access-list 106 permit tcp any host XXX73 eq smtp
access-list 106 permit udp host 205.160.192.2 eq domain host XXX74
access-list 106 deny   ip 192.168.200.0 0.0.0.3 any
access-list 106 deny   ip 192.168.4.0 0.0.0.255 any
access-list 106 deny   ip 192.168.2.0 0.0.0.255 any
access-list 106 permit udp any eq bootps any eq bootps
access-list 106 permit icmp any host XXX74 echo-reply
access-list 106 permit icmp any host XXX74 time-exceeded
access-list 106 permit icmp any host XXX74 unreachable
access-list 106 deny   ip 10.0.0.0 0.255.255.255 any
access-list 106 deny   ip 172.16.0.0 0.15.255.255 any
access-list 106 deny   ip 192.168.0.0 0.0.255.255 any
access-list 106 deny   ip 127.0.0.0 0.255.255.255 any
access-list 106 deny   ip host 255.255.255.255 any
access-list 106 deny   ip host 0.0.0.0 any
access-list 106 deny   ip any any log
access-list 106 remark auto generated by SDM firewall configuration
access-list 106 remark SDM_ACL Category=1
access-list 106 remark Keivn Warrenty
access-list 106 remark search appliance
access-list 106 remark AS400 FTP
access-list 106 remark VPN Port
access-list 106 remark auto generated by SDM firewall configuration
access-list 106 remark SDM_ACL Category=1
access-list 106 remark Keivn Warrenty
access-list 106 remark search appliance
access-list 106 remark AS400 FTP
access-list 106 remark VPN Port
access-list 106 remark auto generated by SDM firewall configuration
access-list 106 remark SDM_ACL Category=1
access-list 106 remark Keivn Warrenty
access-list 106 remark search appliance
access-list 106 remark AS400 FTP
access-list 106 remark VPN Port
access-list 107 remark auto generated by SDM firewall configuration
access-list 107 remark SDM_ACL Category=1
access-list 107 deny   ip 192.168.200.0 0.0.0.3 any
access-list 107 deny   ip 192.168.4.0 0.0.0.255 any
access-list 107 deny   ip XXX72 0.0.0.7 any
access-list 107 deny   ip host 255.255.255.255 any
access-list 107 deny   ip 127.0.0.0 0.255.255.255 any
access-list 107 permit ip any any
access-list 107 remark auto generated by SDM firewall configuration
access-list 107 remark SDM_ACL Category=1
access-list 107 remark auto generated by SDM firewall configuration
access-list 107 remark SDM_ACL Category=1
access-list 107 remark auto generated by SDM firewall configuration
access-list 107 remark SDM_ACL Category=1
access-list 109 remark SDM_ACL Category=2
access-list 109 remark IPSec Rule
access-list 109 deny   ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 109 remark IPSec Rule
access-list 109 deny   ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 109 remark IPSec Rule
access-list 109 remark IPSec Rule
access-list 109 deny   ip 10.1.10.0 0.0.0.255 host 174.59.111.20
access-list 109 remark IPSec Rule
access-list 109 deny   ip any any
access-list 109 remark IPSec Rule
access-list 109 deny   ip 192.168.2.0 0.0.0.255 host 192.168.2.120
access-list 109 remark IPSec Rule
access-list 109 deny   ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 109 remark IPSec Rule
access-list 109 deny   ip 192.168.10.0 0.0.0.255 10.1.10.0 0.0.0.255
access-list 109 permit ip 192.168.3.0 0.0.0.255 any

access-list 109 permit ip 192.168.1.0 0.0.0.255 any
access-list 109 permit ip 192.168.200.0 0.0.0.3 any
access-list 109 permit ip 192.168.4.0 0.0.0.255 any
access-list 109 permit ip 192.168.2.0 0.0.0.255 any
access-list 109 remark SDM_ACL Category=2
access-list 109 remark IPSec Rule
access-list 109 remark IPSec Rule
access-list 109 remark IPSec Rule
access-list 109 remark IPSec Rule
access-list 109 remark IPSec Rule
access-list 109 remark IPSec Rule
access-list 109 remark IPSec Rule
access-list 109 remark IPSec Rule

access-list 110 remark WebQOSacl
access-list 110 remark SDM_ACL Category=1
access-list 110 permit icmp any any
access-list 110 permit udp any any
access-list 110 permit tcp any any
access-list 110 permit ip any any
access-list 110 remark WebQOSacl
access-list 110 remark SDM_ACL Category=1
access-list 110 remark WebQOSacl
access-list 110 remark SDM_ACL Category=1
access-list 110 remark WebQOSacl
access-list 110 remark SDM_ACL Category=1
access-list 111 remark CCP_ACL Category=2
access-list 111 deny   ip 192.168.2.0 0.0.0.255 192.168.230.0 0.0.0.255
access-list 111 deny   ip 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 111 deny   ip 192.168.3.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 111 deny   ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 111 deny   ip 192.168.2.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 111 remark IPSec Rule
access-list 111 deny   ip 192.168.4.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 111 remark voice
access-list 111 deny   ip 192.168.4.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 111 deny   ip 192.168.2.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 111 remark IPSec Rule
access-list 111 deny   ip 192.168.4.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 111 remark IPSec Rule
access-list 111 deny   ip 192.168.2.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 111 remark IPSec Rule
access-list 111 deny   ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 111 remark IPSec Rule
access-list 111 deny   ip 192.168.4.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 111 remark IPSec Rule
access-list 111 deny   ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 111 remark IPSec Rule
access-list 111 deny   ip 10.1.10.0 0.0.0.255 host 174.59.111.20
access-list 111 remark IPSec Rule
access-list 111 permit ip 192.168.3.0 0.0.0.255 any

access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 permit ip 192.168.4.0 0.0.0.255 any
access-list 111 permit ip 192.168.2.0 0.0.0.255 any
access-list 111 deny   ip 192.168.2.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 111 deny   ip 192.168.4.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 112 remark SDM_ACL Category=4
access-list 112 remark IPSec Rule
access-list 112 permit ip 192.168.2.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 112 remark IPSec Rule
access-list 112 permit ip 192.168.4.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 114 remark CCP_ACL Category=4
access-list 114 remark IPSec Rule
access-list 114 permit ip 192.168.2.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 114 permit ip 192.168.4.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 116 remark NRM 101
access-list 116 remark CCP_ACL Category=4
access-list 116 permit ip 192.168.2.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 116 permit ip 192.168.4.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 118 remark 192.168.104.0
access-list 118 remark SDM_ACL Category=4
access-list 118 permit ip 192.168.2.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 118 permit ip 192.168.4.0 0.0.0.255 192.168.104.0 0.0.0.255

no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 109
!
route-map SDM_RMAP_2 permit 1
match ip address 111
!

!

ASA not passing inside traffic though vpn.. can you spot the pro

Hi Neil,

Here is the problem on your ACL "111" those highlighted lines must come before your permit entries.

So, please rearrange them and try.

access-list 111 permit ip 192.168.3.0 0.0.0.255 any

access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 permit ip 192.168.4.0 0.0.0.255 any
access-list 111 permit ip 192.168.2.0 0.0.0.255 any
access-list 111 deny   ip 192.168.2.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 111 deny   ip 192.168.4.0 0.0.0.255 192.168.104.0 0.0.0.255

Please update me.

thanks

Rizwan Rafeek.

ASA not passing inside traffic though vpn.. can you spot the pro

Please rate, helpful post.

thanks

1166
Views
10
Helpful
7
Replies
CreatePlease login to create content