ASA-5505: VPN packets not forwarding to second outside interface
I have an ASA-5505 which I recently factory reset. I intend to use it as my office's internet-facing firewall and VPN device, as part of a shift to a new ISP. I am trying to do two non-standard (i.e. things I am not used to doing) things with the new device, that I understand should be possible:
Access to external addresses appears to flow correctly, as does the hairpinning, but the packet-trace shows a drop for the traffic that matches the VPN range.
Redacted config, version info and packet trace results are attached. The questions are:
J.
1
I want to use a third Vlan (DMZ interface) to connect to the old ISP (not for failover), so I can run the existing VPNs and transition them to the new interface, over time.2
I want to hairpin/NAT the old, non-RFC1918 LAN range on the inside interface (192.14.14.0/24) to a new subnet (172.16.0.0/24), so I can finally be rid of the non-standard IP range, but allow me to migrate client settings that I may have missed during the transition periodAt the moment, I can only use the packet-trace CLI command to test the various rules, before I can move into physical testing.Access to external addresses appears to flow correctly, as does the hairpinning, but the packet-trace shows a drop for the traffic that matches the VPN range.
Redacted config, version info and packet trace results are attached. The questions are:
1
Can anyone see why the VPN traffic is shown as dropped in the packet-trace from 172.16.1.100 to 192.15.15.20 -- is it just because the VPN tunnel is not up/is reaching "VPN" in the packet-trace as close as I can get until it is physically cabled?2
Once the tunnel is working, Is it possible to allow end-users in the 192.15.15.0/24 range to talk to 192.14.14.0/24 and be translated to 172.16.0.0/24, as per the hairpinning (I have tried a static (inside,outside_old)... rule but the packet-trace shows it as dropped -- I assume packet-trace cannot emulate traffic from the VPN)?Thanks in advance...J.
ciscoasa(config)# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)53
Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 24 mins 53 secs
Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Int: Internal-Data0/0 : address is 001e.7aac.3ca3, irq 11
1: Ext: Ethernet0/0 : address is 001e.7aac.3c9b, irq 255
2: Ext: Ethernet0/1 : address is 001e.7aac.3c9c, irq 255
3: Ext: Ethernet0/2 : address is 001e.7aac.3c9d, irq 255
4: Ext: Ethernet0/3 : address is 001e.7aac.3c9e, irq 255
5: Ext: Ethernet0/4 : address is 001e.7aac.3c9f, irq 255
6: Ext: Ethernet0/5 : address is 001e.7aac.3ca0, irq 255
7: Ext: Ethernet0/6 : address is 001e.7aac.3ca1, irq 255
8: Ext: Ethernet0/7 : address is 001e.7aac.3ca2, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
Serial Number: JMX1151Z0M2
Running Activation Key: 0xcb3a555b 0x00a9f0ce 0xfc53cd14 0xa52820cc 0x492b92b3
Configuration register is 0x1
Configuration last modified by enable_15 at 18:49:48.849 UTC Tue Jul 6 2010
ciscoasa(config)# sh run
: Saved
:
ASA Version 8.2(2)
!
terminal width 120
hostname ciscoasa
enable password T6L9kwXy8yD66Ci8 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.0.10 255.255.252.0
!
interface Vlan2
nameif outside
security-level 0
ip address 213.x.x.8 255.255.255.0
!
interface Vlan3
no forward interface Vlan2
nameif outside_old
security-level 0
ip address 62.x.x.159 255.255.255.128
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
description RESERVED
shutdown
!
interface Ethernet0/3
description RESERVED
shutdown
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
same-security-traffic permit intra-interface
access-list N0_INSIDE remark Entries in this list will be exempt from NAT
access-list N0_INSIDE extended permit ip 172.16.0.0 255.255.252.0 192.15.15.0 255.255.255.0
access-list AG_OUTSIDE_IN remark Traffic allowed into the outside interface
access-list AG_OUTSIDE_IN extended permit icmp any any
access-list AG_INSIDE_IN remark Traffic allowed into the inside interface
access-list AG_INSIDE_IN extended permit tcp any host 192.14.14.20 eq smtp
access-list AG_INSIDE_IN extended permit tcp any host 80.x.x.52 eq smtp
access-list AG_INSIDE_IN extended deny tcp any any eq smtp
access-list AG_INSIDE_IN extended permit ip any any
access-list AG_OUTOLD_IN remark Traffic allowed into the outside_old interface
access-list AG_OUTOLD_IN extended permit icmp any any
access-list VPN_GATESHEAD remark VPN traffic to/from Gateshead office
access-list VPN_GATESHEAD extended permit ip 172.16.0.0 255.255.252.0 192.15.15.0 255.255.255.0
pager lines 22
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu outside_old 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (inside) 10 interface
global (outside) 10 interface
global (outside_old) 10 interface
nat (inside) 0 access-list N0_INSIDE
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,inside) 192.14.14.0 172.16.0.0 netmask 255.255.255.0
static (inside,outside_old) 192.14.14.0 172.16.0.0 netmask 255.255.255.0
access-group AG_INSIDE_IN in interface inside
access-group AG_OUTSIDE_IN in interface outside
access-group AG_OUTOLD_IN in interface outside_old
route outside 0.0.0.0 0.0.0.0 213.x.x.1 1
route outside_old 192.15.15.0 255.255.255.0 62.x.x.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.0.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map CM_OUTOLD 10 match address VPN_GATESHEAD
crypto map CM_OUTOLD 10 set pfs
crypto map CM_OUTOLD 10 set peer 82.x.x.219
crypto map CM_OUTOLD 10 set transform-set ESP-AES256-MD5
crypto map CM_OUTOLD 10 set security-association lifetime seconds 3600
crypto map CM_OUTOLD interface outside_old
crypto isakmp identity address
crypto isakmp enable outside_old
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash md5
group 5
lifetime 28800
crypto isakmp ipsec-over-tcp port 10000
telnet 172.16.0.0 255.255.252.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 120 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 120 retry 2
tunnel-group 82.163.120.219 type ipsec-l2l
tunnel-group 82.163.120.219 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:cf43aed8a7a87ca9205c2faffb0567c1
: end
ciscoasa(config)# packet-trace in inside tcp 172.16.1.100 43563 1.2.3.4 www det
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group AG_INSIDE_IN in interface inside
access-list AG_INSIDE_IN extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd81ee740, priority=12, domain=permit, deny=false
hits=5, user_data=0xd64d2b40, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd8135a08, priority=0, domain=inspect-ip-options, deny=true
hits=49, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 10 (213.48.16.8 [Interface PAT])
translate_hits = 2, untranslate_hits = 0
Additional Information:
Dynamic translate 172.16.1.100/43563 to 213.48.16.8/61556 using netmask 255.255.255.255
Forward Flow based lookup yields rule:
in id=0xd81ebb58, priority=1, domain=nat, deny=false
hits=2, user_data=0xd81eba98, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 10 (172.16.0.10 [Interface PAT])
translate_hits = 3, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd81eb6a8, priority=1, domain=host, deny=false
hits=33, user_data=0xd81eb290, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd8186830, priority=0, domain=inspect-ip-options, deny=true
hits=2, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 20, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
ciscoasa(config)# packet-trace in inside tcp 172.16.1.100 43563 1.2.3.4 www det
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,inside) 192.14.14.0 172.16.0.0 netmask 255.255.255.0
match ip inside 172.16.0.0 255.255.255.0 inside any
static translation to 192.14.14.0
translate_hits = 0, untranslate_hits = 7
Additional Information:
NAT divert to egress interface inside
Untranslate 192.14.14.0/0 to 172.16.0.0/0 using netmask 255.255.255.0
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group AG_INSIDE_IN in interface inside
access-list AG_INSIDE_IN extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd81ee740, priority=12, domain=permit, deny=false
hits=6, user_data=0xd64d2b40, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd8135a08, priority=0, domain=inspect-ip-options, deny=true
hits=50, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 10 (172.16.0.10 [Interface PAT])
translate_hits = 4, untranslate_hits = 0
Additional Information:
Dynamic translate 172.16.1.100/43563 to 172.16.0.10/25517 using netmask 255.255.255.255
Forward Flow based lookup yields rule:
in id=0xd81eb350, priority=1, domain=nat, deny=false
hits=4, user_data=0xd81eb290, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 10 (172.16.0.10 [Interface PAT])
translate_hits = 4, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd81eb6a8, priority=1, domain=host, deny=false
hits=34, user_data=0xd81eb290, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,inside) 192.14.14.0 172.16.0.0 netmask 255.255.255.0
match ip inside 172.16.0.0 255.255.255.0 inside any
static translation to 192.14.14.0
translate_hits = 0, untranslate_hits = 7
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd81efdb8, priority=5, domain=nat-reverse, deny=false
hits=4, user_data=0xd81efb68, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=172.16.0.0, mask=255.255.255.0, port=0, dscp=0x0
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,inside) 192.14.14.0 172.16.0.0 netmask 255.255.255.0
match ip inside 172.16.0.0 255.255.255.0 inside any
static translation to 192.14.14.0
translate_hits = 0, untranslate_hits = 7
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd81efe50, priority=5, domain=host, deny=false
hits=7, user_data=0xd81efb68, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=172.16.0.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd8135a08, priority=0, domain=inspect-ip-options, deny=true
hits=52, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 21, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
ciscoasa(config)# packet-trace in inside tcp 172.16.1.100 43563 192.15.15.20 www det
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.15.15.0 255.255.255.0 outside_old
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group AG_INSIDE_IN in interface inside
access-list AG_INSIDE_IN extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd81ee740, priority=12, domain=permit, deny=false
hits=7, user_data=0xd64d2b40, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd8135a08, priority=0, domain=inspect-ip-options, deny=true
hits=52, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 172.16.0.0 255.255.252.0 outside_old 192.15.15.0 255.255.255.0
NAT exempt
translate_hits = 3, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd81ea858, priority=6, domain=nat-exempt, deny=false
hits=3, user_data=0xd81ea798, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=172.16.0.0, mask=255.255.252.0, port=0
dst ip=192.15.15.0, mask=255.255.255.0, port=0, dscp=0x0
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
match ip inside any outside_old any
dynamic translation to pool 10 (62.253.200.159 [Interface PAT])
translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd81ec360, priority=1, domain=nat, deny=false
hits=3, user_data=0xd81ec2a0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 10 (172.16.0.10 [Interface PAT])
translate_hits = 4, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd81eb6a8, priority=1, domain=host, deny=false
hits=35, user_data=0xd81eb290, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd820c318, priority=70, domain=encrypt, deny=false
hits=3, user_data=0x0, cs_id=0xd820be50, reverse, flags=0x0, protocol=0
src ip=172.16.0.0, mask=255.255.252.0, port=0
dst ip=192.15.15.0, mask=255.255.255.0, port=0, dscp=0x0
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside_old
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ciscoasa(config)# sh xlate
2 in use, 4 most used
Global 192.14.14.0 Local 172.16.0.0
Global 192.14.14.0 Local 172.16.0.0
ASKER
lrmoore; thanks for your suggestions. There should be a system to place bets on who will bite on a question -- I'd make a fortune!! ;-)
>> You are correct that the packet trace tool can only do so much if the vpn is not actually "UP".
I had hoped this was the case -- I was pulling my hair out trying to find a 'configured rule' that caused the acl-drop. Is it fair to assume that, given that the packet-trace reached the VPN phase, that "normal" VPN logic is going to take over once the physical network is in place?
>> And because the subnet masks do not match you cannot do static network nat
You are right that the subnets do not match; I am moving from a /24 to a /22 mask. During the transition, I am intending to match 192.14.14.xxx to 172.16.0.xxx, however, so I think it should be possible to static NAT just this subset, shouldn't it?
>> static (inside,outside_old) 172.16.0.0 172.16.0.0 netmask 255.255.252.0 access-list NO_INSIDE
>> static (inside,outside_old) 172.16.0.0 192.14.14.0 netmask 255.255.255.0 access-list NO_INSIDE2
I'm not seeing a variant of static that accepts an access-list parameter. Is this a recent thing? I am running v8.2(2), which I understand is the latest version that is supported on my ASA5505, given its 256MB memory.
As such, might the following work?
access-list N0_INSIDE extended permit ip 172.16.0.0 255.255.255.0 192.15.15.0 255.255.255.0
access-list N0_INSIDE extended permit ip 192.14.14.0 255.255.255.0 192.15.15.0 255.255.255.0
access-list VPN_GATESHEAD1 remark VPN traffic to/from Gateshead office
access-list VPN_GATESHEAD1 extended permit ip 172.16.0.0 255.255.252.0 192.15.15.0 255.255.255.0
access-list VPN_GATESHEAD2 remark VPN traffic to/from Gateshead office
access-list VPN_GATESHEAD2 extended permit ip 192.14.14.0 255.255.255.0 192.15.15.0 255.255.255.0
nat (inside) 0 access-list N0_INSIDE
static (inside,inside) 192.14.14.0 172.16.0.0 netmask 255.255.255.0
static (inside,outside_old) 192.14.14.0 172.16.0.0 netmask 255.255.255.0
crypto map CM_OUTOLD 10 match address VPN_GATESHEAD1
crypto map CM_OUTOLD 10 set peer 82.x.x.219
!...
crypto map CM_OUTOLD 20 match address VPN_GATESHEAD2
crypto map CM_OUTOLD 20 set peer 82.x.x.219
!...
I guess my question is as much to do with the order in which statements are processed than anything else: Does a static translation apply to inbound traffic from the VPN on outside_old, or does it only apply to plain (non-crypto) traffic?
I expect it would make more sense for the device at the other office to do the translation from 192.14.14.0/24 to 172.16.0.0/24 before coming down the VPN, but it is just a SOHO device and has no support for one-to-one NAT (and no support for NAT-then-VPN, only NAT-or-VPN).
>> You are correct that the packet trace tool can only do so much if the vpn is not actually "UP".
I had hoped this was the case -- I was pulling my hair out trying to find a 'configured rule' that caused the acl-drop. Is it fair to assume that, given that the packet-trace reached the VPN phase, that "normal" VPN logic is going to take over once the physical network is in place?
>> And because the subnet masks do not match you cannot do static network nat
You are right that the subnets do not match; I am moving from a /24 to a /22 mask. During the transition, I am intending to match 192.14.14.xxx to 172.16.0.xxx, however, so I think it should be possible to static NAT just this subset, shouldn't it?
>> static (inside,outside_old) 172.16.0.0 172.16.0.0 netmask 255.255.252.0 access-list NO_INSIDE
>> static (inside,outside_old) 172.16.0.0 192.14.14.0 netmask 255.255.255.0 access-list NO_INSIDE2
I'm not seeing a variant of static that accepts an access-list parameter. Is this a recent thing? I am running v8.2(2), which I understand is the latest version that is supported on my ASA5505, given its 256MB memory.
As such, might the following work?
access-list N0_INSIDE extended permit ip 172.16.0.0 255.255.255.0 192.15.15.0 255.255.255.0
access-list N0_INSIDE extended permit ip 192.14.14.0 255.255.255.0 192.15.15.0 255.255.255.0
access-list VPN_GATESHEAD1 remark VPN traffic to/from Gateshead office
access-list VPN_GATESHEAD1 extended permit ip 172.16.0.0 255.255.252.0 192.15.15.0 255.255.255.0
access-list VPN_GATESHEAD2 remark VPN traffic to/from Gateshead office
access-list VPN_GATESHEAD2 extended permit ip 192.14.14.0 255.255.255.0 192.15.15.0 255.255.255.0
nat (inside) 0 access-list N0_INSIDE
static (inside,inside) 192.14.14.0 172.16.0.0 netmask 255.255.255.0
static (inside,outside_old) 192.14.14.0 172.16.0.0 netmask 255.255.255.0
crypto map CM_OUTOLD 10 match address VPN_GATESHEAD1
crypto map CM_OUTOLD 10 set peer 82.x.x.219
!...
crypto map CM_OUTOLD 20 match address VPN_GATESHEAD2
crypto map CM_OUTOLD 20 set peer 82.x.x.219
!...
I guess my question is as much to do with the order in which statements are processed than anything else: Does a static translation apply to inbound traffic from the VPN on outside_old, or does it only apply to plain (non-crypto) traffic?
I expect it would make more sense for the device at the other office to do the translation from 192.14.14.0/24 to 172.16.0.0/24 before coming down the VPN, but it is just a SOHO device and has no support for one-to-one NAT (and no support for NAT-then-VPN, only NAT-or-VPN).
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
>nat (inside) 0 access-list N0_INSIDE
Should not be "0" because you are conditionally natting, not bypassing nat.
And because the subnet masks do not match you cannot do static network nat.
I would try something like this instead:
access-list N0_INSIDE2 extended permit ip 192.14.14.0 255.255.250.0 192.15.15.0 255.255.255.0
no nat (inside) 0 access-list N0_INSIDE
static (inside,outside_old) 172.16.0.0 172.16.0.0 netmask 255.255.252.0 access-list NO_INSIDE
static (inside,outside_old) 172.16.0.0 192.14.14.0 netmask 255.255.255.0 access-list NO_INSIDE2
Now either way, all traffic going from either 192.14.14 or 172.16.0 is going to be natted to 172.16.0.0 and match the vpn acl.
I must say that I've never seen hairpinning used for this purpose, but if it works, I'll sure keep it in mind.
You are correct that the packet trace tool can only do so much if the vpn is not actually "UP". It has to fail if the tunnel is not actually established.