Cisco ASA – Troubleshooting Traffic Not Sent in IPsec

acl, cisco-asa, ipsec, site-to-site, tunnel

I am trying to set up a site-to-site IPsec tunnel between an Ericsson router and a Cisco ASA, as shown below:


My tunnel is UP and R1 seems to be working fine. However, my ASA does not forward traffic between local and remote subnets:

act/Lab2/FWasa1# show cryp ipse sa
interface: outside_access
    Crypto map tag: acces_map, seq num: 1, local addr: x.x.x.x      

      access-list crypto_map extended permit ip 100.100.0.0 255.255.255.0 100.100.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (100.100.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (100.100.1.0/255.255.255.0/0/0)
      current_peer: y.y.y.y


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 2640, #pkts decrypt: 2640, #pkts verify: 2640
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0


act/Lab2/FWasa1# show access-list crypto_map
access-list crypto_map; 2 elements; name hash: 0x2b034900
access-list crypto_map line 1 extended permit ip object local_network object remote_network (hitcnt=8) 0xd0d5d370
  access-list crypto_map line 1 extended permit ip 100.100.0.0 255.255.255.0 100.100.1.0 255.255.255.0 (hitcnt=8) 0xd0d5d370
access-list crypto_map line 2 extended permit icmp object local_network object remote_network (hitcnt=0) 0x1adc0eab
  access-list crypto_map line 2 extended permit icmp 100.100.0.0 255.255.255.0 100.100.1.0 255.255.255.0 (hitcnt=0) 0x1adc0eab

act/Lab2/FWasa1# packet-tracer input locale_interface icmp 100.100.0.1 8 0 100.100.1.1

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop x.x.x.x using egress ifc  outside_access

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f98cedfc200, priority=501, domain=permit, deny=true
        hits=6, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=100.100.0.1, mask=255.255.255.255, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=locale_interface, output_ifc=any

Result:
input-interface: locale_interface
input-status: up
input-line-status: up
output-interface: outside_access
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

As you can see, the ACL displayed with show crypto ipsec sa only contains one rule instead of two, as shown with show access-list crypto_map. The first command's output also shows ingress encrypted data, which corresponds to a ping I sent from 100.100.1.1 (without receiving any answer).

packet-tracer displays, either with ICMP or TCP, that packets are dropped by an ACL. How can I find out which ACL is responsible for this drop and continue to troubleshoot my issue?

EDIT: For whatever reason, end-to-end ping works if the source or destination IP is not 100.100.0.1, which is the ASA local interface IP. If I use the same packet-tracer command with IP 100.100.0.2 instead of 100.100.0.1, then it just works fine. I don't understand this behavior, but at least it solves my issue. Any information is still appreciated about why this specific IP is not able to be transported towards the other side.
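As an added example (not part of the question or the answer), the following Python script reads the two ASA outputs quoted above: it classifies the IPsec SA from its encaps/decaps counters (here: peer traffic is decrypted, nothing local is ever encrypted) and pulls the DROP phase out of the packet-tracer output so the matched rule's source, mask and input interface are visible at a glance. The embedded samples are condensed copies of the question's own output; the function and key names are my own.

```python
import re

# Constructed samples, condensed from the two outputs quoted in the question.
SA_OUTPUT = """\
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 2640, #pkts decrypt: 2640, #pkts verify: 2640
"""
TRACER_OUTPUT = """\
Phase: 2
Type: ACCESS-LIST
Result: DROP
 in  id=0x7f98cedfc200, priority=501, domain=permit, deny=true
        src ip/id=100.100.0.1, mask=255.255.255.255, port=0, tag=any
        input_ifc=locale_interface, output_ifc=any
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def _field(pattern, text):
    return m.group(1) if (m := re.search(pattern, text)) else None

def sa_direction(sa_text):
    """'inbound-only' = peer sends, but nothing local ever reaches the crypto engine."""
    enc = int(_field(r"#pkts encaps:\s*(\d+)", sa_text) or 0)
    dec = int(_field(r"#pkts decaps:\s*(\d+)", sa_text) or 0)
    if enc and dec:
        return "bidirectional"
    return "inbound-only" if dec else ("outbound-only" if enc else "idle")

def drop_phase(tracer_text):
    """First packet-tracer phase with Result: DROP, plus the matched rule's key fields."""
    for phase in re.split(r"(?m)^Phase:", tracer_text)[1:]:
        if re.search(r"(?m)^Result: DROP", phase):
            return {
                "type": _field(r"Type:\s*(\S+)", phase),
                "src": _field(r"src ip/id=(\S+?),", phase),
                "src_mask": _field(r"src ip/id=\S+?, mask=(\S+?),", phase),
                "input_ifc": _field(r"input_ifc=(\S+?),", phase),
                "reason": _field(r"Drop-reason:\s*(.+)", tracer_text),
            }
    return None

def triage(sa_text, tracer_text):
    drop = drop_phase(tracer_text)
    if sa_direction(sa_text) == "inbound-only" and drop and drop["type"] == "ACCESS-LIST":
        # A /32 source is a host-specific entry, not the subnet-to-subnet crypto ACL:
        # the drop is tied to that one address (the ASA's own interface IP, per the EDIT).
        scope = "host-specific" if drop["src_mask"] == "255.255.255.255" else "subnet"
        return f"outbound {drop['src']} hits a {scope} ACL deny on {drop['input_ifc']} before encryption"
    return "no one-way ACL drop found"
```

Paste the full `show crypto ipsec sa` and `packet-tracer` output into the two strings to run it against a real box; the regexes only rely on the field labels shown above.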

Best Answer

I suggest you read this link to see how to properly build a tunnel on an ASA and then see if you have any problems.

In general, you need 2 ACLs (when dealing with tunnels): One ACL for letting the traffic enter (and pass through) the ASA, and another ACL for defining the interesting traffic. It looks like you have the interesting traffic ACL but are maybe missing the ACL to let the traffic pass through the firewall. Without seeing your full config it's impossible for us to really know what's going on. You can edit your question and add a sanitized config if you'd like more help.