ASA-5505: VPN packets not forwarding to second outside interface

jimbobmcgee
I have an ASA-5505 which I recently factory reset.  I intend to use it as my office's internet-facing firewall and VPN device, as part of a shift to a new ISP.  I am trying to do two non-standard (i.e. things I am not used to doing) things with the new device, that I understand should be possible:

1. I want to use a third Vlan (DMZ interface) to connect to the old ISP (not for failover), so I can run the existing VPNs and transition them to the new interface, over time.

2. I want to hairpin/NAT the old, non-RFC1918 LAN range on the inside interface (192.14.14.0/24) to a new subnet (172.16.0.0/24), so I can finally be rid of the non-standard IP range, but allow me to migrate client settings that I may have missed during the transition period.

At the moment, I can only use the packet-trace CLI command to test the various rules, before I can move into physical testing.

Access to external addresses appears to flow correctly, as does the hairpinning, but the packet-trace shows a drop for the traffic that matches the VPN range.

Redacted config, version info and packet trace results are attached.  The questions are:

1. Can anyone see why the VPN traffic is shown as dropped in the packet-trace from 172.16.1.100 to 192.15.15.20 -- is it just because the VPN tunnel is not up, and is reaching "VPN" in the packet-trace as close as I can get until it is physically cabled?

2. Once the tunnel is working, is it possible to allow end-users in the 192.15.15.0/24 range to talk to 192.14.14.0/24 and be translated to 172.16.0.0/24, as per the hairpinning (I have tried a static (inside,outside_old)... rule but the packet-trace shows it as dropped -- I assume packet-trace cannot emulate traffic from the VPN)?

Thanks in advance...

J.
ciscoasa(config)# sh ver

Cisco Adaptive Security Appliance Software Version 8.2(2) 
Device Manager Version 6.2(5)53

Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 24 mins 53 secs

Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00 
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
 0: Int: Internal-Data0/0    : address is 001e.7aac.3ca3, irq 11
 1: Ext: Ethernet0/0         : address is 001e.7aac.3c9b, irq 255
 2: Ext: Ethernet0/1         : address is 001e.7aac.3c9c, irq 255
 3: Ext: Ethernet0/2         : address is 001e.7aac.3c9d, irq 255
 4: Ext: Ethernet0/3         : address is 001e.7aac.3c9e, irq 255
 5: Ext: Ethernet0/4         : address is 001e.7aac.3c9f, irq 255
 6: Ext: Ethernet0/5         : address is 001e.7aac.3ca0, irq 255
 7: Ext: Ethernet0/6         : address is 001e.7aac.3ca1, irq 255
 8: Ext: Ethernet0/7         : address is 001e.7aac.3ca2, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces    : 8         
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : Unlimited 
Failover                       : Disabled
VPN-DES                        : Enabled   
VPN-3DES-AES                   : Enabled   
SSL VPN Peers                  : 2         
Total VPN Peers                : 10        
Dual ISPs                      : Disabled  
VLAN Trunk Ports               : 0         
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled  
AnyConnect for Cisco VPN Phone : Disabled  
AnyConnect Essentials          : Disabled  
Advanced Endpoint Assessment   : Disabled  
UC Phone Proxy Sessions        : 2         
Total UC Proxy Sessions        : 2         
Botnet Traffic Filter          : Disabled  

This platform has a Base license.

Serial Number: JMX1151Z0M2
Running Activation Key: 0xcb3a555b 0x00a9f0ce 0xfc53cd14 0xa52820cc 0x492b92b3 
Configuration register is 0x1
Configuration last modified by enable_15 at 18:49:48.849 UTC Tue Jul 6 2010


ciscoasa(config)# sh run

: Saved
:
ASA Version 8.2(2) 
!
terminal width 120
hostname ciscoasa
enable password T6L9kwXy8yD66Ci8 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.0.10 255.255.252.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 213.x.x.8 255.255.255.0 
!
interface Vlan3
 no forward interface Vlan2
 nameif outside_old             
 security-level 0
 ip address 62.x.x.159 255.255.255.128 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 description RESERVED
 shutdown
!
interface Ethernet0/3
 description RESERVED
 shutdown
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6     
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
same-security-traffic permit intra-interface
access-list N0_INSIDE remark Entries in this list will be exempt from NAT
access-list N0_INSIDE extended permit ip 172.16.0.0 255.255.252.0 192.15.15.0 255.255.255.0 
access-list AG_OUTSIDE_IN remark Traffic allowed into the outside interface
access-list AG_OUTSIDE_IN extended permit icmp any any 
access-list AG_INSIDE_IN remark Traffic allowed into the inside interface
access-list AG_INSIDE_IN extended permit tcp any host 192.14.14.20 eq smtp 
access-list AG_INSIDE_IN extended permit tcp any host 80.x.x.52 eq smtp 
access-list AG_INSIDE_IN extended deny tcp any any eq smtp 
access-list AG_INSIDE_IN extended permit ip any any 
access-list AG_OUTOLD_IN remark Traffic allowed into the outside_old interface
access-list AG_OUTOLD_IN extended permit icmp any any 
access-list VPN_GATESHEAD remark VPN traffic to/from Gateshead office
access-list VPN_GATESHEAD extended permit ip 172.16.0.0 255.255.252.0 192.15.15.0 255.255.255.0 
pager lines 22
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu outside_old 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (inside) 10 interface
global (outside) 10 interface
global (outside_old) 10 interface
nat (inside) 0 access-list N0_INSIDE
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,inside) 192.14.14.0 172.16.0.0 netmask 255.255.255.0 
static (inside,outside_old) 192.14.14.0 172.16.0.0 netmask 255.255.255.0 
access-group AG_INSIDE_IN in interface inside
access-group AG_OUTSIDE_IN in interface outside
access-group AG_OUTOLD_IN in interface outside_old
route outside 0.0.0.0 0.0.0.0 213.x.x.1 1
route outside_old 192.15.15.0 255.255.255.0 62.x.x.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.0.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map CM_OUTOLD 10 match address VPN_GATESHEAD
crypto map CM_OUTOLD 10 set pfs 
crypto map CM_OUTOLD 10 set peer 82.x.x.219 
crypto map CM_OUTOLD 10 set transform-set ESP-AES256-MD5
crypto map CM_OUTOLD 10 set security-association lifetime seconds 3600
crypto map CM_OUTOLD interface outside_old
crypto isakmp identity address 
crypto isakmp enable outside_old
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 5
 lifetime 28800
crypto isakmp ipsec-over-tcp port 10000 
telnet 172.16.0.0 255.255.252.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 120 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 120 retry 2
tunnel-group 82.163.120.219 type ipsec-l2l
tunnel-group 82.163.120.219 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:cf43aed8a7a87ca9205c2faffb0567c1
: end


ciscoasa(config)# packet-trace in inside tcp 172.16.1.100 43563 1.2.3.4 www det

Phase: 1
Type: FLOW-LOOKUP
Subtype: 
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group AG_INSIDE_IN in interface inside
access-list AG_INSIDE_IN extended permit ip any any 
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd81ee740, priority=12, domain=permit, deny=false
	hits=5, user_data=0xd64d2b40, cs_id=0x0, flags=0x0, protocol=0
	src ip=0.0.0.0, mask=0.0.0.0, port=0
	dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd8135a08, priority=0, domain=inspect-ip-options, deny=true
	hits=49, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip=0.0.0.0, mask=0.0.0.0, port=0
	dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 10 (213.48.16.8 [Interface PAT])
    translate_hits = 2, untranslate_hits = 0
Additional Information:
Dynamic translate 172.16.1.100/43563 to 213.48.16.8/61556 using netmask 255.255.255.255
 Forward Flow based lookup yields rule:
 in  id=0xd81ebb58, priority=1, domain=nat, deny=false
	hits=2, user_data=0xd81eba98, cs_id=0x0, flags=0x0, protocol=0
	src ip=0.0.0.0, mask=0.0.0.0, port=0
	dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 10 (172.16.0.10 [Interface PAT])
    translate_hits = 3, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd81eb6a8, priority=1, domain=host, deny=false
	hits=33, user_data=0xd81eb290, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip=0.0.0.0, mask=0.0.0.0, port=0
	dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xd8186830, priority=0, domain=inspect-ip-options, deny=true
	hits=2, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip=0.0.0.0, mask=0.0.0.0, port=0
	dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 20, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow



ciscoasa(config)# packet-trace in inside tcp 172.16.1.100 43563 1.2.3.4 www det

Phase: 1
Type: FLOW-LOOKUP
Subtype: 
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,inside) 192.14.14.0 172.16.0.0 netmask 255.255.255.0 
  match ip inside 172.16.0.0 255.255.255.0 inside any
    static translation to 192.14.14.0
    translate_hits = 0, untranslate_hits = 7
Additional Information:
NAT divert to egress interface inside
Untranslate 192.14.14.0/0 to 172.16.0.0/0 using netmask 255.255.255.0

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group AG_INSIDE_IN in interface inside
access-list AG_INSIDE_IN extended permit ip any any 
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd81ee740, priority=12, domain=permit, deny=false
	hits=6, user_data=0xd64d2b40, cs_id=0x0, flags=0x0, protocol=0
	src ip=0.0.0.0, mask=0.0.0.0, port=0
	dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd8135a08, priority=0, domain=inspect-ip-options, deny=true
	hits=50, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip=0.0.0.0, mask=0.0.0.0, port=0
	dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 10 (172.16.0.10 [Interface PAT])
    translate_hits = 4, untranslate_hits = 0
Additional Information:
Dynamic translate 172.16.1.100/43563 to 172.16.0.10/25517 using netmask 255.255.255.255
 Forward Flow based lookup yields rule:
 in  id=0xd81eb350, priority=1, domain=nat, deny=false
	hits=4, user_data=0xd81eb290, cs_id=0x0, flags=0x0, protocol=0
	src ip=0.0.0.0, mask=0.0.0.0, port=0
	dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 10 (172.16.0.10 [Interface PAT])
    translate_hits = 4, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd81eb6a8, priority=1, domain=host, deny=false
	hits=34, user_data=0xd81eb290, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip=0.0.0.0, mask=0.0.0.0, port=0
	dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,inside) 192.14.14.0 172.16.0.0 netmask 255.255.255.0 
  match ip inside 172.16.0.0 255.255.255.0 inside any
    static translation to 192.14.14.0
    translate_hits = 0, untranslate_hits = 7
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xd81efdb8, priority=5, domain=nat-reverse, deny=false
	hits=4, user_data=0xd81efb68, cs_id=0x0, flags=0x0, protocol=0
	src ip=0.0.0.0, mask=0.0.0.0, port=0
	dst ip=172.16.0.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,inside) 192.14.14.0 172.16.0.0 netmask 255.255.255.0 
  match ip inside 172.16.0.0 255.255.255.0 inside any
    static translation to 192.14.14.0
    translate_hits = 0, untranslate_hits = 7
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xd81efe50, priority=5, domain=host, deny=false
	hits=7, user_data=0xd81efb68, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip=172.16.0.0, mask=255.255.255.0, port=0
	dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xd8135a08, priority=0, domain=inspect-ip-options, deny=true
	hits=52, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip=0.0.0.0, mask=0.0.0.0, port=0
	dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 21, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow


ciscoasa(config)# packet-trace in inside tcp 172.16.1.100 43563 192.15.15.20 www det

Phase: 1
Type: FLOW-LOOKUP
Subtype: 
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.15.15.0     255.255.255.0   outside_old

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group AG_INSIDE_IN in interface inside
access-list AG_INSIDE_IN extended permit ip any any 
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd81ee740, priority=12, domain=permit, deny=false
	hits=7, user_data=0xd64d2b40, cs_id=0x0, flags=0x0, protocol=0
	src ip=0.0.0.0, mask=0.0.0.0, port=0
	dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd8135a08, priority=0, domain=inspect-ip-options, deny=true
	hits=52, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip=0.0.0.0, mask=0.0.0.0, port=0
	dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: NAT-EXEMPT
Subtype: 
Result: ALLOW
Config:
  match ip inside 172.16.0.0 255.255.252.0 outside_old 192.15.15.0 255.255.255.0
    NAT exempt
    translate_hits = 3, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd81ea858, priority=6, domain=nat-exempt, deny=false
	hits=3, user_data=0xd81ea798, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
	src ip=172.16.0.0, mask=255.255.252.0, port=0
	dst ip=192.15.15.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 6
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
  match ip inside any outside_old any
    dynamic translation to pool 10 (62.253.200.159 [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd81ec360, priority=1, domain=nat, deny=false
	hits=3, user_data=0xd81ec2a0, cs_id=0x0, flags=0x0, protocol=0
	src ip=0.0.0.0, mask=0.0.0.0, port=0
	dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 10 (172.16.0.10 [Interface PAT])
    translate_hits = 4, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd81eb6a8, priority=1, domain=host, deny=false
	hits=35, user_data=0xd81eb290, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip=0.0.0.0, mask=0.0.0.0, port=0
	dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xd820c318, priority=70, domain=encrypt, deny=false
	hits=3, user_data=0x0, cs_id=0xd820be50, reverse, flags=0x0, protocol=0
	src ip=172.16.0.0, mask=255.255.252.0, port=0
	dst ip=192.15.15.0, mask=255.255.255.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside_old
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


ciscoasa(config)# sh xlate
2 in use, 4 most used
Global 192.14.14.0 Local 172.16.0.0
Global 192.14.14.0 Local 172.16.0.0

Les Moore, Sr. Systems Engineer (Top Expert 2008)

Commented:
Couple of things to start with:
 >nat (inside) 0 access-list N0_INSIDE
Should not be "0" because you are conditionally natting, not bypassing nat.
And because the subnet masks do not match you cannot do static network nat.

I would try something like this instead:

access-list N0_INSIDE2 extended permit ip 192.14.14.0 255.255.255.0 192.15.15.0 255.255.255.0
no nat (inside) 0 access-list N0_INSIDE
static (inside,outside_old) 172.16.0.0 172.16.0.0 netmask 255.255.252.0 access-list N0_INSIDE
static (inside,outside_old) 172.16.0.0 192.14.14.0 netmask 255.255.255.0 access-list N0_INSIDE2

Now either way, all traffic going from either 192.14.14 or 172.16.0 is going to be natted to 172.16.0.0 and match the vpn acl.

I must say that I've never seen hairpinning used for this purpose, but if it works, I'll sure keep it in mind.
You are correct that the packet trace tool can only do so much if the vpn is not actually "UP". It has to fail if the tunnel is not actually established.

Author

Commented:
lrmoore, thanks for your suggestions.  There should be a system to place bets on who will bite on a question -- I'd make a fortune!! ;-)

>> You are correct that the packet trace tool can only do so much if the vpn is not actually "UP".
I had hoped this was the case -- I was pulling my hair out trying to find a 'configured rule' that caused the acl-drop.  Is it fair to assume, given that the packet-trace reached the VPN phase, that "normal" VPN logic is going to take over once the physical network is in place?

>> And because the subnet masks do not match you cannot do static network nat
You are right that the subnets do not match; I am moving from a /24 to a /22 mask.  During the transition, I am intending to match 192.14.14.xxx to 172.16.0.xxx, however, so I think it should be possible to static NAT just this subset, shouldn't it?

>> static (inside,outside_old) 172.16.0.0 172.16.0.0 netmask 255.255.252.0 access-list N0_INSIDE
>> static (inside,outside_old) 172.16.0.0 192.14.14.0 netmask 255.255.255.0 access-list N0_INSIDE2

I'm not seeing a variant of static that accepts an access-list parameter.  Is this a recent thing?  I am running v8.2(2), which I understand is the latest version that is supported on my ASA5505, given its 256MB memory.

As such, might the following work?

    access-list N0_INSIDE extended permit ip 172.16.0.0 255.255.255.0 192.15.15.0 255.255.255.0
    access-list N0_INSIDE extended permit ip 192.14.14.0 255.255.255.0 192.15.15.0 255.255.255.0
 
    access-list VPN_GATESHEAD1 remark VPN traffic to/from Gateshead office
    access-list VPN_GATESHEAD1 extended permit ip 172.16.0.0 255.255.252.0 192.15.15.0 255.255.255.0
    access-list VPN_GATESHEAD2 remark VPN traffic to/from Gateshead office
    access-list VPN_GATESHEAD2 extended permit ip 192.14.14.0 255.255.255.0 192.15.15.0 255.255.255.0

    nat (inside) 0 access-list N0_INSIDE

    static (inside,inside) 192.14.14.0 172.16.0.0 netmask 255.255.255.0
    static (inside,outside_old) 192.14.14.0 172.16.0.0 netmask 255.255.255.0

    crypto map CM_OUTOLD 10 match address VPN_GATESHEAD1
    crypto map CM_OUTOLD 10 set peer 82.x.x.219
    !...
    crypto map CM_OUTOLD 20 match address VPN_GATESHEAD2
    crypto map CM_OUTOLD 20 set peer 82.x.x.219
    !...

I guess my question has as much to do with the order in which statements are processed as anything else: does a static translation apply to inbound traffic from the VPN on outside_old, or does it only apply to plain (non-crypto) traffic?

I expect it would make more sense for the device at the other office to do the translation from 192.14.14.0/24 to 172.16.0.0/24 before coming down the VPN, but it is just a SOHO device and has no support for one-to-one NAT (and no support for NAT-then-VPN, only NAT-or-VPN).

Given that I appear to have scared you off, and that I ran out of time, I decided to drop the hairpinning until both sites are running an ASA.  That way I have more of a fighting chance with the routing than I would with the current remote SOHO device.

To answer my own question, regarding the second interface, I needed to add routes for both the remote LAN (which I had) and the remote peer (which I was missing), forcing both to the outside_old interface.

    route outside_old 192.15.15.0 255.255.255.0 62.x.x.254
    route outside_old 82.x.x.219 255.255.255.255 62.x.x.254
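A sanity check for the fix described above, added here as an example and not part of the thread: a longest-prefix route lookup that confirms both the crypto-map peer and the protected remote network leave via the interface the crypto map is bound to, and flags the "before" state where the peer silently followed the default route out of the new ISP interface. The route table and the ISP addresses are constructed placeholders for the redacted values in the config.

```python
import ipaddress

# Constructed route table modelled on the thread's "route" lines. The ISP
# octets are redacted on the page ("213.x.x.1", "62.x.x.254", "82.x.x.219"),
# so the values below are placeholders, not the real addresses.
ROUTES_BEFORE = [
    # (interface, destination prefix, next hop)
    ("outside",     "0.0.0.0/0",      "213.0.0.1"),    # default route, new ISP
    ("outside_old", "192.15.15.0/24", "62.0.0.254"),   # remote LAN, old ISP
]
# The fix the author arrived at: a host route that pins the IKE/IPsec peer
# to the interface the crypto map is bound to.
ROUTES_AFTER = ROUTES_BEFORE + [
    ("outside_old", "82.0.0.219/32",  "62.0.0.254"),
]

# What the crypto map expects (interface and peer placeholders as above).
CRYPTO_MAP = {
    "interface": "outside_old",
    "peer": "82.0.0.219",
    "remote_nets": ["192.15.15.0/24"],   # from access-list VPN_GATESHEAD
}


def lookup(routes, dst):
    """Longest-prefix match over static routes.

    Returns (interface, network, next_hop) or None if nothing matches.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for ifc, prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (ifc, net, next_hop)
    return best


def check_crypto_map(routes, cmap):
    """Report every address the tunnel depends on that would leave the box
    on an interface other than the one the crypto map is applied to.

    An empty list means the peer and all protected remote networks egress
    via the crypto-map interface, so IKE can negotiate the SA and packets
    matching the crypto ACL reach the encrypt rule on that interface.
    """
    findings = []
    # 1. The IKE peer itself must be reachable via the crypto-map interface.
    hit = lookup(routes, cmap["peer"])
    via = hit[0] if hit else "no route"
    if via != cmap["interface"]:
        findings.append(f"peer {cmap['peer']} egresses via {via}, "
                        f"crypto map is bound to {cmap['interface']}")
    # 2. Each protected remote network must route to the same interface,
    #    otherwise cleartext traffic leaves through the wrong ISP.
    for net in cmap["remote_nets"]:
        probe = ipaddress.ip_network(net)[1]     # any host in the remote LAN
        hit = lookup(routes, str(probe))
        via = hit[0] if hit else "no route"
        if via != cmap["interface"]:
            findings.append(f"remote net {net} egresses via {via}, "
                            f"crypto map is bound to {cmap['interface']}")
    return findings


if __name__ == "__main__":
    for label, routes in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        print(label, check_crypto_map(routes, CRYPTO_MAP) or "OK")
```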
