I have created a tunnel between the 10.x.y.z network and 122.a.b.c. The tunnel is up and active, but when I try the packet tracer I get the ACTION as drop. I have also enabled same-security-traffic permit intra-interface. Can someone help me with what this drop means?

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Packet Tracer output

@Shane Madden: please find below the packet tracer output.

CASA5K-A#
CASA5K-A# config t
CASA5K-A(config)# packet-tracer input inside tcp 10.x.y.112 0 122.a.b.c 0

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

CASA5K-A(config)#

========================================================================

The access-groups are as follows:

access-group acl-inbound in interface outside
access-group acl-outbound in interface inside

and the access-lists are:

access-list acl-inbound extended permit tcp any any gt 1023
access-list acl-outbound extended permit ip object-group net-Source object net-dest

+===================================================================================

@ShaneMadden: I see the hit count on acl-outbound increase, but I still see the packet tracer ACTION as Dropped :(

ghp
  • This is of very urgent ...any help is greatly appreciated. Thanks in advance. – ghp Jun 27 '12 at 16:02
  • Can you post some of your config? – ewwhite Jun 27 '12 at 16:06
  • @peter !! , I see the tunnel active, here's what I have configured for the tunnel using CLI, *** SOURCE & DEST objects *** object-group network net-Source network-object 10.xx.yy.0 255.255.248.0 network-object 10.aa.bb.0 255.255.255.0 object network net-dest host 122.i.p.q **** allowing interested traffic on the tunnel *** access-list VPN-TUNNEL extended permit ip object-group net-Source object net-dest ***** the NAT EXEMPTION **** nat (inside,outside) source static net-Source net-Source destination static net-dest net-dest – ghp Jun 27 '12 at 17:49
  • @ghp Can you provide the full `packet-tracer` output, as well as the relevant (VPN and NAT) portions of your configuration? Edit your question instead of adding them as comments, since the comments don't allow the kind of formatting needed. – Shane Madden Jun 27 '12 at 18:22
  • @ShaneMadden : Have edited my question..with the packet tracer output. – ghp Jun 27 '12 at 20:17
  • @ghp It's not making it as far as the VPN - the traffic isn't being allowed through the interface ACL. What's your `access-group` for the inside and outside interfaces look like, and the related access lists? – Shane Madden Jun 27 '12 at 20:33
  • The access-group are as follows : – ghp Jun 27 '12 at 20:41
  • @Shane Madden: Have added the access-group details in the question ... thanks for your time, your help is much appreciated and anticipating a solution. Thanks – ghp Jun 27 '12 at 20:47
  • @ShaneMadden: Have added the access-group details in the question ... thanks for your time, your help is much appreciated and anticipating a solution. Thanks – ghp Jun 27 '12 at 20:56
  • @ghp What are those object groups defined as in the `acl-outbound` ACL? `net-Source` and `net-dest` - what addresses or ranges are included there? – Shane Madden Jun 27 '12 at 20:59
  • @ShaneMadden: *** SOURCE & DEST objects *** object-group network net-Source network-object 10.xx.yy.0 255.255.248.0 network-object 10.aa.bb.0 255.255.255.0 object network net-dest host 122.i.p.q – ghp Jun 27 '12 at 21:05
  • the net-source is my lan network, and the net-dest is the peer on the other end of the tunnel. – ghp Jun 27 '12 at 21:06
  • On my firewall ASA-5520, this source and destination objects... I have allowed this traffic on the tunnel through the access-list VPN-TUNNEL, and also exempted the traffic from NATting as follows: **** allowing interested traffic on the tunnel *** access-list VPN-TUNNEL extended permit ip object-group net-Source object net-dest ***** the NAT EXEMPTION **** nat (inside,outside) source static net-Source net-Source destination static net-dest net-dest – ghp Jun 27 '12 at 21:11
  • @ghp Does the `acl-outbound` line have a non-zero hit counter when you check `show access-list`? Verify that the addresses you're setting in your `packet-tracer` are within those object groups; the traffic isn't getting through that ACL. Also, try configuring a second line on the outbound ACL so that we can confirm the right ACL is being used. Set `access-list acl-outbound extended deny ip any any` then re-run the `packet-tracer`. – Shane Madden Jun 27 '12 at 21:30
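The diagnosis in the thread comes down to two questions: which packet-tracer phase produced the DROP (here Phase 2, ACCESS-LIST, "Implicit Rule", so no ACE matched and the packet never reached the NAT or VPN phases), and whether the traced source and destination actually fall inside the object-group and object that the `acl-outbound` permit line references. The script below is an added example, not code from the thread or from Cisco: it parses packet-tracer output of the shape shown in the question and checks address membership against `object-group network` / `object network` definitions. The addresses in the constructed samples are placeholders standing in for the anonymised 10.xx.yy.0/21, 10.aa.bb.0/24 and 122.i.p.q values; the object parser handles only the `network-object A MASK`, `host A` and `subnet A MASK` forms used here.

```python
"""Triage helper for ASA packet-tracer output (added example, not from the thread)."""
import ipaddress
import re

# Constructed sample: the trace from the question, phases separated by blank lines.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed object definitions in the shape used in the question; the
# addresses are placeholders for the anonymised values in the thread.
SAMPLE_OBJECTS = """\
object-group network net-Source
 network-object 10.20.16.0 255.255.248.0
 network-object 10.30.5.0 255.255.255.0
object network net-dest
 host 203.0.113.10
"""


def parse_phases(trace):
    """Return one dict per 'Phase:' block with its phase number, Type, Result and Config text."""
    phases = []
    for block in re.split(r"\n\s*\n", trace.strip()):
        lines = block.splitlines()
        if not lines[0].startswith("Phase:"):
            continue  # the trailing 'Result:' summary is not a phase
        info = {"phase": int(lines[0].split(":", 1)[1]), "type": "", "result": "", "config": ""}
        in_config = False
        for line in lines[1:]:
            if line.startswith("Type:"):
                info["type"] = line.split(":", 1)[1].strip()
            elif line.startswith("Result:"):
                info["result"] = line.split(":", 1)[1].strip()
            elif line.startswith("Config:"):
                in_config = True  # lines up to 'Additional Information:' are the matched config
            elif line.startswith("Additional Information:"):
                in_config = False
            elif in_config:
                info["config"] = (info["config"] + " " + line.strip()).strip()
        phases.append(info)
    return phases


def first_drop(trace):
    """Return the first phase whose Result is DROP, or None when every phase allowed the packet."""
    for phase in parse_phases(trace):
        if phase["result"] == "DROP":
            return phase
    return None


def parse_network_objects(config):
    """Map each object / object-group name to the list of ip_network values it contains."""
    objects, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"object(?:-group)? network (\S+)$", line)
        if header:
            current = header.group(1)
            objects[current] = []
            continue
        if current is None or not line:
            continue
        host = re.match(r"(?:network-object )?host (\S+)$", line)
        if host:
            objects[current].append(ipaddress.ip_network(host.group(1)))
            continue
        subnet = re.match(r"(?:network-object|subnet) (\S+) (\S+)$", line)
        if subnet:
            objects[current].append(
                ipaddress.ip_network(f"{subnet.group(1)}/{subnet.group(2)}", strict=False))
    return objects


def contains(objects, name, address):
    """True when the address falls inside any member of the named object / object-group."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in objects[name])


def triage(trace, objects, src, dst, src_group, dst_group):
    """Report where the packet was dropped and, for an ACL drop, whether src/dst match the objects."""
    drop = first_drop(trace)
    if drop is None:
        return ["allowed: no phase dropped the packet"]
    findings = [f"dropped at phase {drop['phase']} ({drop['type']}): {drop['config'] or 'no config shown'}"]
    if drop["type"] == "ACCESS-LIST":
        # 'Implicit Rule' means no ACE matched, so confirm the traced addresses are in the objects.
        findings.append(f"{src} in {src_group}: {contains(objects, src_group, src)}")
        findings.append(f"{dst} in {dst_group}: {contains(objects, dst_group, dst)}")
    return findings


if __name__ == "__main__":
    objs = parse_network_objects(SAMPLE_OBJECTS)
    for line in triage(SAMPLE_TRACE, objs, "10.20.24.112", "203.0.113.10", "net-Source", "net-dest"):
        print(line)
```

Run against the sample, a source of 10.20.24.112 is reported as outside net-Source (the /21 covers 10.20.16.0 to 10.20.23.255), which is exactly the mismatch that produces an "Implicit Rule" drop before the NAT and VPN phases are ever evaluated; a source inside the group shifts the investigation to the crypto ACL and NAT exemption instead.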

1 Answer

The typical issue with Cisco L2L VPNs tends to be tied to setting NAT exemption rules for your "interesting" traffic. Did you verify that the tunnel is up via sh ipsec sa and sh isakmp sa? Are you using the CLI only, or did you set up the tunnel via the ASDM?

ewwhite
  • object-group network net-Source network-object 10.xx.yy.0 255.255.248.0 network-object 10.aa.bb.0 255.255.255.0 – ghp Jun 27 '12 at 17:39
  • ! , I see the tunnel active, here's what I have configured for the tunnel using CLI, *** SOURCE & DEST objects *** object-group network net-Source network-object 10.xx.yy.0 255.255.248.0 network-object 10.aa.bb.0 255.255.255.0 object network net-dest host 122.i.p.q **** allowing interested traffic on the tunnel *** access-list VPN-TUNNEL extended permit ip object-group net-Source object net-dest ***** the NAT EXEMPTION **** nat (inside,outside) source static net-Source net-Source destination static net-dest net-dest – ghp Jun 27 '12 at 17:50
  • The crypto ACL for the tunnel is also allowed. crypto map outside_map_tunnel 20 match address VPN-TUNNEL ... I'm just banging my head ... what is the ACTION: DROP. – ghp Jun 27 '12 at 18:01
  • @ghp, he didn't mention the object-group or tunnel ACL. He said the NAT ACL, check it. – Chris S Jun 27 '12 at 18:48