Re: ASA FW site-to-site vpn setup with Netscreen FW

From: kawaii mak <kawaii00mak_at_gmail.com>
Date: Thu, 17 Mar 2011 11:52:35 +0800

> Dear Ryan, Prof, and all,
>
> Seems the packet can't get through the outside of the ASA5520 per packet-tracer, and
> the action is drop in the last step. Is anything wrong in the configuration??
>
   Also, a denied ICMP log was overlooked before, which occurs after
tunnel negotiation was completed and even when no ICMP traffic was generated
between both sides.
   P'se help!!! Thank you very much!!!!

>
>
> ASAFW/pri/act# packet-tracer input inside icmp 10.194.0.56 8 0
> 192.168.1.100 det
>
> Phase: 1
> Type: ACCESS-LIST
> Subtype:
> Result: ALLOW
> Config:
> Implicit Rule
> Additional Information:
> Forward Flow based lookup yields rule:
> in id=0x73ba30e8, priority=1, domain=permit, deny=false
> hits=4889947683, user_data=0x0, cs_id=0x0, l3_type=0x8
> src mac=0000.0000.0000, mask=0000.0000.0000
> dst mac=0000.0000.0000, mask=0100.0000.0000
>
> Phase: 2
> Type: FLOW-LOOKUP
> Subtype:
> Result: ALLOW
> Config:
> Additional Information:
> Found no matching flow, creating a new flow
>
> Phase: 3
> Type: ROUTE-LOOKUP
> Subtype: input
> Result: ALLOW
> Config:
> Additional Information:
> in 192.168.1.100 255.255.255.255 outside
>
> Phase: 4
> Type: ACCESS-LIST
> Subtype: log
> Result: ALLOW
> Config:
> access-group from-inside-to-internet in interface inside
> access-list from-inside-to-internet extended permit icmp any any
> Additional Information:
> Forward Flow based lookup yields rule:
> in id=0x742ac240, priority=12, domain=permit, deny=false
> hits=284, user_data=0x6d7d4540, cs_id=0x0, flags=0x0, protocol=1
> src ip=0.0.0.0, mask=0.0.0.0, port=0
> dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
>
> Phase: 5
> Type: IP-OPTIONS
> Subtype:
> Result: ALLOW
> Config:
> Additional Information:
> Forward Flow based lookup yields rule:
> in id=0x73ba5708, priority=0, domain=inspect-ip-options, deny=true
> hits=78903994, user_data=0x0, cs_id=0x0, reverse, flags=0x0,
> protocol=0
> src ip=0.0.0.0, mask=0.0.0.0, port=0
> dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
>
> Phase: 6
> Type: INSPECT
> Subtype: np-inspect
> Result: ALLOW
> Config:
> Additional Information:
> Forward Flow based lookup yields rule:
> in id=0x73ba5380, priority=66, domain=inspect-icmp-error, deny=false
> hits=298, user_data=0x73ba5268, cs_id=0x0, use_real_addr,
> flags=0x0, protocol=1
> src ip=0.0.0.0, mask=0.0.0.0, port=0
> dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
>
> Phase: 7
> Type: ACCESS-LIST
> Subtype: vpn-user
> Result: DROP
> Config:
> Additional Information:
> Forward Flow based lookup yields rule:
> out id=0x73298b68, priority=11, domain=vpn-user, deny=true
> hits=3918, user_data=0x6d7d4c40, filter_id=0x0(-implicit deny-),
> protocol=0
> src ip=0.0.0.0, mask=0.0.0.0, port=0
> dst ip=0.0.0.0, mask=0.0.0.0, port=0
>
> Result:
> input-interface: inside
> input-status: up
> input-line-status: up
> output-interface: outside
> output-status: up
> output-line-status: up
> Action: drop
> Drop-reason: (acl-drop) Flow is denied by configured rule
>
>
>
ASA FW log
============
 4|Mar 17 2011 11:15:41|402116: IPSEC: Received an ESP packet (SPI=
0x27E0AAA0, sequence number= 0xE) from 210.177.107.18 (user= 210.177.107.18)
to 203.198.23.209. The decapsulated inner packet doesn't match the
negotiated policy in the SA. The packet specifies its destination as
203.198.23.209, its source as 210.177.107.18, and its protocol as 1. The SA
specifies its local proxy as 10.194.0.56/255.255.255.255/0/0 and its
remote_proxy as 192.168.1.100/255.255.255.255/0/0.
3|Mar 17 2011 11:15:41|313001: Denied ICMP type=8, code=0 from
210.177.107.18 on interface outside

>
> 2011/3/17 Ryan West <rwest_at_zyedge.com>
>
>> Prof is right, I read that wrong this AM. If it's not routing from the
>> ASA / internal network, it's probably a no-NAT issue.
>>
>> Try packet-tracer input inside icmp 10.194.0.56 8 0 192.168.1.100 det
>> and see if it's failing any of the steps (ACL or NAT). You may need to run
>> the command twice if it makes it to the tunnel step.
>>
>>
>>
>> -ryan
>>
>>
>>
>> *From:* Mad_Prof [mailto:dr3d3m3nt0_at_gmail.com]
>> *Sent:* Wednesday, March 16, 2011 3:35 PM
>> *To:* Ryan West
>> *Cc:* Abiola Jewoola; kawaii mak; Cisco certification
>>
>> *Subject:* Re: ASA FW site-to-site vpn setup with Netscreen FW
>>
>>
>>
>> The ASA is not returning any traffic and Phase 2 has formed correctly.
>> Verify if the address local to the ASA's network knows how to route back
>> to ASA.
>>
>>
>>
>>
>>
>> On Wed, Mar 16, 2011 at 4:42 AM, Ryan West <rwest_at_zyedge.com> wrote:
>>
>> I'm a little rusty on netscreen, but it looks like you have your proxies
>> matching, but you might be missing a route on the netscreen. Are you doing
>> route/tunnel interface mode on your netscreen or policy based? If it's
>> route based, what do 'get vpn' and 'get route' show?
>>
>> You can use 'set ffilters src-ip=' and 'debug flow basic' and 'get db
>> stream' to see if it's hitting the crypto engine on the netscreen.
>>
>> Sent from handheld
>>
>>
>> On Mar 16, 2011, at 7:11 AM, "Abiola Jewoola" <biola_y2k_at_yahoo.com>
>> wrote:
>>
>> > Are you doing any NAT stuff on your ASA?
>> >
>> > --- On Wed, 3/16/11, Mad_Prof <dr3d3m3nt0_at_gmail.com> wrote:
>> >
>> > From: Mad_Prof <dr3d3m3nt0_at_gmail.com>
>> > Subject: Re: ASA FW site-to-site vpn setup with Netscreen FW
>> > To: "kawaii mak" <kawaii00mak_at_gmail.com>
>> > Cc: "Cisco certification" <ccielab_at_groupstudy.com>
>> > Date: Wednesday, March 16, 2011, 2:17 AM
>> >
>> > Compare the output of these commands:
>> >
>> > Netscreen
>> > get sa
>> > get sa id xxx
>> >
>> >
>> > ASA
>> > show crypto ipsec sa peer x.x.x.x
>> >
>> >
>> > This should be enough if Phase 2 is formed.
>> >
>> >
>> >
>> >
>> > On Wed, Mar 16, 2011 at 1:25 AM, kawaii mak <kawaii00mak_at_gmail.com> wrote:
>> >
>> >> Dear Expert,
>> >> I have a question about a Cisco FW (ASA5520+ with v8.2(2)) setup to connect
>> >> a Netscreen SSG20 for a Site-to-Site VPN tunnel.
>> >> Tunnel negotiation was completed for Phase 1 & Phase 2. Private traffic was
>> >> initiated from the ASA side (10.194.x.x) to the Netscreen side (192.168.x.x),
>> >> but it seems to be unreachable. And some messages occur in the ASA while
>> >> packets return back from the Netscreen side, as follows. Is anything wrong
>> >> in the configuration to trigger these messages????
>> >> P'se help!!! Thanks.
>> >>
>> >> firewall log
>> >> ==============
>> >> 4|Mar 15 2011 12:26:53|402116: IPSEC: Received an ESP packet (SPI=
>> >> 0x24F592BC, sequence number= 0x1) from 210.x.x.x (user= 210.x.x.x) to
>> >> 203.x.x.x. The decapsulated inner packet doesn't match the negotiated
>> >> policy in the SA. The packet specifies its destination as 203.x.x.x, its
>> >> source as 210.x.x.x, and its protocol as 1. The SA specifies its local
>> >> proxy as 10.194.x.x/255.255.255.255/0/0 and its remote_proxy as
>> >> 192.168.x.x/255.255.255.255/0/0.
>> >>
>> >> Regards,
>> >> Kawaii
>> >>
>> >>
>> >> Blogs and organic groups at http://www.ccie.net
>> >>
>> >> _______________________________________________________________________
>> >> Subscription information may be found at:
>> >> http://www.groupstudy.com/list/CCIELab.html
>> >
>> > --
>> > It is said that if you know your enemies and know yourself, you will not be
>> > imperiled in a hundred battles; if you do not know your enemies but do know
>> > yourself, you will win one and lose one; if you do not know your enemies nor
>> > yourself, you will be imperiled in every single battle.
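The 402116 message in the log above already names the mismatch: the inner packet's source and destination versus the proxy IDs the ASA negotiated in Phase 2. As an added example (not from this thread or from Cisco), this Python parses that message and reports which side of the proxy identity the inner packet falls outside; SAMPLE_LOG is the thread's two log lines re-joined onto single lines.

```python
import ipaddress
import re

# Constructed sample: the thread's two ASA syslog lines, re-joined as the ASA emits them.
SAMPLE_LOG = [
    "4|Mar 17 2011 11:15:41|402116: IPSEC: Received an ESP packet (SPI= 0x27E0AAA0, "
    "sequence number= 0xE) from 210.177.107.18 (user= 210.177.107.18) to 203.198.23.209. "
    "The decapsulated inner packet doesn't match the negotiated policy in the SA. "
    "The packet specifies its destination as 203.198.23.209, its source as "
    "210.177.107.18, and its protocol as 1. The SA specifies its local proxy as "
    "10.194.0.56/255.255.255.255/0/0 and its remote_proxy as 192.168.1.100/255.255.255.255/0/0.",
    "3|Mar 17 2011 11:15:41|313001: Denied ICMP type=8, code=0 from 210.177.107.18 on interface outside",
]

# Fields of %ASA-4-402116: outer ESP peer/local, inner packet, and the SA's proxy IDs.
RE_402116 = re.compile(
    r"402116: .*?from (?P<peer>[\d.]+) .*?to (?P<local>[\d.]+)\. "
    r".*?destination as (?P<dst>[\d.]+), its source as (?P<src>[\d.]+), "
    r"and its protocol as (?P<proto>\d+)\. "
    r".*?local proxy as (?P<lnet>[\d.]+)/(?P<lmask>[\d.]+)/\d+/\d+ "
    r"and its remote_proxy as (?P<rnet>[\d.]+)/(?P<rmask>[\d.]+)/\d+/\d+"
)

def parse_402116(line):
    """Return the parsed fields of a 402116 line, or None for any other message."""
    m = RE_402116.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["local_proxy"] = ipaddress.ip_network(f"{d['lnet']}/{d['lmask']}")
    d["remote_proxy"] = ipaddress.ip_network(f"{d['rnet']}/{d['rmask']}")
    return d

def diagnose(line):
    """Say which side of the negotiated proxy IDs the inner packet falls outside of."""
    d = parse_402116(line)
    if d is None:
        return None
    src, dst = ipaddress.ip_address(d["src"]), ipaddress.ip_address(d["dst"])
    # Inbound ESP: inner src must lie in the remote proxy, inner dst in the local proxy.
    src_ok, dst_ok = src in d["remote_proxy"], dst in d["local_proxy"]
    problems = []
    if not src_ok:
        problems.append(f"inner src {src} not in remote proxy {d['remote_proxy']}")
    if not dst_ok:
        problems.append(f"inner dst {dst} not in local proxy {d['local_proxy']}")
    # Inner src equal to the peer's outer address: the far gateway encrypted traffic
    # from its own outside interface, not from the private subnet agreed in Phase 2.
    peer_sourced = src == ipaddress.ip_address(d["peer"])
    return {"src_ok": src_ok, "dst_ok": dst_ok, "peer_sourced": peer_sourced, "proto": int(d["proto"]), "problems": problems}
```

Run it over a syslog export and any 402116 line with peer_sourced set points at the far gateway's own address being sent through the tunnel, which the thread's second log line (313001) then shows the ASA dropping on the outside interface.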

Received on Thu Mar 17 2011 - 11:52:35 ART

This archive was generated by hypermail 2.2.0 : Fri Apr 01 2011 - 06:35:41 ART