Watch and learn how ATEN provided a total control system solution including seamless switching matrix switch, HDBaseT extenders, PDU, lighting control to build an interactive eFuture classroom.
Course Of The Month
4 days, left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
ASA 5520/5505 VPN tunnel up, but not passing traffic
Posted on 2012-12-20
Hello experts!
I have a 5520 in the core, and a 5505 in the field (currently the only peer). 172.18.4.0/24 is a n Ethernet hop into the core network, which is 10.1.x.x. Other networks directly connected to the core are 10.4.0.0/16, etc. The remote LAN connected to the 5505 is 10.6.0.0/16. There is a tunnel up between them but no traffic is flowing. There is no NAT’ing on the core 5520, but the 5505 does NAT for local Internet access.
Packet tracing in ASDM yields “Flow denied by configured rule”, and points toward the implicit deny on the inside ACL. I have been over and over the crypto maps, and those match perfectly. I’m pretty sure the NAT exempt rules are configured correctly. Can you please help me diagnose this problem?
---HQ LOCATION---
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 12.12.12.196 255.255.255.224
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.18.4.2 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
same-security-traffic permit inter-interface
access-list outside_cryptomap extended permit ip 172.18.4.0 255.255.255.0 10.6.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.6.0.0 255.255.0.0
access-list outside_access_in extended permit ip host 64.64.64.115 any
access-list outside_access_in extended permit icmp any any
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outside_access_in in interface outside
!
route outside 0.0.0.0 0.0.0.0 12.12.12.129 1
route inside 10.1.0.0 255.255.0.0 172.18.4.1 1
dynamic-access-policy-reco
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map2 1 match address outside_cryptomap
crypto map outside_map2 1 set pfs
crypto map outside_map2 1 set peer 64.64.64.115
crypto map outside_map2 1 set transform-set ESP-3DES-SHA
crypto map outside_map2 1 set reverse-route
crypto map outside_map2 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol l2tp-ipsec webvpn
group-policy FLT-GroupPolicy internal
group-policy FLT-GroupPolicy attributes
vpn-tunnel-protocol IPSec
username backup password Saxs0hwa830QwQou encrypted privilege 15
username admin password 85UF/HTq2OEoPvjy encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *****
tunnel-group 64.64.64.115 type ipsec-l2l
tunnel-group 64.64.64.115 general-attributes
default-group-policy FLT-GroupPolicy
tunnel-group 64.64.64.115 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
…
inspect ip-options
!
service-policy global_policy global
-----REMOTE SIDE-----
interface Vlan1
nameif inside
security-level 100
ip address 10.6.0.1 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address 64.64.64.115 255.255.255.240
!
access-list outside_cryptomap extended permit ip 10.6.0.0 255.255.0.0 172.18.4.0
255.255.255.0
access-list outside_cryptomap extended permit ip 10.6.0.0 255.255.0.0 10.0.0.0 2
55.0.0.0
access-list outside_access_in extended permit ip host 12.12.12.196 any
access-list outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip 10.6.0.0 255.255.0.0 172.18.
4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.6.0.0 255.255.0.0 10.0.0.
0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 172.18.4.0 255.255.255.0 10.
6.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 64.64.64.121 netmask 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.6.0.0 255.255.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.64.64.113 1
…
dynamic-access-policy-reco
aaa authentication telnet console LOCAL
http server enable
http 10.6.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
…
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map3 1 match address outside_cryptomap
crypto map outside_map3 1 set pfs
crypto map outside_map3 1 set peer 12.12.12.196
crypto map outside_map3 1 set transform-set ESP-3DES-SHA
crypto map outside_map3 1 set reverse-route
crypto map outside_map3 interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
…
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol l2tp-ipsec webvpn
group-policy ITO-GrpPolicy internal
group-policy ITO-GrpPolicy attributes
vpn-tunnel-protocol IPSec
username admin password 85UF/HTq2OEoPvjy encrypted privilege 15
tunnel-group 12.12.12.196 type ipsec-l2l
tunnel-group 12.12.12.196 general-attributes
default-group-policy ITO-GrpPolicy
tunnel-group 12.12.12.196 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
…
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
I have a 5520 in the core, and a 5505 in the field (currently the only peer). 172.18.4.0/24 is a n Ethernet hop into the core network, which is 10.1.x.x. Other networks directly connected to the core are 10.4.0.0/16, etc. The remote LAN connected to the 5505 is 10.6.0.0/16. There is a tunnel up between them but no traffic is flowing. There is no NAT’ing on the core 5520, but the 5505 does NAT for local Internet access.
Packet tracing in ASDM yields “Flow denied by configured rule”, and points toward the implicit deny on the inside ACL. I have been over and over the crypto maps, and those match perfectly. I’m pretty sure the NAT exempt rules are configured correctly. Can you please help me diagnose this problem?
---HQ LOCATION---
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 12.12.12.196 255.255.255.224
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.18.4.2 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
same-security-traffic permit inter-interface
access-list outside_cryptomap extended permit ip 172.18.4.0 255.255.255.0 10.6.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.6.0.0 255.255.0.0
access-list outside_access_in extended permit ip host 64.64.64.115 any
access-list outside_access_in extended permit icmp any any
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outside_access_in in interface outside
!
route outside 0.0.0.0 0.0.0.0 12.12.12.129 1
route inside 10.1.0.0 255.255.0.0 172.18.4.1 1
dynamic-access-policy-reco
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map2 1 match address outside_cryptomap
crypto map outside_map2 1 set pfs
crypto map outside_map2 1 set peer 64.64.64.115
crypto map outside_map2 1 set transform-set ESP-3DES-SHA
crypto map outside_map2 1 set reverse-route
crypto map outside_map2 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol l2tp-ipsec webvpn
group-policy FLT-GroupPolicy internal
group-policy FLT-GroupPolicy attributes
vpn-tunnel-protocol IPSec
username backup password Saxs0hwa830QwQou encrypted privilege 15
username admin password 85UF/HTq2OEoPvjy encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *****
tunnel-group 64.64.64.115 type ipsec-l2l
tunnel-group 64.64.64.115 general-attributes
default-group-policy FLT-GroupPolicy
tunnel-group 64.64.64.115 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
…
inspect ip-options
!
service-policy global_policy global
-----REMOTE SIDE-----
interface Vlan1
nameif inside
security-level 100
ip address 10.6.0.1 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address 64.64.64.115 255.255.255.240
!
access-list outside_cryptomap extended permit ip 10.6.0.0 255.255.0.0 172.18.4.0
255.255.255.0
access-list outside_cryptomap extended permit ip 10.6.0.0 255.255.0.0 10.0.0.0 2
55.0.0.0
access-list outside_access_in extended permit ip host 12.12.12.196 any
access-list outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip 10.6.0.0 255.255.0.0 172.18.
4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.6.0.0 255.255.0.0 10.0.0.
0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 172.18.4.0 255.255.255.0 10.
6.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 64.64.64.121 netmask 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.6.0.0 255.255.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.64.64.113 1
…
dynamic-access-policy-reco
aaa authentication telnet console LOCAL
http server enable
http 10.6.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
…
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map3 1 match address outside_cryptomap
crypto map outside_map3 1 set pfs
crypto map outside_map3 1 set peer 12.12.12.196
crypto map outside_map3 1 set transform-set ESP-3DES-SHA
crypto map outside_map3 1 set reverse-route
crypto map outside_map3 interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
…
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol l2tp-ipsec webvpn
group-policy ITO-GrpPolicy internal
group-policy ITO-GrpPolicy attributes
vpn-tunnel-protocol IPSec
username admin password 85UF/HTq2OEoPvjy encrypted privilege 15
tunnel-group 12.12.12.196 type ipsec-l2l
tunnel-group 12.12.12.196 general-attributes
default-group-policy ITO-GrpPolicy
tunnel-group 12.12.12.196 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
…
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
3
2
6 Comments
I don't see any nat rules on the core ASA. Also, on the remote asa your nonat rules make sense except the last acl line.
access-list inside_nat0_outbound extended permit ip 172.18.4.0 255.255.255.0 10.
6.0.0 255.255.0.0
That line will never match because traffic will never hit the inside interface of that asa with a source of 172.18.4.0/24, rather only a destination. This acl line doesn't hurt anything, but it doesn't help.
At a quick glance everything else looks fine with the exception of the nat rules (or lack thereof) on the core side. Both sides need nonat rules.
access-list inside_nat0_outbound extended permit ip 172.18.4.0 255.255.255.0 10.
6.0.0 255.255.0.0
That line will never match because traffic will never hit the inside interface of that asa with a source of 172.18.4.0/24, rather only a destination. This acl line doesn't hurt anything, but it doesn't help.
At a quick glance everything else looks fine with the exception of the nat rules (or lack thereof) on the core side. Both sides need nonat rules.
Okay. I figured since there was no NAT occurring on the core that those commands were not needed. I added NAT exclusions to the core, and also removed the unnecessary line from the branch 5505.
Still, a packet trace on the branch ASA (ICMP from 10.6.0.1 to 172.18.4.1, for instance) shows packets dropped by a configured rule. That rule appears to be the implicit deny on the inside ACL.
Ideas?
Still, a packet trace on the branch ASA (ICMP from 10.6.0.1 to 172.18.4.1, for instance) shows packets dropped by a configured rule. That rule appears to be the implicit deny on the inside ACL.
Ideas?
Hmm... not exactly sure, but at this point it appears you have no acl at all on the inside interface on the remote side as well as the core side. This means that traffic will be allowed based on security level rules only - high can go to low. As a quick test you could make an acl that is a simple 'permit ip any any' and apply it to the inside interface. If this doesn't correct the issue then it's not really an ACL rule that's causing the issue. Possibly a nat or inspection rule.
I had to call Cisco in on this one. They did something on both ends to correct the problem, not exactly sure what was performed.
Featured Post
With the prevalence of social media & networking tools, for retailers, reputation is critical. Have you considered the impact your network security could have in your customer's experience? Learn more in our Retail Security Resource Kit Today!
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
WARNING:
If you follow the instructions here, you will wipe out your VTP and VLAN configurations. Make sure you have backed up your switch!!!
I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’
As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:
• Key questions to ask when considering a partnership to accelerate your business into the cloud
• Pitfalls and mistakes other partners…
Suggested Courses
Course of the Month4 days, left to enroll
Earn Certification
Cisco CCNA Collaboration: CIVND2
$197.00$177.30
Earn Certification
Cisco CCNA Security: IINS v3.0
$197.00$177.30
690 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.