1

I've been racking my brains over this one today.

I've set up a site-to-site VPN connection between my primary site (Site1) and my secondary site (Site2). Each site is using a different subnet / network range. The tunnel is up and running.

Site1 is using a WatchGuard M200. Site2 uses a Cisco ASA 5500.

Site1 subnet is: 192.168.100.0/24

Site2 subnet is: 192.168.1.0/24

I can access web pages hosted on servers at Site2 from clients at Site1. However, I am unable to access web pages hosed on servers at Site1 from clients on Site2.

When I run a test the Cisco Packet Tracer tool, it fails at the access-list section on the Outside interface.

192.168.1.3 is the IP address of a client at Site2. 192.168.100.2 is the IP address of a server hosting a simple website on port 443 at Site1.

I can see from the results of the packet tracer that the connection is being dropped due to the implicit deny rule.

The firewall access rules on the Cisco at Site2 are:

I can't work out what rule I need to add in order to allow communication from Site2 to Site1 (as opposed to just Site1 to Site2 as it is at the moment).

Any help greatly appreciated.

EDIT: ASA Config:

: Saved : : Serial Number: [HIDDEN] : Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz : ASA Version 9.2(4) ! hostname IS-49133 enable password [HIDDEN] encrypted xlate per-session deny tcp any4 any4 xlate per-session deny tcp any4 any6 xlate per-session deny tcp any6 any4 xlate per-session deny tcp any6 any6 xlate per-session deny udp any4 any4 eq domain xlate per-session deny udp any4 any6 eq domain xlate per-session deny udp any6 any4 eq domain xlate per-session deny udp any6 any6 eq domain passwd [HIDDEN] encrypted names ! interface Ethernet0/0 switchport access vlan 2 speed 100 duplex full ! interface Ethernet0/1 ! interface Ethernet0/2 shutdown ! interface Ethernet0/3 shutdown ! interface Ethernet0/4 shutdown ! interface Ethernet0/5 shutdown ! interface Ethernet0/6 shutdown ! interface Ethernet0/7 shutdown ! interface Vlan1 nameif Inside security-level 100 ip address 192.168.1.1 255.255.255.0 ! interface Vlan2 nameif Outside security-level 0 ip address [SITE2 IP] 255.255.255.248 ! boot system disk0:/asa924-k8.bin ftp mode passive clock timezone GMT/BST 0 clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00 dns server-group DefaultDNS name-server 8.8.8.8 name-server 8.8.4.4 same-security-traffic permit inter-interface object network IS-49110-ipmi-p host 192.168.1.2 object network IS-49110-p host 192.168.1.3 object network IS-49109-ipmi-p host 192.168.1.4 object network IS-49109-p host 192.168.1.5 object network IS-491010-ipmi-v host [Public IP 2] object network IS-49110-v host 109.169.52.132 object network IS-49109-ipmi-v host [Public IP 3] object network IS-49109-v host [Public IP 5] object network InsideNetworkRange range 192.168.1.21 192.168.1.254 object network 192.168.1.10 host 192.168.1.10 object network 192.168.1.11 host 192.168.1.11 object network 192.168.1.12 host 192.168.1.12 object network 192.168.1.13 host 192.168.1.13 object network 192.168.1.14 host 192.168.1.14 object network [Public IP 6] host [Public IP 6] object network [Public IP 7] host [Public IP 7] object network [Public IP 8] host [Public IP 8] object network [Public IP 9] host [Public IP 9] object network [Public IP 10] host [Public IP 10] object network 192.168.1.15 host 192.168.1.15 object network [Public IP 11] host [Public IP 11] object network WG-HONetwork subnet 192.168.100.0 255.255.254.0 object network NETWORK_OBJ_192.168.1.0_24 subnet 192.168.1.0 255.255.255.0 object network NETWORK_OBJ_192.168.100.0_23 subnet 192.168.100.0 255.255.254.0 object-group protocol TCPUDP protocol-object udp protocol-object tcp object-group network DM_INLINE_NETWORK_1 network-object host 192.168.1.4 network-object host 192.168.1.5 object-group network DM_INLINE_NETWORK_2 network-object host 192.168.1.4 network-object host 192.168.1.5 object-group network DM_INLINE_NETWORK_3 network-object host [EXT IP] network-object host [SITE1 IP] access-list basic extended permit tcp object-group DM_INLINE_NETWORK_3 any4 eq 3*** access-list basic extended permit tcp any4 any4 eq 3389 inactive access-list basic extended permit tcp host [SITE1 IP] any4 eq ssh access-list basic extended permit tcp any4 any4 eq www access-list basic extended permit tcp any4 any4 eq https access-list basic extended permit icmp any4 any4 access-list basic extended permit object-group TCPUDP any4 object-group DM_INLINE_NETWORK_1 eq 5*** access-list basic extended permit object-group TCPUDP any4 object-group DM_INLINE_NETWORK_2 eq 5*** access-list allow extended permit ip any4 any4 access-list allow extended permit icmp any4 any4 access-list Outside_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.254.0 pager lines 24 logging enable logging asdm informational mtu Inside 1500 mtu Outside 1500 icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-752-153.bin no asdm history enable arp timeout 14400 no arp permit-nonconnected nat (Inside,Outside) source static IS-49110-ipmi-p IS-491010-ipmi-v nat (Inside,Outside) source static IS-49110-p IS-49110-v nat (Inside,Outside) source static IS-49109-ipmi-p IS-49109-ipmi-v nat (Inside,Outside) source static IS-49109-p IS-49109-v nat (Inside,Outside) source static 192.168.1.10 [Public IP 6] nat (Inside,Outside) source static 192.168.1.11 [Public IP 7] nat (Inside,Outside) source static 192.168.1.12 [Public IP 8] nat (Inside,Outside) source static 192.168.1.13 [Public IP 9] nat (Inside,Outside) source static 192.168.1.14 [Public IP 10] nat (Inside,Outside) source static 192.168.1.15 [Public IP 11] nat (Inside,Outside) source dynamic InsideNetworkRange interface nat (Inside,Outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.100.0_23 NETWORK_OBJ_192.168.100.0_23 no-proxy-arp route-lookup access-group allow in interface Inside access-group allow out interface Inside access-group basic in interface Outside access-group allow out interface Outside route Outside 0.0.0.0 0.0.0.0 [Gateway IP] 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy user-identity default-domain LOCAL aaa authentication enable console LOCAL aaa authentication ssh console LOCAL http server enable http 0.0.0.0 0.0.0.0 Outside http 0.0.0.0 0.0.0.0 Inside no snmp-server location no snmp-server contact crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport crypto ipsec ikev2 ipsec-proposal 3DES-MD5 protocol esp encryption 3des protocol esp integrity md5 crypto ipsec ikev2 ipsec-proposal DES protocol esp encryption des protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal 3DES protocol esp encryption 3des protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES protocol esp encryption aes protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES192 protocol esp encryption aes-192 protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES256 protocol esp encryption aes-256 protocol esp integrity sha-1 md5 crypto ipsec security-association pmtu-aging infinite crypto map Outside_map0 1 match address Outside_cryptomap_2 crypto map Outside_map0 1 set peer [SITE1 IP] crypto map Outside_map0 1 set ikev1 transform-set ESP-AES-256-SHA crypto map Outside_map0 interface Outside crypto ca trustpoint _SmartCallHome_ServerCA no validation-usage crl configure crypto ca trustpool policy crypto ca certificate chain _SmartCallHome_ServerCA certificate ca 6ecc7aa5a7032009b8cebcf4e952d491 308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130 6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28 6c2527b9 deb78458 c61f381e a4c4cb66 quit crypto ikev2 policy 1 encryption 3des integrity md5 group 5 prf md5 lifetime seconds 86400 crypto ikev2 policy 2 encryption aes integrity sha group 5 prf sha lifetime seconds 86400 crypto ikev2 enable Outside crypto ikev1 enable Outside crypto ikev1 policy 1 authentication pre-share encryption 3des hash md5 group 5 lifetime 86400 crypto ikev1 policy 10 authentication crack encryption aes-256 hash sha group 5 lifetime 86400 crypto ikev1 policy 20 authentication rsa-sig encryption aes-256 hash sha group 5 lifetime 86400 crypto ikev1 policy 30 authentication pre-share encryption aes-256 hash sha group 5 lifetime 86400 crypto ikev1 policy 40 authentication crack encryption aes-192 hash sha group 5 lifetime 86400 crypto ikev1 policy 50 authentication rsa-sig encryption aes-192 hash sha group 5 lifetime 86400 crypto ikev1 policy 60 authentication pre-share encryption aes-192 hash sha group 5 lifetime 86400 crypto ikev1 policy 70 authentication crack encryption aes hash sha group 5 lifetime 86400 crypto ikev1 policy 80 authentication rsa-sig encryption aes hash sha group 5 lifetime 86400 crypto ikev1 policy 90 authentication pre-share encryption aes hash sha group 5 lifetime 86400 crypto ikev1 policy 100 authentication crack encryption 3des hash sha group 5 lifetime 86400 crypto ikev1 policy 110 authentication rsa-sig encryption 3des hash sha group 5 lifetime 86400 crypto ikev1 policy 130 authentication crack encryption des hash sha group 5 lifetime 86400 crypto ikev1 policy 140 authentication rsa-sig encryption des hash sha group 5 lifetime 86400 crypto ikev1 policy 150 authentication pre-share encryption des hash sha group 5 lifetime 86400 telnet timeout 5 ssh stricthostkeycheck ssh 0.0.0.0 0.0.0.0 Inside ssh 0.0.0.0 0.0.0.0 Outside ssh timeout 60 ssh version 2 ssh key-exchange group dh-group1-sha1 console timeout 0 threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept group-policy DfltGrpPolicy attributes vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless group-policy GroupPolicy_[SITE1 IP] internal group-policy GroupPolicy_[SITE1 IP] attributes vpn-tunnel-protocol ikev1 username admin password Gq4Kud5aGC668/VE encrypted privilege 15 tunnel-group [SITE1 IP] type ipsec-l2l tunnel-group [SITE1 IP] general-attributes default-group-policy GroupPolicy_[SITE1 IP] tunnel-group [SITE1 IP] ipsec-attributes ikev1 pre-shared-key ***** ! Cryptochecksum:cb42c61d05f6a55ebb5e5e94805f7e04 : end
Improve this question
3
  • Please edit your question to include the ASA configuration. Commented Oct 4, 2017 at 15:15
  • Done. Pastebin link added. Commented Oct 6, 2017 at 9:12
  • @OPGailey I have pasted the configuration into pre-formatted text. Commented Oct 6, 2017 at 10:09

1 Answer 1

Reset to default
1

On Site2 (Cisco ASA 5500), looks like you applied the packet-tracer on wrong Input interface: Outside, that is why it was dropped. The correct interface should be Inside interface (or the interface where 192.168.1.3 generates the traffic).

Run the packet-tracer again with correct input interface and let us know the result. Also, please edit your question with the ASA configuration.

Updated answer:

The output of packet-tracer shows that the issue was at NAT rules. Once we moved the No-NAT rule (for VPN traffic) to the 1st position and PAT rule for Internet traffic at the end of NAT section, Site2 can access Site1.

Improve this answer
8
  • When I try it with the Inside interface, using source: internal IP at Site2 and destination: internal IP at Site1, it works. When I do the same with source: internal IP at Site1 and destination: internal IP as Site2, it fails at the VPN stage. i.imgur.com/6sdwjHR.png Commented Oct 6, 2017 at 9:06
  • @OPGailey "with the Inside interface, using source: internal IP at Site2 and destination: internal IP at Site1, it works" => Correct and this is what we should test/expect with VPN setup. Your inside interface is where Site2 internal IPs reside, not Site1 internal IPs (which is located outside), when you put them in WRONG source/destination order in 2nd/later packet-tracer that do not match Outside_cryptomap_2, resulting DROP Commented Oct 6, 2017 at 10:27
  • @OPGailey Even when you try with packet-tracer with OUTSIDE interface - source: internal IP at Site1 and destination: internal IP at Site2, it will drop also at VPN Phase, because this is VPN tunnel, we cannot do like this. For VPN tunnel, always run packet-tracer on inside/internal interfaces with correct source and desation IPs. Commented Oct 6, 2017 at 10:33
  • @OPGailey Can you please let me know if Site2 can access Site1? Or you just tested it our with packet-tracer only? Commented Oct 6, 2017 at 10:35
  • No, Site2 cannot access resources on Site1 (ie, I cannot access https : // 192.168.100.2 from Site2). Commented Oct 6, 2017 at 10:51

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.