I am trying to set up a site-to-site IPsec tunnel between an Ericsson router and a Cisco ASA, as shown below:
My tunnel is UP and R1 seems to be working fine. However, my ASA does not forward traffic between the local and remote subnets:
    act/Lab2/FWasa1# show cryp ipse sa
    interface: outside_access
        Crypto map tag: acces_map, seq num: 1, local addr: x.x.x.x

          access-list crypto_map extended permit ip 100.100.0.0 255.255.255.0 100.100.1.0 255.255.255.0
          local ident (addr/mask/prot/port): (100.100.0.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (100.100.1.0/255.255.255.0/0/0)
          current_peer: y.y.y.y

          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 2640, #pkts decrypt: 2640, #pkts verify: 2640
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #TFC rcvd: 0, #TFC sent: 0
          #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
          #send errors: 0, #recv errors: 0

    act/Lab2/FWasa1# show access-list crypto_map
    access-list crypto_map; 2 elements; name hash: 0x2b034900
    access-list crypto_map line 1 extended permit ip object local_network object remote_network (hitcnt=8) 0xd0d5d370
      access-list crypto_map line 1 extended permit ip 100.100.0.0 255.255.255.0 100.100.1.0 255.255.255.0 (hitcnt=8) 0xd0d5d370
    access-list crypto_map line 2 extended permit icmp object local_network object remote_network (hitcnt=0) 0x1adc0eab
      access-list crypto_map line 2 extended permit icmp 100.100.0.0 255.255.255.0 100.100.1.0 255.255.255.0 (hitcnt=0) 0x1adc0eab

    act/Lab2/FWasa1# packet-tracer input locale_interface icmp 100.100.0.1 8 0 100.100.1.1

    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: Resolve Egress Interface
    Result: ALLOW
    Config:
    Additional Information:
    found next-hop x.x.x.x using egress ifc outside_access

    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0x7f98cedfc200, priority=501, domain=permit, deny=true
            hits=6, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip/id=100.100.0.1, mask=255.255.255.255, port=0, tag=any
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
            input_ifc=locale_interface, output_ifc=any

    Result:
    input-interface: locale_interface
    input-status: up
    input-line-status: up
    output-interface: outside_access
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule

As you can see, the ACL displayed with show crypto ipsec sa only contains one rule instead of two, as shown with show access-list crypto_map. The first command's output also shows ingress encrypted data, which corresponds to a ping I sent from 100.100.1.1 (without receiving any answer).
packet-tracer shows, with either ICMP or TCP, that packets are dropped by an ACL. How can I find out which ACL is responsible for this drop and continue troubleshooting my issue?
EDIT: For whatever reason, end-to-end ping works if the source or destination IP is not 100.100.0.1, which is the ASA's local interface IP. If I use the same packet-tracer command with IP 100.100.0.2 instead of 100.100.0.1, it works fine. I don't understand this behavior, but at least it solves my issue. Any information is still appreciated about why this specific IP cannot be transported to the other side.
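The two outputs in the question carry the whole story if you read them side by side: the SA counters show decaps > 0 with encaps = 0 (the ASA decrypts what the peer sends but never encrypts anything back), and the packet-tracer drop is not a configured ACL at all but an implicit rule (deny=true, "reverse") whose source is a /32 equal to the interface address used as the trace source. The script below is an added example, not part of the original question and not a Cisco tool: it parses pasted `show crypto ipsec sa` counters and `packet-tracer` phases, reports the traffic direction and the first phase that yields DROP together with the denying rule's src/dst/mask fields, and flags the pattern above when the denied source is a host entry for the interface address given on the command line. The two sample strings are constructed for the example, shaped like the question's output; all function names are my own.

```python
"""Triage helpers for Cisco ASA IPsec output (added example, not ASA code)."""
import re
from dataclasses import dataclass, field

# Constructed samples, shaped like the outputs in the question.
SAMPLE_IPSEC_SA = """\
interface: outside_access
    Crypto map tag: acces_map, seq num: 1, local addr: x.x.x.x
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 2640, #pkts decrypt: 2640, #pkts verify: 2640
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
"""

SAMPLE_PACKET_TRACER = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop x.x.x.x using egress ifc outside_access

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f98cedfc200, priority=501, domain=permit, deny=true
        hits=6, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=100.100.0.1, mask=255.255.255.255, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=locale_interface, output_ifc=any

Result:
input-interface: locale_interface
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

HEADER_RE = re.compile(r"^(Phase|Type|Subtype|Result|Config|Additional Information):\s*(.*)$")


def parse_sa_counters(text):
    """Map '#pkts <name>: <n>' lines of show crypto ipsec sa to {name: n}."""
    return {m.group(1): int(m.group(2)) for m in re.finditer(r"#pkts (\w+): (\d+)", text)}


def classify_direction(counters):
    """Tell from encaps/decaps whether the SA carries traffic one way only."""
    enc, dec = counters.get("encaps", 0), counters.get("decaps", 0)
    if enc == 0 and dec > 0:
        return "inbound-only"
    if enc > 0 and dec == 0:
        return "outbound-only"
    return "idle" if enc == dec == 0 else "bidirectional"


@dataclass
class Phase:
    number: int
    type: str
    subtype: str
    result: str
    config: str
    info: str
    rule: dict = field(default_factory=dict)


def _parse_rule(info):
    """Pull src/dst, masks, deny flag and interfaces out of a 'yields rule' dump."""
    rule = {}
    for side in ("src", "dst"):
        m = re.search(rf"{side} ip/id=(\S+), mask=(\S+),", info)
        if m:
            rule[side], rule[side + "_mask"] = m.group(1), m.group(2)
    m = re.search(r"deny=(true|false)", info)
    if m:
        rule["deny"] = m.group(1) == "true"
    m = re.search(r"input_ifc=(\S+), output_ifc=(\S+)", info)
    if m:
        rule["input_ifc"], rule["output_ifc"] = m.group(1), m.group(2)
    return rule


def parse_packet_tracer(text):
    """Split packet-tracer output into Phase objects; the final summary block is skipped."""
    phases = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if not lines[0].startswith("Phase:"):
            continue
        data = {k: "" for k in ("Phase", "Type", "Subtype", "Result", "Config", "Additional Information")}
        current = None
        for line in lines:
            m = HEADER_RE.match(line)
            if m:
                current = m.group(1)
                data[current] = m.group(2).strip()
            elif current:  # continuation line of Config or Additional Information
                data[current] = (data[current] + "\n" + line.strip()).strip()
        info = data["Additional Information"]
        phases.append(Phase(int(data["Phase"]), data["Type"], data["Subtype"], data["Result"],
                            data["Config"], info, _parse_rule(info)))
    return phases


def first_drop(phases):
    return next((p for p in phases if p.result == "DROP"), None)


def drop_reason(text):
    m = re.search(r"^Drop-reason:\s*(.*)$", text, re.M)
    return m.group(1).strip() if m else ""


def triage(sa_text, pt_text, tested_src, interface_ip):
    """Return human-readable findings for the pasted outputs and the trace source used."""
    findings = []
    counters = parse_sa_counters(sa_text)
    direction = classify_direction(counters)
    findings.append(f"sa: encaps={counters.get('encaps', 0)} decaps={counters.get('decaps', 0)} -> {direction}")
    if direction == "inbound-only":
        findings.append("sa: peer traffic is decrypted but no reply is ever encrypted; the reply never "
                        "reached the crypto map (ACL, NAT, routing, or the inside host did not answer)")
    drop = first_drop(parse_packet_tracer(pt_text))
    if drop:
        r = drop.rule
        findings.append(f"packet-tracer: phase {drop.number} {drop.type} ({drop.config or 'no config shown'}) "
                        f"DROP {r.get('src')}/{r.get('src_mask')} -> {r.get('dst')}/{r.get('dst_mask')}: {drop_reason(pt_text)}")
        if r.get("deny") and r.get("src_mask") == "255.255.255.255" and r.get("src") == tested_src == interface_ip:
            findings.append(f"packet-tracer: denying rule is a host (/32) entry for the interface address {interface_ip}; "
                            "re-run the trace with a host address behind that interface")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_IPSEC_SA, SAMPLE_PACKET_TRACER, "100.100.0.1", "100.100.0.1"):
        print(line)
```

Running it on the constructed samples reports the SA as inbound-only, names phase 2 ACCESS-LIST (Implicit Rule) as the drop with the `(acl-drop)` reason, and adds the /32 note only when the trace source equals the interface address; with 100.100.0.2 as the tested source, the note is omitted, matching what the EDIT describes.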
