Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

client do not hit crypto ACL

i want to configure site to site vpn

i had defined nat-t acl and crypto acl at ASA1 like this:

access-list nonat extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list nonat extended permit ip 10.10.10.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list cry_acl extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list cry_acl extended permit ip 10.10.10.0 255.255.255.0 172.16.1.0 255.255.255.0

when i test the vpn connectivity, i find 10.10.10.0/24 can ping 192.168.1.0/24,but 10.10.10.0/24 cannot ping 172.16.1.0/24.

i use "show access-list cry_acl" it display

{

access-list cry_acl line 1 extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=8) 0xa00e960c

access-list cry_acl line 2 extended permit ip 10.10.10.0 255.255.255.0 172.16.1.0 255.255.255.0 (hitcnt=0) 0xf0bdc906

}

i use " tracert 172.16.1.1" at pc:10.10.10.2,it pass through to asa.

the asa version:7.2

why???

the top:

192.168.1.0/24 and 172.16.1.0/24 ---asa----wan--F5--asa---10.10.10.0/24

6 REPLIES
Super Bronze

client do not hit crypto ACL

Hi,

Try the "packet-tracer" command on the CLI and copy that output here

The command format is the following

packet-tracer input >

So use the inside port on the ASA as the input interface and try for example some tcp connection with the above command. The output should tells us something alteast.

packet-tracer command should be available in software 7.2

- Jouni

New Member

client do not hit crypto ACL

# packet-tracer input inside icmp 10.10.10.100 0 0 192.168.1.110 detailed

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x443ad38, priority=0, domain=permit-ip-option, deny=true

        hits=25604, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 4

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect icmp

service-policy global_policy global

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x4408e90, priority=70, domain=inspect-icmp, deny=false

        hits=77, user_data=0x4408960, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x443cc38, priority=66, domain=inspect-icmp-error, deny=false

        hits=85, user_data=0x443cb68, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 6

Type: NAT-EXEMPT

Subtype:

Result: ALLOW

Config:

nat (inside) 0 access-list nonat

  match ip inside 10.10.10.0 255.255.255.0 outside 192.168.1.0 255.255.255.0

    NAT exempt

    translate_hits = 1, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x44ab350, priority=6, domain=nat-exempt, deny=false

        hits=0, user_data=0x44859a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip=10.10.10.0, mask=255.255.255.0, port=0

        dst ip=192.168.1.0, mask=255.255.255.0, port=0

Phase: 7

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 1 access-list nat

  match ip inside 10.10.10.0 255.255.255.0 outside 10.59.0.0 255.255.255.0

    dynamic translation to pool 1 (10.59.12.1 - 10.59.12.253)

    translate_hits = 384, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x44bcf88, priority=2, domain=host, deny=false

        hits=8135, user_data=0x44be758, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=10.10.10.0, mask=255.255.255.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 8

Type: VPN

Subtype: encrypt

Result: DROP

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0x41ba0d0, priority=70, domain=encrypt, deny=false

        hits=0, user_data=0x0, cs_id=0x4ae01c0, reverse, flags=0x0, protocol=0

        src ip=10.10.10.0, mask=255.255.255.0, port=0

        dst ip=192.168.1.0, mask=255.255.255.0, port=0

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

New Member

client do not hit crypto ACL

Can you share the configuration?

Ahmad

New Member

client do not hit crypto ACL

interface Ethernet0/0

nameif outside

security-level 0

ip address 172.20.1.1 255.255.255.0

!

interface Ethernet0/1

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

nameif inside

security-level 100

ip address 172.19.1.2 255.255.255.0

!

!

ftp mode passive

access-list nonat extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list nonat extended permit ip 10.10.10.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list cry_acl extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list cry_acl extended permit ip 10.10.10.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list nat extended permit ip 10.16.120.0 255.255.248.0 10.57.0.0 255.255.248.0

access-list nat extended permit ip 10.16.120.0 255.255.248.0 10.11.0.0 255.255.0.0

pager lines 24

logging enable

logging timestamp

logging buffered errors

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

no failover

icmp permit any echo outside

icmp permit any echo-reply outside

icmp permit any echo inside

icmp permit any echo-reply inside

asdm image disk0:/asdm-508.bin

no asdm history enable

arp timeout 14400

global (outside) 1 10.59.12.1-10.59.12.253

global (outside) 1 10.59.12.254

nat (inside) 0 access-list nonat

nat (inside) 1 access-list nat

static (inside,outside) 10.59.12.1 10.16.120.36 netmask 255.255.255.255

route outside 0.0.0.0 0.0.0.0 172.20.1.2 1

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 13 match address cry_acl

crypto map outside_map 13 set peer 212.x.16.7x

crypto map outside_map 13 set transform-set myset

crypto map outside_map 13 set security-association lifetime seconds 28800

crypto map outside_map 13 set security-association lifetime kilobytes 4608000

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

tunnel-group 212.x.16.7x type ipsec-l2l

tunnel-group 212.x.16.7x ipsec-attributes

pre-shared-key *

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 30

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 30

ssh version 2

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd lease 3600

dhcpd ping_timeout 50

dhcpd enable management

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

  inspect dns maximum-length 512

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect icmp

!

service-policy global_policy global

Cryptochecksum:c9b2feb1a2c1a6f189b8b02b0bb485b3

: end

New Member

client do not hit crypto ACL

Hello Yuliang,

The configuration looks fine, please double check the other peer's configuration, if have the correct [nonat + Crypto ACL for

172.16.1.0], then please reset the Crypto by doing the following:

no crypto map outside_map interface outside

crypto map outside_map interface outside

Please let me know how things go, if you can, also please share the other peers configuration.

Ahmad

Bronze

client do not hit crypto ACL

I would suggest enablng the following debug:

debug crypto isakmp 254

then running the same packet-tracer command and posting the debugs here

605
Views
5
Helpful
6
Replies
CreatePlease login to create content