Unable to Ping Hosts Through IPSec Tunnel

cfinotti22
Level 1

I have a home lab setup with a PIX 515 running 8.03 code. I have made several changes over the past week, and now when I terminate a VPN connection to the outside interface I am unable to hit any internal resources. My VPN connection is coming from 10.22.254.0/24 trying to hit internal nodes at 10.22.1.0/24, see below. When I terminate a VPN connection against the inside interface it works, so I take it I'm dealing with a NAT issue? I don't have a clue why Phase 9 is failing :-\ Any help would be great!

-------
access-list nonat extended permit ip 10.22.254.0 255.255.255.0 10.22.1.0 255.255.255.0
nat (inside) 0 access-list nonat
-------
global (outside) 1 interface
-------
access-list split extended permit ip 10.22.1.0 255.255.255.0 10.22.254.0 255.255.255.0
-------

packet-tracer input inside tcp 10.22.1.15 1025 10.22.254.15 3389 detailed

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x2bb3450, priority=0, domain=permit-ip-option, deny=true
        hits=17005, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x304ae48, priority=12, domain=ipsec-tunnel-flow, deny=true
        hits=17005, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat (inside) 0 access-list nonat
nat-control
  match ip inside 10.22.1.0 255.255.255.0 outside 10.22.254.0 255.255.255.0
    NAT exempt
    translate_hits = 6, untranslate_hits = 5
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x2be2a00, priority=6, domain=nat-exempt, deny=false
        hits=5, user_data=0x2be2960, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=10.22.1.0, mask=255.255.255.0, port=0
        dst ip=10.22.254.0, mask=255.255.255.0, port=0

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,DMZ) 10.22.1.0 10.22.1.0 netmask 255.255.255.0
nat-control
  match ip inside 10.22.1.0 255.255.255.0 DMZ any
    static translation to 10.22.1.0
    translate_hits = 10, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x2d52800, priority=5, domain=host, deny=false
        hits=21654, user_data=0x2d51dc8, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.22.1.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
  match ip inside any outside any
    dynamic translation to pool 1 (192.168.20.20 [Interface PAT])
    translate_hits = 2909, untranslate_hits = 9
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x2d4a7d0, priority=1, domain=nat, deny=false
        hits=16973, user_data=0x2d4a730, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x3328000, priority=70, domain=encrypt, deny=false
        hits=0, user_data=0x1efa0cc, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.22.1.0, mask=255.255.255.0, port=0
        dst ip=10.0.0.0, mask=255.0.0.0, port=0

Phase: 9
Type: ACCESS-LIST
Subtype: ipsec-user
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x3329a48, priority=69, domain=ipsec-user, deny=true
        hits=37, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.0.0.0, mask=255.0.0.0, port=0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


What other troubleshooting steps can I perform? What should I rule out? I'm leaning towards a NAT issue. I did some testing on the inside interface of my PIX; when I removed the NAT exempt policy on the interface with traffic sourcing from 10.22.254.0/24, I received the same deny message below that I was receiving on the outside interface. This data leads me to believe this is a NAT issue, thoughts? How do you truly troubleshoot a NAT issue?

Jul 27 2010  18:58:07  106014 Deny inbound icmp src inside:10.22.254.50 dst outside:10.22.1.15 (type 8, code 0)

I am still kind of leaning towards the VPN filter because I have seen the Phase 9 drop for VPN filters before. Can you post the output of show run all group-policy? That will have all the settings in the default and other group policies, which I would like to see. It is not present in the show run command which you had posted.

I agree that this is probably a filter issue. If you have 'sysopt connection permit-vpn' configured, then your IPSec traffic is ignored by interface ACLs. That leaves the VPN filter ACL as the only ACL in place that can see and drop your traffic. I would look there next as well. Please post the 'sh run all group-policy' as requested by rahgovin.

I have tried lo-vpn and DfltGrpPolicy with no luck.

# sh run all group-policy
group-policy test-vpn internal
group-policy test-vpn attributes
dns-server value  4.2.2.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value test-vpn_splitTunnelAcl
group-policy ASA5505-S2S internal
group-policy ASA5505-S2S attributes
vpn-filter value ASA5505-VPN-Filter
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ASA5505-S2S
nem enable
group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
ipv6-vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
msie-proxy pac-url none
vlan none
nac-settings none
address-pools none
ipv6-address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
group-policy lo-vpn internal
group-policy lo-vpn attributes
dns-server value  4.2.2.2
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
group-policy group-policy-default internal
group-policy group-policy-default attributes
banner value Welcome to test.com
dns-server value  4.2.2.2
vpn-idle-timeout none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
re-xauth disable
pfs disable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value internal.test.com

What else can I do?

Can you post the output for the sh vpn-sessiondb remote (just the one having your user entry) when you are connected through the vpn client?

Also a show asp table classify domain ipsec-user output if possible

Username        : test                   Index        : 1794
Assigned IP     : 10.22.254.51           Public IP    : 66.*.*.*
Protocol        : IKE IPsecOverNatT
License         : IPsec
Encryption      : 3DES                   Hashing      : MD5 SHA1
Bytes Tx        : 0                      Bytes Rx     : 0
Group Policy    : group-policy-default   Tunnel Group : vpnclient
Login Time      : 06:12:51 UTC Thu Jul 29 2010
Duration        : 0h:00m:45s
NAC Result      : Unknown
VLAN Mapping    : N/A                    VLAN         : none


# show asp table classify domain ipsec-user

Interface DMZ:

Interface inside:

Interface outside:
in  id=0x3402bf8, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=10.22.1.15, mask=255.255.255.255, port=0
in  id=0x2d47fb8, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=10.38.1.0, mask=255.255.255.0, port=0
in  id=0x33c7700, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=192.168.5.0, mask=255.255.255.0, port=0
in  id=0x3354cc8, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=10.22.254.0, mask=255.255.255.0, port=0
in  id=0x2d40888, priority=70, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=10.22.1.20, mask=255.255.255.255, port=0
in  id=0x343d1e0, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=10.22.1.15, mask=255.255.255.255, port=0
in  id=0x32cd460, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=10.38.1.0, mask=255.255.255.0, port=0
in  id=0x34a45b0, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=192.168.5.0, mask=255.255.255.0, port=0
in  id=0x3425928, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=10.22.254.0, mask=255.255.255.0, port=0
in  id=0x33b24c0, priority=70, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=10.22.1.20, mask=255.255.255.255, port=0
in  id=0x33749e8, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=10.22.1.15, mask=255.255.255.255, port=0
in  id=0x3339ab0, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=10.38.1.0, mask=255.255.255.0, port=0
in  id=0x332ebc0, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=192.168.5.0, mask=255.255.255.0, port=0
in  id=0x2fc1630, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=10.22.254.0, mask=255.255.255.0, port=0
in  id=0x3374be0, priority=70, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=10.22.1.20, mask=255.255.255.255, port=0
in  id=0x344e5f8, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=10.22.1.15, mask=255.255.255.255, port=0
in  id=0x33df148, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=10.38.1.0, mask=255.255.255.0, port=0
in  id=0x33715a8, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=192.168.5.0, mask=255.255.255.0, port=0
in  id=0x2bdc9a8, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=10.22.254.0, mask=255.255.255.0, port=0
in  id=0x333a918, priority=70, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=10.22.1.20, mask=255.255.255.255, port=0
in  id=0x3317380, priority=69, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
in  id=0x34ad298, priority=69, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
in  id=0x33dee80, priority=69, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
in  id=0x332e7c8, priority=69, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
in  id=0x2faf340, priority=69, domain=ipsec-user, deny=true
        hits=6, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.0.0.0, mask=255.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
in  id=0x33c2d90, priority=69, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.0.0.0, mask=255.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
in  id=0x3370b48, priority=69, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.0.0.0, mask=255.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
in  id=0x3336678, priority=69, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.0.0.0, mask=255.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
out id=0x2fab9f0, priority=70, domain=ipsec-user, deny=false
        hits=187, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.22.1.15, mask=255.255.255.255, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x333e698, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.38.1.0, mask=255.255.255.0, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x34251a8, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.5.0, mask=255.255.255.0, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x3410bd8, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.22.254.0, mask=255.255.255.0, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x2fc33a8, priority=70, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.22.1.20, mask=255.255.255.255, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x3440528, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.22.1.15, mask=255.255.255.255, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x3444690, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.38.1.0, mask=255.255.255.0, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x3347730, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.5.0, mask=255.255.255.0, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x331abd8, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.22.254.0, mask=255.255.255.0, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x333a270, priority=70, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.22.1.20, mask=255.255.255.255, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x304f948, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.22.1.15, mask=255.255.255.255, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x331ec18, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.38.1.0, mask=255.255.255.0, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x2f92f40, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.5.0, mask=255.255.255.0, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x331d740, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.22.254.0, mask=255.255.255.0, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x2fcc340, priority=70, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.22.1.20, mask=255.255.255.255, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x34ad318, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.22.1.15, mask=255.255.255.255, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x334f8a0, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.38.1.0, mask=255.255.255.0, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x332f200, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.5.0, mask=255.255.255.0, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x3391be8, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.22.254.0, mask=255.255.255.0, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x33670e8, priority=70, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.22.1.20, mask=255.255.255.255, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x2fd1590, priority=69, domain=ipsec-user, deny=true
        hits=10, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x3404530, priority=69, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x2bd17e8, priority=69, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x330aed8, priority=69, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x3228e48, priority=69, domain=ipsec-user, deny=true
        hits=33, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.0.0.0, mask=255.0.0.0, port=0
out id=0x2f84160, priority=69, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.0.0.0, mask=255.0.0.0, port=0
out id=0x33c9658, priority=69, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.0.0.0, mask=255.0.0.0, port=0
out id=0x344db30, priority=69, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.0.0.0, mask=255.0.0.0, port=0

I'm transmitting packets TX but the return packets RX never make it back, see attached screen shot of the client.
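The Phase 9 drop in the packet-tracer output and the ipsec-user table above are two views of the same lookup: the vpn-filter's permit entries sit at priority 70 and the catch-all deny entries at priority 69, and a packet is handed to the highest-priority rule whose src/dst ranges contain it. The following script is an added example for this thread, not Cisco tooling or code from any of the posts. It parses the 'show asp table classify' rule format and answers "which rule wins, and does it deny?" for a given direction and address pair, which is quicker than reading a few hundred lines of table by eye. SAMPLE is a constructed excerpt in the same format using the thread's addressing; the priority-ordering model is stated in the docstring as the assumption the example encodes.

```python
"""Offline lookup against 'show asp table classify domain ipsec-user' output.

Added example for this thread; it is not Cisco tooling or code from the
original posts. It parses the rule dump format shown above and, for a given
direction and src/dst pair, reports the rule the classifier would pick under
the model assumed here: among the rules whose src/dst ranges contain the
packet, the highest priority wins, ties going to table order. SAMPLE is a
constructed excerpt in the same format, with the priority-69 deny entries
that sit behind a vpn-filter's priority-70 permits.
"""
import ipaddress
import re
from dataclasses import dataclass

SAMPLE = """\
Interface outside:
in  id=0x3402bf8, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=10.22.1.15, mask=255.255.255.255, port=0
in  id=0x2faf340, priority=69, domain=ipsec-user, deny=true
        hits=6, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.0.0.0, mask=255.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
out id=0x2fab9f0, priority=70, domain=ipsec-user, deny=false
        hits=187, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.22.1.15, mask=255.255.255.255, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x3228e48, priority=69, domain=ipsec-user, deny=true
        hits=33, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.0.0.0, mask=255.0.0.0, port=0
"""


@dataclass
class Rule:
    direction: str          # "in" or "out"
    rule_id: str            # the id=0x... handle that packet-tracer reports
    priority: int
    deny: bool
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


HEAD = re.compile(
    r"^(in|out)\s+id=(0x[0-9a-f]+),\s+priority=(\d+),\s+domain=\S+,\s+deny=(true|false)"
)
ADDR = re.compile(r"^\s*(src|dst) ip=([\d.]+), mask=([\d.]+)")


def parse_rules(text):
    """Turn the rule dump into Rule objects, preserving table order."""
    rules, cur = [], None
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            cur = {"direction": m.group(1), "rule_id": m.group(2),
                   "priority": int(m.group(3)), "deny": m.group(4) == "true"}
            continue
        m = ADDR.match(line)
        if m and cur is not None:
            cur[m.group(1)] = ipaddress.IPv4Network((m.group(2), m.group(3)), strict=False)
            if "src" in cur and "dst" in cur:
                rules.append(Rule(**cur))
                cur = None
    return rules


def classify(rules, direction, src_ip, dst_ip):
    """Return the winning Rule for a packet, or None if nothing matches."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    hits = [r for r in rules
            if r.direction == direction and src in r.src and dst in r.dst]
    if not hits:
        return None
    return max(hits, key=lambda r: r.priority)  # max() keeps the first of equal priorities


def verdict(rules, direction, src_ip, dst_ip):
    """('permit' | 'drop' | 'no-match', rule id) for quick reading."""
    r = classify(rules, direction, src_ip, dst_ip)
    if r is None:
        return ("no-match", None)
    return ("drop" if r.deny else "permit", r.rule_id)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE)
    # The thread's packet-tracer flow: inside host to the VPN pool, outbound.
    print(verdict(rules, "out", "10.22.1.15", "10.22.254.15"))   # ('drop', '0x3228e48')
    # A flow the vpn-filter does permit.
    print(verdict(rules, "out", "10.22.1.15", "192.168.168.5"))  # ('permit', '0x2fab9f0')
```

Paste the real 'show asp table classify domain ipsec-user' output in place of SAMPLE and query the exact src/dst pair from your packet-tracer run; if the winning rule's id matches the one in the Phase 9 "yields rule" line, you have located the ACE behind the drop.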

rahgovin
Level 4

Hey, just to confirm: your inside network is 10.22.1/24 and the pool is 10.22.254/24?

from what i see in the nonat access-list

access-list nonat extended permit ip 10.22.254.0 255.255.255.0 10.22.1.0 255.255.255.0

nat (inside) 0 access-list nonat

Please change the access-list to the following and test:
access-list nonat extended permit ip 10.22.1.0 255.255.255.0 10.22.254.0 255.255.255.0

Also, after the changes, are you getting the same packet-tracer output?

I have traffic natted in both directions?

# nat (inside) 0 access-list nonat

nat (inside) 0 access-list nonat

#sh access-list nonat | i 10.22.254
access-list nonat line 2 extended permit ip 10.22.1.0 255.255.255.0 10.22.254.0 255.255.255.0
access-list nonat line 8 extended permit ip 10.22.254.0 255.255.255.0 object-group DM_INLINE_NETWORK_18
access-list nonat line 8 extended permit ip 10.22.254.0 255.255.255.0 10.22.1.0 255.255.255.0

No, the nonat ACL only requires defining traffic from the internal network to the VPN pool. You should remove the other entries.

Remove:

access-list nonat line 8 extended permit ip 10.22.254.0 255.255.255.0 object-group DM_INLINE_NETWORK_18
access-list nonat line 8 extended permit ip 10.22.254.0 255.255.255.0 10.22.1.0 255.255.255.0

The following ACL has to be applied when terminating a VPN connection on the inside interface, because the traffic is traversing the inside interface.  Does this make sense?
access-list nonat extended permit ip 10.22.254.0 255.255.255.0 10.22.1.0 255.255.255.0


The following ACL fixed my issue, but I had to completely remove all nonat entries and start from scratch to see what the issue was.
access-list nonat extended permit ip 10.22.1.0 255.255.255.0 10.22.254.0 255.255.255.0

In short, removing all nonat entries and then adding them back one by one gave me the ability to find out what the exact issue was. The post above did fix my issue!! Thanks everyone!

# sh run | i nonat
access-list nonat extended permit ip 10.22.1.0 255.255.255.0 10.22.254.0 255.255.255.0
access-list nonat extended permit ip 10.22.1.0 255.255.255.0 192.168.168.0 255.255.255.0
access-list nonat extended permit ip 10.22.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip 10.22.254.0 255.255.255.0 10.22.1.0 255.255.255.0

access-list nonat-dmz extended permit ip 192.168.5.0 255.255.255.0 192.168.168.0 255.255.255.0
access-list nonat-dmz extended permit ip 192.168.5.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat-dmz extended permit ip 192.168.5.0 255.255.255.0 10.22.254.0 255.255.255.0

nat (inside) 0 access-list nonat
nat (DMZ) 0 access-list nonat-dmz
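The fix in this thread comes down to direction: with 'nat (inside) 0 access-list nonat', the ACE source is the real address behind the inside interface and the ACE destination is the remote side, and the same ACE covers the return direction (the untranslate_hits counter in packet-tracer), so an ACE written pool -> inside never matches an inside <-> pool flow. The script below is an added example written for this thread, not code from the posts or from Cisco. It parses plain 'permit ip' ACEs in the pre-8.3 syntax used here, evaluates whether a flow is exempted under that direction model (stated as an assumption in the docstring), and lints a nonat ACL for ACEs whose source is not a network behind the interface the ACL is bound to, which is exactly the reversed entry that had to be removed. CONFIG, BINDINGS and LOCAL_NETS are constructed from the thread's addressing; object-group ACEs are out of scope.

```python
"""Direction check for a pre-8.3 PIX/ASA 'nat (ifc) 0 access-list' exemption.

Added example written for this thread; not code from the original posts or
from Cisco. Assumed model: the ACL bound with 'nat (IFC) 0 access-list NAME'
is evaluated with the ACE source taken as the real address behind IFC and
the ACE destination as the remote side, for both directions of the flow
(return traffic is the 'untranslate' direction in packet-tracer). An ACE
written pool -> inside therefore never matches an inside <-> pool flow.
CONFIG, BINDINGS and LOCAL_NETS are constructed from the thread's addressing.
"""
import ipaddress
import re

ACE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>[\d.]+)\s+(?P<smask>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dmask>[\d.]+)\s*$"
)

CONFIG = """\
access-list nonat extended permit ip 10.22.254.0 255.255.255.0 10.22.1.0 255.255.255.0
access-list nonat extended permit ip 10.22.1.0 255.255.255.0 10.22.254.0 255.255.255.0
access-list nonat-dmz extended permit ip 192.168.5.0 255.255.255.0 10.22.254.0 255.255.255.0
"""
BINDINGS = {"inside": "nonat", "DMZ": "nonat-dmz"}          # nat (IFC) 0 access-list NAME
LOCAL_NETS = {"inside": ["10.22.1.0/24"], "DMZ": ["192.168.5.0/24"]}  # networks behind each IFC


def parse_nonat(text):
    """{acl_name: [(src_net, dst_net), ...]} in configured order (plain 'permit ip' ACEs only)."""
    acls = {}
    for line in text.splitlines():
        m = ACE.match(line.strip())
        if not m:
            continue  # object-group or non-ip ACEs are out of scope for this example
        src = ipaddress.IPv4Network((m["src"], m["smask"]), strict=False)
        dst = ipaddress.IPv4Network((m["dst"], m["dmask"]), strict=False)
        acls.setdefault(m["name"], []).append((src, dst))
    return acls


def nat_exempt(acls, bindings, real_ifc, real_ip, remote_ip):
    """Line number of the ACE exempting real_ip (behind real_ifc) <-> remote_ip, else None."""
    name = bindings.get(real_ifc)
    if name is None:
        return None
    real, remote = ipaddress.IPv4Address(real_ip), ipaddress.IPv4Address(remote_ip)
    for lineno, (src, dst) in enumerate(acls.get(name, []), start=1):
        if real in src and remote in dst:  # ACE source is always the real, local side
            return lineno
    return None


def lint_nonat(acls, bindings, local_nets):
    """Flag ACEs whose source is not a network behind the interface the ACL is bound to."""
    findings = []
    for ifc, name in bindings.items():
        behind = [ipaddress.IPv4Network(n) for n in local_nets.get(ifc, [])]
        for lineno, (src, _dst) in enumerate(acls.get(name, []), start=1):
            if not any(src.subnet_of(b) for b in behind):
                findings.append((name, lineno, f"source {src} is not behind {ifc}; reversed ACE?"))
    return findings


if __name__ == "__main__":
    acls = parse_nonat(CONFIG)
    # Inside host to VPN client: only the inside -> pool ACE (line 2) exempts it.
    print(nat_exempt(acls, BINDINGS, "inside", "10.22.1.15", "10.22.254.15"))  # 2
    # With only the reversed ACE present nothing exempts the flow, and the
    # dynamic nat (inside) 1 rule seen in the packet-tracer output would apply.
    only_reversed = parse_nonat(CONFIG.splitlines()[0])
    print(nat_exempt(only_reversed, BINDINGS, "inside", "10.22.1.15", "10.22.254.15"))  # None
    for finding in lint_nonat(acls, BINDINGS, LOCAL_NETS):
        print(finding)  # ('nonat', 1, 'source 10.22.254.0/24 is not behind inside; reversed ACE?')
```

Feed it 'sh run | i nonat' plus your nat 0 bindings and the networks behind each interface; any finding from lint_nonat is an ACE that can never exempt anything on that interface and is a candidate for removal, as happened here.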

Oh great :-) It was the NAT exemption after all.

Yes, it was a NAT exempt policy issue.  I went through and removed all of the NAT entries bound to the inside interface and recreated them one-by-one, which allowed me to narrow down the issue.  Thanks for all of your help!!
