+ Reply to Thread
Results 1 to 10 of 10
  1. Junior Member Registered Member
    Join Date
    Jul 2015
    Posts
    6
    #1

    Default flow is denied by configured rule (acl-drop)

    Hii everyone, I have site to site VPN setup from Branch office to an asa in DC(remote location). Tunnel is formed and VPN is up, only some of the machines in our Branch office are able to use VPN. When I did packet tracer on outside interface, I found the following flow is denied by configured rule (acl-drop). Please I need your advise.

    Thanks!!
    Reply With Quote Quote  

  2. SS -->
  3. They are watching you NetworkNewb's Avatar
    Join Date
    Feb 2015
    Location
    Off the grid
    Posts
    2,556

    Certifications
    A+/Net+/Sec+, CCENT, CCNA:Sec, CCSK, GCIH
    #2
    Does it have a max number of connections set somewhere?
    Reply With Quote Quote  

  4. Padawan d4nz1g's Avatar
    Join Date
    May 2013
    Location
    Brazil
    Posts
    417

    Certifications
    CCNP, BCNE, CCNA, CCNA Sec, MCSA2k8, IPv6 Silver
    #3
    Post your config so we can assist you on this one
    2017 - CCIE RS
    Labbing, labbing, labbing.
    Reply With Quote Quote  

  5. Junior Member Registered Member
    Join Date
    Jul 2015
    Posts
    6
    #4
    No, I did not set any connection limit.
    Reply With Quote Quote  

  6. Junior Member Registered Member
    Join Date
    Jul 2015
    Posts
    6
    #5

    Default configuration

    Avni-Networks(config)# sh run
    : Saved
    :
    ASA Version 9.1(1)
    !
    hostname Avni-Networks
    enable password
    passwd
    names
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address X.X.X.X 255.255.255.248
    !
    interface Ethernet0/1
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.2 255.255.255.0
    !
    ftp mode passive
    object network Local_Lan
    subnet 192.168.1.0 255.255.255.0
    object network DC_Lan
    subnet 10.1.12.0 255.255.255.0
    object-group network DM_INLINE_NETWORK_1
    network-object 10.1.0.0 255.255.224.0
    network-object object DC_Lan
    object-group service Allowed_Ports tcp
    port-object eq www
    port-object eq https
    port-object range ftp telnet
    port-object range 9000 9999
    access-list Lan-Lan extended permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.224.0
    access-list Lan_Outside extended permit icmp any 10.1.0.0 255.255.224.0
    access-list Lan_Outside extended permit tcp 192.168.1.0 255.255.255.0 10.1.0.0 255.255.224.0 object-group Allowed_Ports
    access-list InsideToOutside_FromInsideIf extended permit icmp 192.168.1.0 255.255.255.0 any
    access-list InsideToOutside_FromInsideIf extended permit tcp 192.168.1.0 255.255.255.0 10.1.0.0 255.255.224.0 object-group Allowed_Ports
    pager lines 24
    logging buffer-size 10000
    logging console debugging
    mtu management 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-711-52.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (management,outside) source static Local_Lan Local_Lan destination static DC_Lan DC_Lan
    access-group InsideToOutside_FromInsideIf in interface management
    access-group Lan_Outside out interface outside
    route outside 0.0.0.0 0.0.0.0 xxxx 1
    route outside 10.1.0.0 255.255.224.0 xxxx 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec security-association pmtu-aging infinite
    crypto map vpnmap 1 match address Lan-Lan
    crypto map vpnmap 1 set peer xxxx
    crypto map vpnmap 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map vpnmap interface outside
    crypto ca trustpool policy
    crypto isakmp identity address
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400
    crypto ikev1 policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 management
    ssh timeout 30
    ssh version 2
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy GroupPolicy_xxxx internal
    group-policy GroupPolicy_xxxx attributes
    vpn-tunnel-protocol ikev1
    username avniadmin password oyUYKZXvk1Ck2rYS encrypted privilege 15
    tunnel-group xxxx type ipsec-l2l
    tunnel-group xxxx general-attributes
    default-group-policy GroupPolicy_xxxx
    tunnel-group xxxx ipsec-attributes
    ikev1 pre-shared-key *****
    !
    class-map icmp-map
    match default-inspection-traffic
    class-map inspection-default
    match default-inspection-traffic
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map global-policy
    class inspection_default
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect ip-options
    inspect ipsec-pass-thru
    inspect icmp
    policy-map icmp-policy
    class icmp-map
    inspect http
    inspect icmp
    !
    service-policy global-policy global
    service-policy icmp-policy interface outside
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/...es/DDCEService
    destination address email callhome@cisco.com
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:73de74061a5e4f21fab33715ea87da24
    : end
    Last edited by yashh; 07-25-2015 at 08:53 AM.
    Reply With Quote Quote  

  7. Junior Member Registered Member
    Join Date
    Jul 2015
    Posts
    6
    #6
    Yes, I did but it is in waiting list for moderators confirmation.
    Reply With Quote Quote  

  8. They are watching you NetworkNewb's Avatar
    Join Date
    Feb 2015
    Location
    Off the grid
    Posts
    2,556

    Certifications
    A+/Net+/Sec+, CCENT, CCNA:Sec, CCSK, GCIH
    #7
    Quote Originally Posted by yashh View Post
    No, I did not set any connection limit.
    On the server as well? On the actual server there could be a remote connections limit set.
    Reply With Quote Quote  

  9. Junior Member Registered Member
    Join Date
    Jul 2015
    Posts
    6
    #8
    No. there is no sever in this picture.
    Reply With Quote Quote  

  10. Padawan d4nz1g's Avatar
    Join Date
    May 2013
    Location
    Brazil
    Posts
    417

    Certifications
    CCNP, BCNE, CCNA, CCNA Sec, MCSA2k8, IPv6 Silver
    #9
    Double check your encryption domains and NAT statements.
    2017 - CCIE RS
    Labbing, labbing, labbing.
    Reply With Quote Quote  

  11. Junior Member Registered Member
    Join Date
    Jul 2015
    Posts
    6
    #10
    Now all the machines are able to connect to VPN after adding an ACL on outside interface in 'out' direction; access-list XXX ext permit icmp 192.168.1.0/24 10.1.0.0/19. But my doubt is, I have added inspect icmp to policymap on interface and global too, it allow all the machines, but after adding the above acl, all machines are being allowed. Where do you guys think, I am going wrong??
    Reply With Quote Quote  

+ Reply to Thread

Social Networking & Bookmarks