Solved

ASA 5520/5505 VPN tunnel up, but not passing traffic

Posted on 2012-12-20
Last Modified: 2013-01-05
Hello experts!

I have a 5520 in the core, and a 5505 in the field (currently the only peer). 172.18.4.0/24 is an Ethernet hop into the core network, which is 10.1.x.x. Other networks directly connected to the core are 10.4.0.0/16, etc. The remote LAN connected to the 5505 is 10.6.0.0/16. There is a tunnel up between them but no traffic is flowing. There is no NAT’ing on the core 5520, but the 5505 does NAT for local Internet access.

Packet tracing in ASDM yields “Flow denied by configured rule”, and points toward the implicit deny on the inside ACL.  I have been over and over the crypto maps, and those match perfectly.  I’m pretty sure the NAT exempt rules are configured correctly.  Can you please help me diagnose this problem?


---HQ LOCATION---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 12.12.12.196 255.255.255.224
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.18.4.2 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
same-security-traffic permit inter-interface
access-list outside_cryptomap extended permit ip 172.18.4.0 255.255.255.0 10.6.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.6.0.0 255.255.0.0
access-list outside_access_in extended permit ip host 64.64.64.115 any
access-list outside_access_in extended permit icmp any any
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outside_access_in in interface outside
!
route outside 0.0.0.0 0.0.0.0 12.12.12.129 1
route inside 10.1.0.0 255.255.0.0 172.18.4.1 1
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map2 1 match address outside_cryptomap
crypto map outside_map2 1 set pfs
crypto map outside_map2 1 set peer 64.64.64.115
crypto map outside_map2 1 set transform-set ESP-3DES-SHA
crypto map outside_map2 1 set reverse-route
crypto map outside_map2 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol l2tp-ipsec webvpn
group-policy FLT-GroupPolicy internal
group-policy FLT-GroupPolicy attributes
 vpn-tunnel-protocol IPSec
username backup password Saxs0hwa830QwQou encrypted privilege 15
username admin password 85UF/HTq2OEoPvjy encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *****
tunnel-group 64.64.64.115 type ipsec-l2l
tunnel-group 64.64.64.115 general-attributes
 default-group-policy FLT-GroupPolicy
tunnel-group 64.64.64.115 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map

  inspect ip-options
!
service-policy global_policy global



-----REMOTE SIDE-----

interface Vlan1
nameif inside
security-level 100
ip address 10.6.0.1 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address 64.64.64.115 255.255.255.240
!
access-list outside_cryptomap extended permit ip 10.6.0.0 255.255.0.0 172.18.4.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.6.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list outside_access_in extended permit ip host 12.12.12.196 any
access-list outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip 10.6.0.0 255.255.0.0 172.18.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.6.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 172.18.4.0 255.255.255.0 10.6.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 64.64.64.121 netmask 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.6.0.0 255.255.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.64.64.113 1

dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
http server enable
http 10.6.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map3 1 match address outside_cryptomap
crypto map outside_map3 1 set pfs
crypto map outside_map3 1 set peer 12.12.12.196
crypto map outside_map3 1 set transform-set ESP-3DES-SHA
crypto map outside_map3 1 set reverse-route
crypto map outside_map3 interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal

webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol l2tp-ipsec webvpn
group-policy ITO-GrpPolicy internal
group-policy ITO-GrpPolicy attributes
vpn-tunnel-protocol IPSec
username admin password 85UF/HTq2OEoPvjy encrypted privilege 15
tunnel-group 12.12.12.196 type ipsec-l2l
tunnel-group 12.12.12.196 general-attributes
default-group-policy ITO-GrpPolicy
tunnel-group 12.12.12.196 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
 message-length maximum client auto
 message-length maximum 512
policy-map global_policy
class inspection_default
 inspect dns preset_dns_map
 …
 inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Question by: David Blair

6 Comments
LVL 20

Expert Comment

by:rauenpc
I don't see any nat rules on the core ASA. Also, on the remote asa your nonat rules make sense except the last acl line.
access-list inside_nat0_outbound extended permit ip 172.18.4.0 255.255.255.0 10.6.0.0 255.255.0.0


That line will never match because traffic will never hit the inside interface of that asa with a source of 172.18.4.0/24, rather only a destination. This acl line doesn't hurt anything, but it doesn't help.

At a quick glance everything else looks fine with the exception of the nat rules (or lack thereof) on the core side. Both sides need nonat rules.
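The two observations in this comment (the core side has no NAT-exempt entries at all, and the third `inside_nat0_outbound` line on the 5505 matches no traffic in its direction) can be checked mechanically. The script below is an added example written for this thread, not code from the original post or from Cisco: it parses the `access-list ... permit ip` entries plus the `crypto map ... match address` and `nat (inside) 0 access-list` statements of each peer, confirms the two crypto ACLs are exact mirror images, and then lists crypto entries with no NAT-exempt entry on the same peer and NAT-exempt entries that cover no crypto entry. The embedded config excerpts are the relevant lines from the question's two configs with the terminal line-wraps joined; the function names and the finding labels are my own.

```python
"""Audit two ASA 8.2-style peers for mirrored crypto ACLs and NAT-exempt coverage.

Config excerpts below are the relevant lines from the question's two configs
(terminal line-wraps joined); the checks and all names are constructed for this example.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

HQ_CONFIG = """
access-list outside_cryptomap extended permit ip 172.18.4.0 255.255.255.0 10.6.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.6.0.0 255.255.0.0
crypto map outside_map2 1 match address outside_cryptomap
"""

REMOTE_CONFIG = """
access-list outside_cryptomap extended permit ip 10.6.0.0 255.255.0.0 172.18.4.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.6.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.6.0.0 255.255.0.0 172.18.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.6.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 172.18.4.0 255.255.255.0 10.6.0.0 255.255.0.0
crypto map outside_map3 1 match address outside_cryptomap
nat (inside) 0 access-list inside_nat0_outbound
"""

# A (source network, destination network) pair taken from one 'permit ip' entry.
Pair = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$", re.M)
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$", re.M)


def parse_acls(config: str) -> Dict[str, List[Pair]]:
    """Group 'permit ip <net> <mask> <net> <mask>' entries by ACL name.
    Only network/mask entries are handled; 'host'/'any' forms are skipped."""
    acls: Dict[str, List[Pair]] = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        name, src, smask, dst, dmask = m.groups()
        acls.setdefault(name, []).append(
            (ipaddress.IPv4Network(f"{src}/{smask}"), ipaddress.IPv4Network(f"{dst}/{dmask}"))
        )
    return acls


def crypto_acl(config: str) -> List[Pair]:
    """Entries of the ACL referenced by 'crypto map ... match address'."""
    m = CRYPTO_RE.search(config)
    if not m:
        raise ValueError("no 'crypto map ... match address' statement found")
    return parse_acls(config).get(m.group(1), [])


def nat_exempt_acl(config: str) -> List[Pair]:
    """Entries of the ACL referenced by 'nat (<ifc>) 0 access-list'; empty if absent."""
    m = NAT0_RE.search(config)
    return parse_acls(config).get(m.group(1), []) if m else []


def covers(exempt: Pair, crypto: Pair) -> bool:
    """A NAT-exempt entry covers a crypto entry when it contains both of its networks."""
    return crypto[0].subnet_of(exempt[0]) and crypto[1].subnet_of(exempt[1])


def audit_peer(local_cfg: str, peer_cfg: str) -> Dict[str, List[Pair]]:
    """Findings for one peer, given its own config and the far side's config."""
    crypto = crypto_acl(local_cfg)
    peer_crypto = set(crypto_acl(peer_cfg))
    exempt = nat_exempt_acl(local_cfg)
    return {
        # crypto entries whose (dst, src) mirror is missing on the far side
        "crypto_not_mirrored": [c for c in crypto if (c[1], c[0]) not in peer_crypto],
        # interesting traffic with no NAT-exempt entry on this peer
        "crypto_without_nat_exempt": [c for c in crypto if not any(covers(n, c) for n in exempt)],
        # NAT-exempt entries that match no interesting traffic in this direction
        "nat_exempt_without_crypto": [n for n in exempt if not any(covers(n, c) for c in crypto)],
    }


def report(label: str, findings: Dict[str, List[Pair]]) -> None:
    print(f"== {label} ==")
    for kind, pairs in findings.items():
        for src, dst in pairs:
            print(f"  {kind}: {src} -> {dst}")


if __name__ == "__main__":
    report("HQ 5520", audit_peer(HQ_CONFIG, REMOTE_CONFIG))
    report("remote 5505", audit_peer(REMOTE_CONFIG, HQ_CONFIG))
```

Run against the posted configs it reports both HQ crypto entries under `crypto_without_nat_exempt` and the 172.18.4.0/24 -> 10.6.0.0/16 line of the 5505 under `nat_exempt_without_crypto`, with no mirror mismatches on either side. The coverage test uses supernet containment rather than exact equality, so a single broad NAT-exempt entry (for example 10.0.0.0/8) is accepted as covering several narrower crypto entries.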
LVL 1

Author Comment

by:David Blair
Okay.  I figured since there was no NAT occurring on the core that those commands were not needed.  I added NAT exclusions to the core, and also removed the unnecessary line from the branch 5505.

Still, a packet trace on the branch ASA (ICMP from 10.6.0.1 to 172.18.4.1, for instance) shows packets dropped by a configured rule.  That rule appears to be the implicit deny on the inside ACL.

Ideas?
LVL 20

Expert Comment

by:rauenpc
Hmm... not exactly sure, but at this point it appears you have no acl at all on the inside interface on the remote side as well as the core side. This means that traffic will be allowed based on security level rules only - high can go to low. As a quick test you could make an acl that is a simple 'permit ip any any' and apply it to the inside interface. If this doesn't correct the issue then it's not really an ACL rule that's causing the issue. Possibly a nat or inspection rule.
LVL 3

Expert Comment

by:jwil320
Enable isakmp traversal on both ASAs:

crypto isakmp nat-traversal
LVL 1

Accepted Solution

by: David Blair (earned 0 total points)
I had to call Cisco in on this one.  They did something on both ends to correct the problem, not exactly sure what was performed.
LVL 1

Author Closing Comment

by:David Blair
Called Cisco support and had them fix the issue.
