90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!
Solved
ASA 5520/5505 VPN tunnel up, but not passing traffic
Posted on 2012-12-20
Hello experts!
I have a 5520 in the core, and a 5505 in the field (currently the only peer). 172.18.4.0/24 is a n Ethernet hop into the core network, which is 10.1.x.x. Other networks directly connected to the core are 10.4.0.0/16, etc. The remote LAN connected to the 5505 is 10.6.0.0/16. There is a tunnel up between them but no traffic is flowing. There is no NAT’ing on the core 5520, but the 5505 does NAT for local Internet access.
Packet tracing in ASDM yields “Flow denied by configured rule”, and points toward the implicit deny on the inside ACL. I have been over and over the crypto maps, and those match perfectly. I’m pretty sure the NAT exempt rules are configured correctly. Can you please help me diagnose this problem?
---HQ LOCATION---
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 12.12.12.196 255.255.255.224
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.18.4.2 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
same-security-traffic permit inter-interface
access-list outside_cryptomap extended permit ip 172.18.4.0 255.255.255.0 10.6.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.6.0.0 255.255.0.0
access-list outside_access_in extended permit ip host 64.64.64.115 any
access-list outside_access_in extended permit icmp any any
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outside_access_in in interface outside
!
route outside 0.0.0.0 0.0.0.0 12.12.12.129 1
route inside 10.1.0.0 255.255.0.0 172.18.4.1 1
dynamic-access-policy-reco
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map2 1 match address outside_cryptomap
crypto map outside_map2 1 set pfs
crypto map outside_map2 1 set peer 64.64.64.115
crypto map outside_map2 1 set transform-set ESP-3DES-SHA
crypto map outside_map2 1 set reverse-route
crypto map outside_map2 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol l2tp-ipsec webvpn
group-policy FLT-GroupPolicy internal
group-policy FLT-GroupPolicy attributes
vpn-tunnel-protocol IPSec
username backup password Saxs0hwa830QwQou encrypted privilege 15
username admin password 85UF/HTq2OEoPvjy encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *****
tunnel-group 64.64.64.115 type ipsec-l2l
tunnel-group 64.64.64.115 general-attributes
default-group-policy FLT-GroupPolicy
tunnel-group 64.64.64.115 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
…
inspect ip-options
!
service-policy global_policy global
-----REMOTE SIDE-----
interface Vlan1
nameif inside
security-level 100
ip address 10.6.0.1 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address 64.64.64.115 255.255.255.240
!
access-list outside_cryptomap extended permit ip 10.6.0.0 255.255.0.0 172.18.4.0
255.255.255.0
access-list outside_cryptomap extended permit ip 10.6.0.0 255.255.0.0 10.0.0.0 2
55.0.0.0
access-list outside_access_in extended permit ip host 12.12.12.196 any
access-list outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip 10.6.0.0 255.255.0.0 172.18.
4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.6.0.0 255.255.0.0 10.0.0.
0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 172.18.4.0 255.255.255.0 10.
6.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 64.64.64.121 netmask 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.6.0.0 255.255.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.64.64.113 1
…
dynamic-access-policy-reco
aaa authentication telnet console LOCAL
http server enable
http 10.6.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
…
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map3 1 match address outside_cryptomap
crypto map outside_map3 1 set pfs
crypto map outside_map3 1 set peer 12.12.12.196
crypto map outside_map3 1 set transform-set ESP-3DES-SHA
crypto map outside_map3 1 set reverse-route
crypto map outside_map3 interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
…
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol l2tp-ipsec webvpn
group-policy ITO-GrpPolicy internal
group-policy ITO-GrpPolicy attributes
vpn-tunnel-protocol IPSec
username admin password 85UF/HTq2OEoPvjy encrypted privilege 15
tunnel-group 12.12.12.196 type ipsec-l2l
tunnel-group 12.12.12.196 general-attributes
default-group-policy ITO-GrpPolicy
tunnel-group 12.12.12.196 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
…
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
I have a 5520 in the core, and a 5505 in the field (currently the only peer). 172.18.4.0/24 is a n Ethernet hop into the core network, which is 10.1.x.x. Other networks directly connected to the core are 10.4.0.0/16, etc. The remote LAN connected to the 5505 is 10.6.0.0/16. There is a tunnel up between them but no traffic is flowing. There is no NAT’ing on the core 5520, but the 5505 does NAT for local Internet access.
Packet tracing in ASDM yields “Flow denied by configured rule”, and points toward the implicit deny on the inside ACL. I have been over and over the crypto maps, and those match perfectly. I’m pretty sure the NAT exempt rules are configured correctly. Can you please help me diagnose this problem?
---HQ LOCATION---
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 12.12.12.196 255.255.255.224
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.18.4.2 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
same-security-traffic permit inter-interface
access-list outside_cryptomap extended permit ip 172.18.4.0 255.255.255.0 10.6.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.6.0.0 255.255.0.0
access-list outside_access_in extended permit ip host 64.64.64.115 any
access-list outside_access_in extended permit icmp any any
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outside_access_in in interface outside
!
route outside 0.0.0.0 0.0.0.0 12.12.12.129 1
route inside 10.1.0.0 255.255.0.0 172.18.4.1 1
dynamic-access-policy-reco
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map2 1 match address outside_cryptomap
crypto map outside_map2 1 set pfs
crypto map outside_map2 1 set peer 64.64.64.115
crypto map outside_map2 1 set transform-set ESP-3DES-SHA
crypto map outside_map2 1 set reverse-route
crypto map outside_map2 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol l2tp-ipsec webvpn
group-policy FLT-GroupPolicy internal
group-policy FLT-GroupPolicy attributes
vpn-tunnel-protocol IPSec
username backup password Saxs0hwa830QwQou encrypted privilege 15
username admin password 85UF/HTq2OEoPvjy encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *****
tunnel-group 64.64.64.115 type ipsec-l2l
tunnel-group 64.64.64.115 general-attributes
default-group-policy FLT-GroupPolicy
tunnel-group 64.64.64.115 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
…
inspect ip-options
!
service-policy global_policy global
-----REMOTE SIDE-----
interface Vlan1
nameif inside
security-level 100
ip address 10.6.0.1 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address 64.64.64.115 255.255.255.240
!
access-list outside_cryptomap extended permit ip 10.6.0.0 255.255.0.0 172.18.4.0
255.255.255.0
access-list outside_cryptomap extended permit ip 10.6.0.0 255.255.0.0 10.0.0.0 2
55.0.0.0
access-list outside_access_in extended permit ip host 12.12.12.196 any
access-list outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip 10.6.0.0 255.255.0.0 172.18.
4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.6.0.0 255.255.0.0 10.0.0.
0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 172.18.4.0 255.255.255.0 10.
6.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 64.64.64.121 netmask 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.6.0.0 255.255.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.64.64.113 1
…
dynamic-access-policy-reco
aaa authentication telnet console LOCAL
http server enable
http 10.6.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
…
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map3 1 match address outside_cryptomap
crypto map outside_map3 1 set pfs
crypto map outside_map3 1 set peer 12.12.12.196
crypto map outside_map3 1 set transform-set ESP-3DES-SHA
crypto map outside_map3 1 set reverse-route
crypto map outside_map3 interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
…
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol l2tp-ipsec webvpn
group-policy ITO-GrpPolicy internal
group-policy ITO-GrpPolicy attributes
vpn-tunnel-protocol IPSec
username admin password 85UF/HTq2OEoPvjy encrypted privilege 15
tunnel-group 12.12.12.196 type ipsec-l2l
tunnel-group 12.12.12.196 general-attributes
default-group-policy ITO-GrpPolicy
tunnel-group 12.12.12.196 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
…
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
-
3
2
6 Comments
I don't see any nat rules on the core ASA. Also, on the remote asa your nonat rules make sense except the last acl line.
access-list inside_nat0_outbound extended permit ip 172.18.4.0 255.255.255.0 10.
6.0.0 255.255.0.0
That line will never match because traffic will never hit the inside interface of that asa with a source of 172.18.4.0/24, rather only a destination. This acl line doesn't hurt anything, but it doesn't help.
At a quick glance everything else looks fine with the exception of the nat rules (or lack thereof) on the core side. Both sides need nonat rules.
access-list inside_nat0_outbound extended permit ip 172.18.4.0 255.255.255.0 10.
6.0.0 255.255.0.0
That line will never match because traffic will never hit the inside interface of that asa with a source of 172.18.4.0/24, rather only a destination. This acl line doesn't hurt anything, but it doesn't help.
At a quick glance everything else looks fine with the exception of the nat rules (or lack thereof) on the core side. Both sides need nonat rules.
Okay. I figured since there was no NAT occurring on the core that those commands were not needed. I added NAT exclusions to the core, and also removed the unnecessary line from the branch 5505.
Still, a packet trace on the branch ASA (ICMP from 10.6.0.1 to 172.18.4.1, for instance) shows packets dropped by a configured rule. That rule appears to be the implicit deny on the inside ACL.
Ideas?
Still, a packet trace on the branch ASA (ICMP from 10.6.0.1 to 172.18.4.1, for instance) shows packets dropped by a configured rule. That rule appears to be the implicit deny on the inside ACL.
Ideas?
Hmm... not exactly sure, but at this point it appears you have no acl at all on the inside interface on the remote side as well as the core side. This means that traffic will be allowed based on security level rules only - high can go to low. As a quick test you could make an acl that is a simple 'permit ip any any' and apply it to the inside interface. If this doesn't correct the issue then it's not really an ACL rule that's causing the issue. Possibly a nat or inspection rule.
I had to call Cisco in on this one. They did something on both ends to correct the problem, not exactly sure what was performed.
Featured Post
Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.
One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
Join & Write a Comment Already a member? Login.
This article explains the fundamentals of industrial networking which ultimately is the backbone network which is providing communications for process devices like robots and other not so interesting stuff.
In this article, the configuration steps in Zabbix to monitor devices via SNMP will be discussed with some real examples on Cisco Router/Switch, Catalyst Switch, NAS Synology device.
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’
As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Suggested Courses
Course of the Month8 days, 13 hours left to enroll
595 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.