flow is denied by configured rule (acl-drop)
yashh, Member Posts: 6
Hi everyone, I have a site-to-site VPN set up from a branch office to an ASA in the DC (remote location). The tunnel is formed and the VPN is up, but only some of the machines in our branch office are able to use the VPN. When I ran packet-tracer on the outside interface, I found the following: flow is denied by configured rule (acl-drop). Please, I need your advice.
Thanks!!
Comments
yashh, Member Posts: 6
Avni-Networks(config)# sh run
: Saved
:
ASA Version 9.1(1)
!
hostname Avni-Networks
enable password
passwd
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.248
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.2 255.255.255.0
!
ftp mode passive
object network Local_Lan
subnet 192.168.1.0 255.255.255.0
object network DC_Lan
subnet 10.1.12.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object 10.1.0.0 255.255.224.0
network-object object DC_Lan
object-group service Allowed_Ports tcp
port-object eq www
port-object eq https
port-object range ftp telnet
port-object range 9000 9999
access-list Lan-Lan extended permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.224.0
access-list Lan_Outside extended permit icmp any 10.1.0.0 255.255.224.0
access-list Lan_Outside extended permit tcp 192.168.1.0 255.255.255.0 10.1.0.0 255.255.224.0 object-group Allowed_Ports
access-list InsideToOutside_FromInsideIf extended permit icmp 192.168.1.0 255.255.255.0 any
access-list InsideToOutside_FromInsideIf extended permit tcp 192.168.1.0 255.255.255.0 10.1.0.0 255.255.224.0 object-group Allowed_Ports
pager lines 24
logging buffer-size 10000
logging console debugging
mtu management 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (management,outside) source static Local_Lan Local_Lan destination static DC_Lan DC_Lan
access-group InsideToOutside_FromInsideIf in interface management
access-group Lan_Outside out interface outside
route outside 0.0.0.0 0.0.0.0 xxxx 1
route outside 10.1.0.0 255.255.224.0 xxxx 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map vpnmap 1 match address Lan-Lan
crypto map vpnmap 1 set peer xxxx
crypto map vpnmap 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map vpnmap interface outside
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 30
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_xxxx internal
group-policy GroupPolicy_xxxx attributes
vpn-tunnel-protocol ikev1
username avniadmin password oyUYKZXvk1Ck2rYS encrypted privilege 15
tunnel-group xxxx type ipsec-l2l
tunnel-group xxxx general-attributes
default-group-policy GroupPolicy_xxxx
tunnel-group xxxx ipsec-attributes
ikev1 pre-shared-key *****
!
class-map icmp-map
match default-inspection-traffic
class-map inspection-default
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global-policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
inspect ipsec-pass-thru
inspect icmp
policy-map icmp-policy
class icmp-map
inspect http
inspect icmp
!
service-policy global-policy global
service-policy icmp-policy interface outside
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:73de74061a5e4f21fab33715ea87da24
: end
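As an added example (not code from the thread or from Cisco), the evaluator below applies ASA first-match semantics, with the implicit deny at the end of every ACL, to the extended ACLs and the Allowed_Ports service object-group copied from the posted config. The `PATH` order is an assumption that mirrors the two access-group lines and the crypto map in that config (ingress ACL on management, egress ACL on outside, then the crypto ACL); it does not model NAT, `sysopt connection permit-vpn`, or stateful return traffic, so it only answers "which ACE, if any, would this new flow hit".

```python
import ipaddress
from dataclasses import dataclass

# Constructed input: ACL and service object-group lines copied verbatim from the
# running config posted above (names, networks, masks and ports are the page's own).
ASA_CONFIG = """
object-group service Allowed_Ports tcp
port-object eq www
port-object eq https
port-object range ftp telnet
port-object range 9000 9999
access-list Lan-Lan extended permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.224.0
access-list Lan_Outside extended permit icmp any 10.1.0.0 255.255.224.0
access-list Lan_Outside extended permit tcp 192.168.1.0 255.255.255.0 10.1.0.0 255.255.224.0 object-group Allowed_Ports
access-list InsideToOutside_FromInsideIf extended permit icmp 192.168.1.0 255.255.255.0 any
access-list InsideToOutside_FromInsideIf extended permit tcp 192.168.1.0 255.255.255.0 10.1.0.0 255.255.224.0 object-group Allowed_Ports
"""

# Only the symbolic port names that occur in the posted port-object lines.
PORT_NAMES = {"www": 80, "https": 443, "ftp": 21, "telnet": 23}


def port_num(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: list   # (lo, hi) destination port ranges; empty means any port
    text: str     # original line, returned so a hit can be traced back


def parse_net(tok, i):
    """Return (network, next index) for 'any' or 'addr mask' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_config(text):
    """Parse service object-groups and extended ACLs into {acl_name: [Ace, ...]}."""
    groups, acls, group = {}, {}, None
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:2] == ["object-group", "service"]:
            group = groups.setdefault(tok[2], [])
        elif tok[0] == "port-object" and tok[1] == "eq":
            group.append((port_num(tok[2]), port_num(tok[2])))
        elif tok[0] == "port-object" and tok[1] == "range":
            group.append((port_num(tok[2]), port_num(tok[3])))
        elif tok[0] == "access-list" and tok[2] == "extended":
            name, action, proto = tok[1], tok[3], tok[4]
            src, i = parse_net(tok, 5)
            dst, i = parse_net(tok, i)
            ports = groups[tok[i + 1]] if i < len(tok) and tok[i] == "object-group" else []
            acls.setdefault(name, []).append(Ace(action, proto, src, dst, ports, line))
    return acls


def first_match(acl, proto, src_ip, dst_ip, dport=None):
    """ASA semantics: the first matching ACE wins; no match is the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.proto not in ("ip", proto) or s not in ace.src or d not in ace.dst:
            continue
        if ace.ports and (dport is None or not any(lo <= dport <= hi for lo, hi in ace.ports)):
            continue
        return ace.action, ace.text
    return "deny", "implicit deny at end of ACL"


# Assumed path order, mirroring the access-group lines and crypto map in the posted config.
PATH = [("management in", "InsideToOutside_FromInsideIf"),
        ("outside out", "Lan_Outside"),
        ("crypto map match", "Lan-Lan")]


def trace(acls, proto, src_ip, dst_ip, dport=None):
    """Walk PATH like packet-tracer: report the first interface ACL that drops the flow.
    A miss on the crypto ACL does not drop; it means the flow is not tunnelled."""
    for stage, name in PATH:
        action, text = first_match(acls[name], proto, src_ip, dst_ip, dport)
        if action == "deny" and stage == "crypto map match":
            return ("not-tunnelled", stage, text)
        if action == "deny":
            return ("acl-drop", stage, text)
    return ("permit", "all stages", "")


if __name__ == "__main__":
    acls = parse_config(ASA_CONFIG)
    for flow in [("tcp", "192.168.1.10", "10.1.12.5", 80),
                 ("tcp", "192.168.1.10", "10.1.12.5", 445),
                 ("udp", "192.168.1.10", "10.1.12.5", 53),
                 ("icmp", "192.168.1.10", "10.1.12.5", None)]:
        print(flow, "->", trace(acls, *flow))
```

Running it shows that a branch host reaching the DC on tcp/80 or ICMP passes every stage, while the same host on tcp/445 or udp/53 is stopped by the ingress ACL's implicit deny before the crypto map is ever consulted; whether that matches the poster's failing machines depends on what those machines were sending, which the thread does not say.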
NetworkNewb, Member Posts: 3,298
No, I did not set any connection limit.
On the server as well? On the actual server there could be a remote connections limit set.
yashh, Member Posts: 6
Now all the machines are able to connect to the VPN after adding an ACL on the outside interface in the 'out' direction: access-list XXX ext permit icmp 192.168.1.0/24 10.1.0.0/19. But my doubt is this: I have added inspect icmp to the policy-map on the interface and globally too, which allows all the machines, but only after adding the above ACL are all machines being allowed. Where do you guys think I am going wrong??