Kawaii,
Is your access-list for the S2S based on port access or access based
on IP?
Please attach a sanitized configuration of both devices and we should be
able to resolve this issue for you.
On Wed, Mar 16, 2011 at 8:09 PM, kawaii mak <kawaii00mak_at_gmail.com> wrote:
> Dear Ryan, Prof, and all,
>
> It seems the packet can't get out through the ASA5520 according to packet-tracer, and the
> action is drop in the last step. Is anything wrong in the configuration??
> Please help!!! Thank you very much!!!!
>
>
> ASAFW/pri/act# packet-tracer input inside icmp 10.194.0.56 8 0 192.168.1.100 det
>
> Phase: 1
> Type: ACCESS-LIST
> Subtype:
> Result: ALLOW
> Config:
> Implicit Rule
> Additional Information:
> Forward Flow based lookup yields rule:
> in id=0x73ba30e8, priority=1, domain=permit, deny=false
> hits=4889947683, user_data=0x0, cs_id=0x0, l3_type=0x8
> src mac=0000.0000.0000, mask=0000.0000.0000
> dst mac=0000.0000.0000, mask=0100.0000.0000
>
> Phase: 2
> Type: FLOW-LOOKUP
> Subtype:
> Result: ALLOW
> Config:
> Additional Information:
> Found no matching flow, creating a new flow
>
> Phase: 3
> Type: ROUTE-LOOKUP
> Subtype: input
> Result: ALLOW
> Config:
> Additional Information:
> in 192.168.1.100 255.255.255.255 outside
>
> Phase: 4
> Type: ACCESS-LIST
> Subtype: log
> Result: ALLOW
> Config:
> access-group from-inside-to-internet in interface inside
> access-list from-inside-to-internet extended permit icmp any any
> Additional Information:
> Forward Flow based lookup yields rule:
> in id=0x742ac240, priority=12, domain=permit, deny=false
> hits=284, user_data=0x6d7d4540, cs_id=0x0, flags=0x0, protocol=1
> src ip=0.0.0.0, mask=0.0.0.0, port=0
> dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
>
> Phase: 5
> Type: IP-OPTIONS
> Subtype:
> Result: ALLOW
> Config:
> Additional Information:
> Forward Flow based lookup yields rule:
> in id=0x73ba5708, priority=0, domain=inspect-ip-options, deny=true
> hits=78903994, user_data=0x0, cs_id=0x0, reverse, flags=0x0,
> protocol=0
> src ip=0.0.0.0, mask=0.0.0.0, port=0
> dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
>
> Phase: 6
> Type: INSPECT
> Subtype: np-inspect
> Result: ALLOW
> Config:
> Additional Information:
> Forward Flow based lookup yields rule:
> in id=0x73ba5380, priority=66, domain=inspect-icmp-error, deny=false
> hits=298, user_data=0x73ba5268, cs_id=0x0, use_real_addr,
> flags=0x0, protocol=1
> src ip=0.0.0.0, mask=0.0.0.0, port=0
> dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
>
> Phase: 7
> Type: ACCESS-LIST
> Subtype: vpn-user
> Result: DROP
> Config:
> Additional Information:
> Forward Flow based lookup yields rule:
> out id=0x73298b68, priority=11, domain=vpn-user, deny=true
> hits=3918, user_data=0x6d7d4c40, filter_id=0x0(-implicit deny-),
> protocol=0
> src ip=0.0.0.0, mask=0.0.0.0, port=0
> dst ip=0.0.0.0, mask=0.0.0.0, port=0
>
> Result:
> input-interface: inside
> input-status: up
> input-line-status: up
> output-interface: outside
> output-status: up
> output-line-status: up
> Action: drop
> Drop-reason: (acl-drop) Flow is denied by configured rule
>
>
>
> 2011/3/17 Ryan West <rwest_at_zyedge.com>
>
>> Prof is right, I read that wrong this AM. If it's not routing from the
>> ASA / internal network, it's probably a no-NAT issue.
>>
>>
>>
>> Try packet-tracer input inside icmp 10.194.0.56 8 0 192.168.1.100 det
>> and see if it's failing any of the steps (ACL or NAT). You may need to run
>> the command twice if it makes it to the tunnel step.
>>
>>
>>
>> -ryan
>>
>>
>>
>> *From:* Mad_Prof [mailto:dr3d3m3nt0_at_gmail.com]
>> *Sent:* Wednesday, March 16, 2011 3:35 PM
>> *To:* Ryan West
>> *Cc:* Abiola Jewoola; kawaii mak; Cisco certification
>>
>> *Subject:* Re: ASA FW site-to-site vpn setup with Netscreen FW
>>
>>
>>
>> The ASA is not returning any traffic and Phase 2 has formed correctly.
>> Verify if the address local to the ASA's network knows how to route back
>> to ASA.
>>
>>
>>
>>
>>
>> On Wed, Mar 16, 2011 at 4:42 AM, Ryan West <rwest_at_zyedge.com> wrote:
>>
>> I'm a little rusty on Netscreen, but it looks like you have your proxies
>> matching, but you might be missing a route on the Netscreen. Are you doing
>> route/tunnel interface mode on your Netscreen or policy based? If it's
>> route based, what does 'get vpn' and 'get route' show?
>>
>> You can use 'set ffilters src-ip=' and 'debug flow basic' and 'get db
>> stream' to see if it's hitting the crypto engine on the netscreen.
>>
>> Sent from handheld
>>
>>
>> On Mar 16, 2011, at 7:11 AM, "Abiola Jewoola" <biola_y2k_at_yahoo.com>
>> wrote:
>>
>> > Are you doing any NAT stuff on your ASA?
>> >
>> > --- On Wed, 3/16/11, Mad_Prof <dr3d3m3nt0_at_gmail.com> wrote:
>> >
>> > From: Mad_Prof <dr3d3m3nt0_at_gmail.com>
>> > Subject: Re: ASA FW site-to-site vpn setup with Netscreen FW
>> > To: "kawaii mak" <kawaii00mak_at_gmail.com>
>> > Cc: "Cisco certification" <ccielab_at_groupstudy.com>
>> > Date: Wednesday, March 16, 2011, 2:17 AM
>> >
>> > Compare the output of these commands :
>> >
>> > Netscreen
>> > get sa
>> > get sa id xxx
>> >
>> >
>> > ASA
>> > show crypto ipsec sa peer x.x.x.x
>> >
>> >
>> > This should be enough if Phase 2 is formed.
>> >
>> >
>> >
>> >
>> > On Wed, Mar 16, 2011 at 1:25 AM, kawaii mak <kawaii00mak_at_gmail.com>
>> wrote:
>> >
>> >> Dear Expert,
>> >> I have a question about a Cisco FW (ASA5520+ with v8.2(2)) set up to connect
>> >> to a Netscreen SSG20 for a Site-to-Site VPN tunnel.
>> >> Tunnel negotiation completed Phase 1 & Phase 2. Private traffic is initiated
>> >> from the ASA side (10.194.x.x) to the Netscreen side (192.168.x.x) but it seems
>> >> to be unreachable. And some messages occur in the ASA while the packet returns
>> >> from the Netscreen side, as follows. Is anything wrong in the configuration that
>> >> triggers these messages????
>> >> Please help!!! Thanks.
>> >>
>> >> firewall log
>> >> ==============
>> >> 4|Mar 15 2011 12:26:53|402116: IPSEC: Received an ESP packet (SPI= 0x24F592BC,
>> >> sequence number= 0x1) from 210.x.x.x (user= 210.x.x.x) to 203.x.x.x. The
>> >> decapsulated inner packet doesn't match the negotiated policy in the SA. The
>> >> packet specifies its destination as 203.x.x.x, its source as 210.x.x.x, and its
>> >> protocol as 1. The SA specifies its local proxy as 10.194.x.x/255.255.255.255/0/0
>> >> and its remote_proxy as 192.168.x.x/255.255.255.255/0/0.
>> >>
>> >> Regards,
>> >> Kawaii
>> >>
>> >>
>> >> Blogs and organic groups at http://www.ccie.net
>> >>
>> >> _______________________________________________________________________
>> >> Subscription information may be found at:
>> >> http://www.groupstudy.com/list/CCIELab.html
>> >>
>> >
>> >
>> > --
>> > It is said that if you know your enemies and know yourself, you will not
>> be
>> > imperiled in a hundred battles; if you do not know your enemies but do
>> know
>> > yourself, you will win one and lose one; if you do not know your enemies
>> nor
>> > yourself, you will be imperiled in every single battle.
>> >
>>
>> --
>> It is said that if you know your enemies and know yourself, you will not
>> be imperiled in a hundred battles; if you do not know your enemies but do
>> know yourself, you will win one and lose one; if you do not know your
>> enemies nor yourself, you will be imperiled in every single battle.
>>
>>
>
--
It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.

Received on Wed Mar 16 2011 - 21:07:01 ART
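As an added example that is not part of the original thread (it is not code from any of the posters or from Cisco), here is a small Python triage script for the two ASA outputs quoted above. It parses the 402116 syslog text to check whether the decapsulated inner packet's source and destination fall inside the SA's remote and local proxy identities, and it finds the phase of a packet-tracer trace that returned DROP together with the rule domain it matched. The sample inputs are constructed from the thread's outputs: the masked public addresses are replaced by RFC 5737 documentation addresses (203.0.113.10 standing in for the Netscreen peer 210.x.x.x, 198.51.100.20 for the ASA 203.x.x.x), the private hosts are the ones from the packet-tracer command, and the function names are mine.

```python
"""Triage helpers for two ASA outputs: the 402116 "decapsulated inner packet
doesn't match the negotiated policy" syslog and a packet-tracer trace.
Added example; not code from the thread's posters. Sample inputs are
constructed from the thread's outputs with the masked public addresses
replaced by RFC 5737 documentation addresses."""
import ipaddress
import re

# Constructed sample: the thread's 402116 line with 210.x.x.x -> 203.0.113.10
# (Netscreen peer) and 203.x.x.x -> 198.51.100.20 (ASA); the private hosts
# are taken from the thread's packet-tracer command.
SAMPLE_402116 = (
    "4|Mar 15 2011 12:26:53|402116: IPSEC: Received an ESP packet (SPI= 0x24F592BC, "
    "sequence number= 0x1) from 203.0.113.10 (user= 203.0.113.10) to 198.51.100.20. "
    "The decapsulated inner packet doesn't match the negotiated policy in the SA. "
    "The packet specifies its destination as 198.51.100.20, its source as "
    "203.0.113.10, and its protocol as 1. The SA specifies its local proxy as "
    "10.194.0.56/255.255.255.255/0/0 and its remote_proxy as "
    "192.168.1.100/255.255.255.255/0/0."
)

# Constructed sample: phases 4 and 7 and the result block of the thread's trace.
SAMPLE_TRACE = """\
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group from-inside-to-internet in interface inside
access-list from-inside-to-internet extended permit icmp any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x742ac240, priority=12, domain=permit, deny=false

Phase: 7
Type: ACCESS-LIST
Subtype: vpn-user
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x73298b68, priority=11, domain=vpn-user, deny=true
hits=3918, user_data=0x6d7d4c40, filter_id=0x0(-implicit deny-),

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Proxy IDs are logged as ip/dotted-mask/protocol/port; protocol 0 means any.
RE_402116 = re.compile(
    r"destination as (?P<dst>[\d.]+), its source as (?P<src>[\d.]+), "
    r"and its protocol as (?P<proto>\d+)\."
    r".*?local proxy as (?P<lp>[\d.]+/[\d.]+)/(?P<lp_proto>\d+)/\d+"
    r".*?remote_proxy as (?P<rp>[\d.]+/[\d.]+)/(?P<rp_proto>\d+)/\d+",
    re.S,
)


def check_402116(line):
    """Compare the inner packet of a 402116 message against the SA's proxy IDs.

    For an inbound ESP packet the inner source must fall inside the remote
    proxy and the inner destination inside the local proxy. Returns None if
    the line is not a 402116 message.
    """
    m = RE_402116.search(line)
    if not m:
        return None
    local = ipaddress.ip_network(m["lp"], strict=False)   # "ip/dotted-mask" is accepted
    remote = ipaddress.ip_network(m["rp"], strict=False)
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    proto = int(m["proto"])
    return {
        "src": str(src), "dst": str(dst), "proto": proto,
        "local_proxy": str(local), "remote_proxy": str(remote),
        "src_in_remote_proxy": src in remote,
        "dst_in_local_proxy": dst in local,
        "proto_ok": int(m["rp_proto"]) in (0, proto) and int(m["lp_proto"]) in (0, proto),
    }


PHASE_RE = re.compile(
    r"Phase: (?P<num>\d+)\nType: (?P<type>\S+)\nSubtype: ?(?P<sub>\S*)\nResult: (?P<res>\S+)"
)


def drop_phase(trace):
    """Return the first packet-tracer phase whose Result is DROP, with the
    domain and deny flag of the rule it matched, or None if nothing dropped."""
    for block in trace.split("\n\n"):
        m = PHASE_RE.match(block)
        if not m or m["res"] != "DROP":
            continue
        dom = re.search(r"domain=([^,\s]+)", block)
        deny = re.search(r"deny=(true|false)", block)
        return {
            "phase": int(m["num"]), "type": m["type"], "subtype": m["sub"],
            "domain": dom.group(1) if dom else None,
            "deny": (deny.group(1) == "true") if deny else None,
        }
    return None


def drop_reason(trace):
    """The Drop-reason line of a trace, or None if the packet was allowed."""
    m = re.search(r"^Drop-reason: (.+)$", trace, re.M)
    return m.group(1).strip() if m else None


if __name__ == "__main__":
    print(check_402116(SAMPLE_402116))
    print(drop_phase(SAMPLE_TRACE), drop_reason(SAMPLE_TRACE))
```

Run against the thread's own log line, both address checks come back false: the inner packet is addressed from the peer's public address to the ASA's public address, while the SA was negotiated for the two /32 private hosts, which is exactly what the ASA's message states. For the trace, the script reports phase 7, type ACCESS-LIST, subtype vpn-user, with deny=true, so the reviewer can go straight to that rule domain instead of reading the whole dump.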
This archive was generated by hypermail 2.2.0 : Fri Apr 01 2011 - 06:35:41 ART