Solved

ASA 5520/5505 VPN tunnel up, but not passing traffic

Posted on 2012-12-20
Last Modified: 2013-01-05
Hello experts!

I have a 5520 in the core, and a 5505 in the field (currently the only peer). 172.18.4.0/24 is an Ethernet hop into the core network, which is 10.1.x.x. Other networks directly connected to the core are 10.4.0.0/16, etc. The remote LAN connected to the 5505 is 10.6.0.0/16. There is a tunnel up between them but no traffic is flowing. There is no NAT’ing on the core 5520, but the 5505 does NAT for local Internet access.

Packet tracing in ASDM yields “Flow denied by configured rule”, and points toward the implicit deny on the inside ACL.  I have been over and over the crypto maps, and those match perfectly.  I’m pretty sure the NAT exempt rules are configured correctly.  Can you please help me diagnose this problem?


---HQ LOCATION---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 12.12.12.196 255.255.255.224
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.18.4.2 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
same-security-traffic permit inter-interface
access-list outside_cryptomap extended permit ip 172.18.4.0 255.255.255.0 10.6.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.6.0.0 255.255.0.0
access-list outside_access_in extended permit ip host 64.64.64.115 any
access-list outside_access_in extended permit icmp any any
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outside_access_in in interface outside
!
route outside 0.0.0.0 0.0.0.0 12.12.12.129 1
route inside 10.1.0.0 255.255.0.0 172.18.4.1 1
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map2 1 match address outside_cryptomap
crypto map outside_map2 1 set pfs
crypto map outside_map2 1 set peer 64.64.64.115
crypto map outside_map2 1 set transform-set ESP-3DES-SHA
crypto map outside_map2 1 set reverse-route
crypto map outside_map2 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol l2tp-ipsec webvpn
group-policy FLT-GroupPolicy internal
group-policy FLT-GroupPolicy attributes
 vpn-tunnel-protocol IPSec
username backup password Saxs0hwa830QwQou encrypted privilege 15
username admin password 85UF/HTq2OEoPvjy encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *****
tunnel-group 64.64.64.115 type ipsec-l2l
tunnel-group 64.64.64.115 general-attributes
 default-group-policy FLT-GroupPolicy
tunnel-group 64.64.64.115 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map

  inspect ip-options
!
service-policy global_policy global



-----REMOTE SIDE-----

interface Vlan1
nameif inside
security-level 100
ip address 10.6.0.1 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address 64.64.64.115 255.255.255.240
!
access-list outside_cryptomap extended permit ip 10.6.0.0 255.255.0.0 172.18.4.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.6.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list outside_access_in extended permit ip host 12.12.12.196 any
access-list outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip 10.6.0.0 255.255.0.0 172.18.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.6.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 172.18.4.0 255.255.255.0 10.6.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 64.64.64.121 netmask 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.6.0.0 255.255.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.64.64.113 1

dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
http server enable
http 10.6.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map3 1 match address outside_cryptomap
crypto map outside_map3 1 set pfs
crypto map outside_map3 1 set peer 12.12.12.196
crypto map outside_map3 1 set transform-set ESP-3DES-SHA
crypto map outside_map3 1 set reverse-route
crypto map outside_map3 interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal

webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol l2tp-ipsec webvpn
group-policy ITO-GrpPolicy internal
group-policy ITO-GrpPolicy attributes
vpn-tunnel-protocol IPSec
username admin password 85UF/HTq2OEoPvjy encrypted privilege 15
tunnel-group 12.12.12.196 type ipsec-l2l
tunnel-group 12.12.12.196 general-attributes
default-group-policy ITO-GrpPolicy
tunnel-group 12.12.12.196 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
 message-length maximum client auto
 message-length maximum 512
policy-map global_policy
class inspection_default
 inspect dns preset_dns_map
 …
 inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Question by: David Blair

6 Comments
Expert Comment by: rauenpc (LVL 20), ID: 38711930
I don't see any nat rules on the core ASA. Also, on the remote asa your nonat rules make sense except the last acl line.
access-list inside_nat0_outbound extended permit ip 172.18.4.0 255.255.255.0 10.6.0.0 255.255.0.0


That line will never match because traffic will never hit the inside interface of that asa with a source of 172.18.4.0/24, rather only a destination. This acl line doesn't hurt anything, but it doesn't help.

At a quick glance everything else looks fine with the exception of the nat rules (or lack thereof) on the core side. Both sides need nonat rules.
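A way to check the two listings for exactly the things discussed above (mirrored crypto ACLs, nat 0 coverage on each side, and nat 0 entries that can never match on the inside interface), as an added example that is not code from this thread or from Cisco. The embedded configs are constructed from the access-list lines quoted in the question, with the HQ side left as posted (no nat 0 list); the inside networks passed to the checks are assumptions taken from the routes shown there.

```python
"""Consistency checks for a Cisco ASA IPsec site-to-site pair.

Added example (not from the thread above). It parses the 'access-list ... extended
permit ip' lines of both peers and reports:
  * crypto-ACL entries with no exact mirror (src/dst swapped) on the peer,
  * crypto-ACL entries not covered by that side's nat 0 exemption list,
  * nat 0 entries whose source is not a local inside network (they never match
    traffic entering the inside interface, which is the point rauenpc made).
The configs below are constructed from the lines quoted in the question.
"""
import ipaddress

# HQ 5520 as posted: crypto ACL present, no nat 0 list at all.
HQ_CONFIG = """\
access-list outside_cryptomap extended permit ip 172.18.4.0 255.255.255.0 10.6.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.6.0.0 255.255.0.0
access-list outside_access_in extended permit ip host 64.64.64.115 any
access-list outside_access_in extended permit icmp any any
"""

# Remote 5505 as posted, including the nat 0 entry with a reversed source.
REMOTE_CONFIG = """\
access-list outside_cryptomap extended permit ip 10.6.0.0 255.255.0.0 172.18.4.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.6.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list outside_access_in extended permit ip host 12.12.12.196 any
access-list inside_nat0_outbound extended permit ip 10.6.0.0 255.255.0.0 172.18.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.6.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 172.18.4.0 255.255.255.0 10.6.0.0 255.255.0.0
"""

# Assumed from the routes in the question: networks behind each inside interface.
HQ_INSIDE = ["172.18.4.0/24", "10.0.0.0/8"]
REMOTE_INSIDE = ["10.6.0.0/16"]


def _parse_addr(tok, i):
    """Return (network, next index) for an ASA address spec: any | host A | A MASK."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # "A MASK" with a dotted netmask; ip_network accepts the dotted form directly
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_acls(config):
    """Map ACL name -> list of (src_net, dst_net) for 'extended permit ip' entries.

    Other protocols (icmp, tcp ...) and deny entries are ignored: only plain IP
    entries are meaningful in crypto and nat 0 lists.
    """
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2:5] != ["extended", "permit", "ip"]:
            continue
        src, i = _parse_addr(tok, 5)
        dst, _ = _parse_addr(tok, i)
        acls.setdefault(tok[1], []).append((src, dst))
    return acls


def mirror_gaps(local, peer):
    """Local crypto entries (src, dst) for which the peer has no (dst, src) entry."""
    mirrored = {(d, s) for s, d in peer}
    return [e for e in local if e not in mirrored]


def nat0_gaps(crypto, nat0):
    """Crypto entries whose src/dst pair is not covered by any nat 0 entry."""
    return [(s, d) for s, d in crypto
            if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nat0)]


def dead_nat0_entries(nat0, inside_nets):
    """nat 0 entries whose source can never be a source on the inside interface."""
    nets = [ipaddress.ip_network(n) for n in inside_nets]
    return [(s, d) for s, d in nat0 if not any(s.overlaps(n) for n in nets)]


def run_checks(hq_cfg, remote_cfg, hq_inside, remote_inside,
               crypto="outside_cryptomap", nat0="inside_nat0_outbound"):
    """Run all three checks in both directions; every list should be empty."""
    hq, rm = parse_acls(hq_cfg), parse_acls(remote_cfg)
    hq_c, rm_c = hq.get(crypto, []), rm.get(crypto, [])
    hq_n, rm_n = hq.get(nat0, []), rm.get(nat0, [])
    return {
        "hq_mirror_gaps": mirror_gaps(hq_c, rm_c),
        "remote_mirror_gaps": mirror_gaps(rm_c, hq_c),
        "hq_nat0_gaps": nat0_gaps(hq_c, hq_n),
        "remote_nat0_gaps": nat0_gaps(rm_c, rm_n),
        "hq_dead_nat0": dead_nat0_entries(hq_n, hq_inside),
        "remote_dead_nat0": dead_nat0_entries(rm_n, remote_inside),
    }


if __name__ == "__main__":
    for name, entries in run_checks(HQ_CONFIG, REMOTE_CONFIG, HQ_INSIDE, REMOTE_INSIDE).items():
        print(f"{name}: {[f'{s} -> {d}' for s, d in entries] or 'OK'}")
```

Run against the listings as posted, the crypto ACLs come out mirrored on both sides, the HQ side shows both crypto entries without a nat 0 exemption, and the 5505 shows the one nat 0 entry whose source (172.18.4.0/24) is never seen inbound on its inside interface. On a correctly paired configuration every line prints OK.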
Author Comment by: David Blair (LVL 1), ID: 38713195
Okay.  I figured since there was no NAT occurring on the core that those commands were not needed.  I added NAT exclusions to the core, and also removed the unnecessary line from the branch 5505.

Still, a packet trace on the branch ASA (ICMP from 10.6.0.1 to 172.18.4.1, for instance) shows packets dropped by a configured rule.  That rule appears to be the implicit deny on the inside ACL.

Ideas?
Expert Comment by: rauenpc (LVL 20), ID: 38713258
Hmm... not exactly sure, but at this point it appears you have no acl at all on the inside interface on the remote side as well as the core side. This means that traffic will be allowed based on security level rules only - high can go to low. As a quick test you could make an acl that is a simple 'permit ip any any' and apply it to the inside interface. If this doesn't correct the issue then it's not really an ACL rule that's causing the issue. Possibly a nat or inspection rule.
Expert Comment by: jwil320 (LVL 3), ID: 38725550
Enable isakmp traversal on both ASAs:

crypto isakmp nat-traversal
Accepted Solution by: David Blair (LVL 1, earned 0 total points), ID: 38732566
I had to call Cisco in on this one.  They did something on both ends to correct the problem, not exactly sure what was performed.
Author Closing Comment by: David Blair (LVL 1), ID: 38746450
Called Cisco support and had them fix the issue.