Cisco ASA Site-to-Site VPN, remote LANs have no Internet


I have a site-to-site VPN between a Cisco ASA 5512 and a Cisco 891. I want all traffic, even Internet access, to come through our ASA. The VPN is established and working. The LANs have connectivity to each other, but the remote LANs on the 891 have no Internet. I've been working on this for a while, experimenting and researching, but I can't seem to figure out what I'm doing wrong. The traffic seems to be getting dropped at the ASA when doing a traceroute.

I'm assuming it's a NAT rule or VPN policy. I've looked through the group policy to find nothing of interest and tried multiple NAT rules that I assumed I would need.

I have the config of the ASA, the config of the 891, and a packet-tracer output from the ASA testing a ping from a remote LAN user (172.17.55.x) to 8.8.8.8, which is dropped at phase 8 (ipsec-tunnel-flow).

I'm sure it's an amateur mistake I've made, but I just can't seem to find it. Any help is appreciated!

ASA Config

ASA Version 9.6(3)1  
!
hostname xxx
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names

!
interface GigabitEthernet0/0
 description Uplink To ComRTR
 nameif outside
 security-level 100
 ip address xx.xx.xx.50 255.255.255.240 
!
interface GigabitEthernet0/1
 description Link To 1941
 nameif inside
 security-level 100
 ip address 172.17.25.1 255.255.255.192 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa963-1-smp-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network user-network
 subnet 192.168.128.0 255.255.255.0
object network server-network
 subnet 192.168.108.0 255.255.255.0
object network transit-network
 subnet 192.168.118.0 255.255.255.0
object network xxxUser
 subnet 172.17.50.0 255.255.255.0
object network xxxStorage
 subnet 172.17.55.0 255.255.255.0
object network xxxServer
 subnet 172.17.56.0 255.255.255.0
object network xxxMgmt
 subnet 172.17.57.0 255.255.255.0
object network xxxDMZOut
 subnet 172.17.65.0 255.255.255.192
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object ip
 protocol-object icmp
object-group network DM_INLINE_NETWORK_1
 network-object object xxxDMZOut
 network-object object xxxMgmt
 network-object object xxxServer
 network-object object xxxStorage
 network-object object xxxUser
object-group network xxxFO
 network-object object xxxMgmt
 network-object object xxxServer
 network-object object xxxStorage
 network-object object xxxUser
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any 
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any 
access-list inside_access_out extended permit object-group DM_INLINE_PROTOCOL_3 any any 
access-list outside_access_out extended permit object-group DM_INLINE_PROTOCOL_4 any any 
access-list outside_cryptomap extended permit ip any object-group DM_INLINE_NETWORK_1 
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-781-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (inside,outside) source static any any destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 no-proxy-arp route-lookup
nat (outside,outside) source dynamic xxxFO interface
nat (inside,outside) source dynamic inside-dmz-network interface
nat (inside,outside) source dynamic user-network interface
nat (inside,outside) source dynamic server-network interface
nat (inside,outside) source dynamic transit-network interface
nat (inside,outside) source dynamic any interface
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
router ospf 1
 network xx.xx.xx.48 255.255.255.240 area 0
 network 172.17.25.0 255.255.255.192 area 0
 area 0
 log-adj-changes
 redistribute static metric 10 metric-type 1 subnets
!
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.62 150
route inside 192.168.250.0 255.255.255.0 172.17.25.3 10
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
http server enable
http 192.168.128.0 255.255.255.0 inside
http 172.17.25.0 255.255.255.192 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
sysopt noproxyarp inside
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer xx.xx.xx.55 
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256 aes-192 aes
 integrity sha256 sha
 group 19 5 2
 prf sha384 sha256 sha
 lifetime seconds 3600
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 enable inside
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 3600
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.128.0 255.255.255.0 inside
ssh 172.17.25.0 255.255.255.192 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.30 source outside prefer
ntp server 129.6.15.28 source outside
group-policy GroupPolicy_xx.xx.xx.55 internal
group-policy GroupPolicy_xx.xx.xx.55 attributes
 vpn-tunnel-protocol ikev1 ikev2 
dynamic-access-policy-record DfltAccessPolicy
tunnel-group xx.xx.xx.55 type ipsec-l2l
tunnel-group xx.xx.xx.55 general-attributes
 default-group-policy GroupPolicy_xx.xx.xx.55
tunnel-group xx.xx.xx.55 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect icmp 
  inspect icmp error 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 9
  subscribe-to-alert-group configuration periodic monthly 9
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1f0f409a04c12c7ae27344ced61dc9ff
: end

891 Config

Building configuration...

Current configuration : 5837 bytes
!
! Last configuration change at 16:01:35 UTC Fri Oct 20 2017 by xadmin
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxx
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-4171442197
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4171442197
 revocation-check none
 rsakeypair TP-self-signed-4171442197
!
!
crypto pki certificate chain TP-self-signed-4171442197
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 34313731 34343231 3937301E 170D3137 30393239 31363236
  30395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31373134
  34323139 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  81009450 A8547893 136F6C92 1E677A11 F8D6BCAA B04B9719 C72995B4 700A9D23
  36F3BA2D 9BEF1764 EE597429 31BB8B53 F0F1819A F7045E4D 8B732B1F 71E86339
  6471B695 2FE1E053 A80E2E76 0818432E E38CA925 86AAFD79 606297A5 8AB4437E
  62BDD416 567EA9E5 4CBAD846 67B63866 ABA598FC C0995092 BA50CC93 994DF537
  EFA30203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 148C7228 7D29BC2C D1889BA2 B498EA3D 9EA0CD3E EB301D06
  03551D0E 04160414 8C72287D 29BC2CD1 889BA2B4 98EA3D9E A0CD3EEB 300D0609
  2A864886 F70D0101 05050003 81810094 4EE90FA5 EB72183B 4F6C38EB 4A83A6C7
  7A5345F4 A0D0AFA6 F31B9EF3 8DDAFDB5 74103BF3 D86BB26E CEAD05BD A213CD01
  A968B4D6 32160C2A E84E0E1C 308F34E5 F041E1F5 AA4740C8 497517DE 5BECDA82
  3C985E40 7D4FA127 17566B5E 23D42842 36FC679A 496FA752 747FBFDE 7FE61B83
  0E6F6932 990775FD 650704FE 18985C
        quit
!
!
!
!


!
ip dhcp excluded-address 172.17.50.1 172.17.50.99
ip dhcp excluded-address 172.17.50.201 172.17.50.254
ip dhcp excluded-address 172.17.56.1 172.17.56.199
ip dhcp excluded-address 172.17.56.221 172.17.56.254
ip dhcp excluded-address 172.17.55.1 172.17.55.199
ip dhcp excluded-address 172.17.55.221 172.17.55.254
!
ip dhcp pool user100
 import all
 network 172.17.50.0 255.255.255.0
 default-router 172.17.50.1
 dns-server 192.168.108.11 172.17.56.60
 domain-name xxx
!
ip dhcp pool storage300
 import all
 network 172.17.55.0 255.255.255.0
 default-router 172.17.55.1
 dns-server 192.168.108.11 172.17.56.60
 domain-name xxx
!
ip dhcp pool servers400
 import all
 network 172.17.56.0 255.255.255.0
 default-router 172.17.56.1
 dns-server 192.168.108.11 172.17.56.60
 domain-name xxx
!
!
!
ip domain name xxx
ip name-server 172.17.56.60
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C891F-K9 sn FGL1931238L
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key xxx address xx.xx.xx.50
!
!
crypto ipsec transform-set xxx esp-aes esp-sha-hmac
 mode tunnel
!
!
!
crypto map xxx 10 ipsec-isakmp
 set peer xx.xx.xx.50
 set transform-set xxx
 match address 100
!
!
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 description User
 switchport access vlan 100
 no ip address
!
interface GigabitEthernet1
 description Trunk to Host NIC1
 switchport mode trunk
 no ip address
!
interface GigabitEthernet2
 description Trunk to Host NIC2
 switchport mode trunk
 no ip address
!
interface GigabitEthernet3
 description Mgmt
 switchport access vlan 500
 no ip address
!
interface GigabitEthernet4
 description User
 switchport access vlan 100
 no ip address
!
interface GigabitEthernet5
 description Synology
 switchport access vlan 300
 no ip address
!
interface GigabitEthernet6
 description Synology
 switchport access vlan 300
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 ip address xx.xx.xx.55 255.255.255.240
 duplex auto
 speed auto
 crypto map xxx
!
interface Vlan1
 no ip address
!
interface Vlan100
 description User vlan
 ip address 172.17.50.1 255.255.255.0
!
interface Vlan300
 description Storage vlan
 ip address 172.17.55.1 255.255.255.0
!
interface Vlan400
 description Server vlan
 ip address 172.17.56.1 255.255.255.0
!
interface Vlan500
 description Management vlan
 ip address 172.17.57.1 255.255.255.0
!
interface Async3
 no ip address
 encapsulation slip
!
router ospf 1
 network xx.xx.xx.48 0.0.0.15 area 0
 network 172.17.50.0 0.0.0.255 area 0
 network 172.17.55.0 0.0.0.255 area 0
 network 172.17.56.0 0.0.0.255 area 0
 network 172.17.57.0 0.0.0.255 area 0
 network 172.17.65.0 0.0.0.63 area 0
!
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.62
!
!
access-list 100 permit ip 172.17.50.0 0.0.0.255 any
access-list 100 permit ip 172.17.55.0 0.0.0.255 any
access-list 100 permit ip 172.17.56.0 0.0.0.255 any
access-list 100 permit ip 172.17.57.0 0.0.0.255 any
access-list 100 permit ip 172.17.65.0 0.0.0.63 any
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
 no modem enable
line aux 0
line 3
 modem InOut
 speed 115200
 flowcontrol hardware
line vty 0 4
 login local
 transport input ssh
!
scheduler allocate 20000 1000
!
end

Packet-Tracer Output

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop xx.xx.xx.62 using egress ifc  outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,outside) source dynamic xxxFO interface
Additional Information:
Dynamic translate 172.17.55.200/0 to xx.xx.xx.50/21969

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
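The packet-tracer output above shows which NAT rule the ASA picked for the remote-LAN flow (phase 3, `nat (outside,outside) source dynamic xxxFO interface`). The ASA evaluates manual (twice) NAT rules in section 1 top-down, first match wins, keyed on the ingress/egress interface pair and the real source/destination. The following script is an added example, not code from the original question or from Cisco: it parses the question's own object and NAT lines and replays that lookup for three flows (HQ host to remote LAN, remote LAN hairpinning to the Internet, HQ host to the Internet). It is a deliberate simplification: it only models section 1, treats the interface pair as already resolved (as packet-tracer does in phase 1), ignores reverse matching of static rules and the `route-lookup` keyword, and treats `inside-dmz-network`, which the posted config references but never defines, as an object that matches nothing.

```python
"""Simplified ASA manual-NAT (section 1) lookup: rules are evaluated top-down,
first match wins, keyed on (real ifc, mapped ifc, real src, real dst).
Added example; the object/NAT text below is copied from the question's ASA config."""
import ipaddress
import re

ASA_CONFIG = """\
object network user-network
 subnet 192.168.128.0 255.255.255.0
object network server-network
 subnet 192.168.108.0 255.255.255.0
object network transit-network
 subnet 192.168.118.0 255.255.255.0
object network xxxUser
 subnet 172.17.50.0 255.255.255.0
object network xxxStorage
 subnet 172.17.55.0 255.255.255.0
object network xxxServer
 subnet 172.17.56.0 255.255.255.0
object network xxxMgmt
 subnet 172.17.57.0 255.255.255.0
object network xxxDMZOut
 subnet 172.17.65.0 255.255.255.192
object-group network DM_INLINE_NETWORK_1
 network-object object xxxDMZOut
 network-object object xxxMgmt
 network-object object xxxServer
 network-object object xxxStorage
 network-object object xxxUser
object-group network xxxFO
 network-object object xxxMgmt
 network-object object xxxServer
 network-object object xxxStorage
 network-object object xxxUser
nat (inside,outside) source static any any destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 no-proxy-arp route-lookup
nat (outside,outside) source dynamic xxxFO interface
nat (inside,outside) source dynamic inside-dmz-network interface
nat (inside,outside) source dynamic user-network interface
nat (inside,outside) source dynamic server-network interface
nat (inside,outside) source dynamic transit-network interface
nat (inside,outside) source dynamic any interface
"""

def parse_objects(text):
    """Resolve 'object network' subnets and 'object-group network' members into lists of networks."""
    objs, groups, current = {}, {}, None
    for line in text.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = ("obj", m.group(1)); objs[current[1]] = []; continue
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = ("grp", m.group(1)); groups[current[1]] = []; continue
        m = re.match(r"\s+subnet (\S+) (\S+)", line)
        if m and current and current[0] == "obj":
            objs[current[1]].append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")); continue
        m = re.match(r"\s+network-object object (\S+)", line)
        if m and current and current[0] == "grp":
            groups[current[1]].append(m.group(1)); continue
        if not line.startswith(" "):
            current = None
    nets = dict(objs)
    for name, members in groups.items():
        nets[name] = [n for mname in members for n in objs.get(mname, [])]
    return nets

NAT_RE = re.compile(r"nat \((\S+),(\S+)\) source (static|dynamic) (\S+) (\S+)"
                    r"(?: destination static (\S+) (\S+))?")

def parse_nat_rules(text):
    """Collect section-1 manual NAT rules in configuration order."""
    rules = []
    for line in text.splitlines():
        m = NAT_RE.match(line)
        if m:
            real_ifc, mapped_ifc, kind, rsrc, msrc, rdst, mdst = m.groups()
            rules.append(dict(line=line, real_ifc=real_ifc, mapped_ifc=mapped_ifc, kind=kind,
                              real_src=rsrc, mapped_src=msrc, real_dst=rdst, mapped_dst=mdst))
    return rules

def _matches(name, addr, nets):
    # 'any' matches everything; an undefined object (e.g. inside-dmz-network) matches nothing
    return name == "any" or any(addr in n for n in nets.get(name, []))

def lookup(rules, nets, ingress, egress, src, dst):
    """Return the first rule matching the flow, or None (top-down, first match wins)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r["real_ifc"], r["mapped_ifc"]) != (ingress, egress):
            continue
        if not _matches(r["real_src"], src, nets):
            continue
        if r["real_dst"] and not _matches(r["real_dst"], dst, nets):
            continue
        return r
    return None

def describe(rule):
    if rule is None:
        return "no section-1 match"
    if rule["kind"] == "static" and rule["real_src"] == rule["mapped_src"]:
        return "identity NAT (exemption): " + rule["line"]
    return f"{rule['kind']} NAT to {rule['mapped_src']}: " + rule["line"]

if __name__ == "__main__":
    nets, rules = parse_objects(ASA_CONFIG), parse_nat_rules(ASA_CONFIG)
    flows = [("inside", "outside", "192.168.128.10", "172.17.55.200"),  # HQ host -> remote LAN via tunnel
             ("outside", "outside", "172.17.55.200", "8.8.8.8"),       # remote LAN hairpin -> Internet
             ("inside", "outside", "192.168.128.10", "8.8.8.8")]       # HQ host -> Internet
    for f in flows:
        print(f, "->", describe(lookup(rules, nets, *f)))
```

Running it reproduces the packet-tracer result: the hairpin flow hits the `(outside,outside)` PAT rule, the HQ-to-remote flow hits the identity (exemption) rule, and the HQ-to-Internet flow falls through to the `user-network` PAT rule. Because matching is first-match, the order of the exemption rule relative to the dynamic PAT rules is what keeps tunnel traffic from being translated.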

Best Answer

1

Your configurations on the Cisco ASA and the 891 router look fine to me. I was able to apply most of them in the following lab case, and it works properly:

[image: lab topology diagram]

Let us say:

  • Your Local LAN network is on R4 Loopback 0 interface

  • Your Remote LAN networks are on R1 Loopback interfaces and R3.

  • Internet resources are on R2.

When you want to access:

  • Local network (R4 Lo0 IP: 192.168.108.1) from Remote network (R1 Lo0 IP: 172.17.55.200 and R3). The VPN tunnel comes up, traffic passes through it and is forwarded to the Local network via R4. The IP addresses of the Remote and Local networks remain unchanged (NAT exemption):

    ###Successfully ping R4 Lo0:
    
    R1#ping 192.168.108.1 source loopback 0
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.108.1, timeout is 2 seconds:
    Packet sent with a source address of 172.17.55.200
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 32/40/44 ms
    
    
    R3#ping 192.168.108.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.108.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 120/124/128 ms
    
    
    ciscoasa#show isa
    
    IKEv1 SAs:
    
     Active SA: 1
      Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
     Total IKE SA: 1
    
     1   IKE Peer: 45.67.89.1
         Type    : L2L             Role    : responder
         Rekey   : no              State   : MM_ACTIVE
    
  • Internet resources (R2 IP: 56.78.90.1) from Remote network (R1 Lo0 IP: 172.17.55.200 and R3). The VPN tunnel comes up, traffic passes through it and is forwarded back out the same outside interface (the Remote network addresses are NATted to the ASA outside IP, 13.10.12.1) towards the Internet (R5 and then R2):

    ###Successfully ping R2:
    
    R1#ping 56.78.90.1 source loopback 0
    
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 56.78.90.1, timeout is 2 seconds:
    Packet sent with a source address of 172.17.55.200
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 40/51/60 ms
    
    
    R3#ping 56.78.90.1
    
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 56.78.90.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 120/148/216 ms
    
    
    ###Successfully SSH and logged into R2:
    
    R3#ssh -l Netlab 56.78.90.1    
    Password:    
    R2#
    
    ###NATted, captured traffic and connections on ASA:
    
    ciscoasa# show xlate
    ...
    ICMP PAT from outside:172.17.55.200/4 to outside:13.10.12.1/4 flags ri idle 0:00:04 timeout 0:00:30
    TCP PAT from outside:172.17.50.2/17592 to outside:13.10.12.1/17592 flags ri idle 0:00:12 timeout 0:00:30
    
    
    ciscoasa# show conn
    4 in use, 5 most used
    
    TCP outside  56.78.90.1:22 outside  172.17.50.2:17592, idle 0:00:18, bytes 1947, flags UIOB
    
    
    ciscoasa# show capture
    capture Internet type raw-data interface outside [Capturing - 4615 bytes]
      match tcp any host 56.78.90.1 eq ssh
    
    
    ciscoasa# show capture Internet
    
    87 packets captured
    
    1: 10:04:51.166068       13.10.12.1.17592 > 56.78.90.1.22: S 2513675164:2513675164(0) win 4128 <mss 536>
    2: 10:04:51.196645       56.78.90.1.22 > 13.10.12.1.17592: S 497508457:497508457(0) ack 2513675165 win 4128 <mss 536>
    3: 10:04:51.248705       13.10.12.1.17592 > 56.78.90.1.22: . ack 497508458 win 4128
    ...
    

2

As I wrote earlier in the comment, you should NOT test with packet-tracer in this case, or in a VPN case in general, using the outside interface with a source IP from the Remote network. It will always result in a "Drop" at the VPN phase.

Although I was able to access R2 with real traffic from R3, I got a "Drop" with the following packet-tracer:

ciscoasa# packet-tracer input outside tcp 172.17.50.2 17592 56.78.90.1 22
...
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
...

3

To troubleshoot this issue, you should:

  • Turn on a capture which is similar to what I did in section 1.
  • Try with real traffic from Remote network.
  • Try with both destination public URLs and public IP addresses, in case your DNS servers (Local: 192.168.108.11 and Remote: 172.17.56.60) are not working properly.
  • Monitor the NATted packets and connections at the ASA end.

I hope this is helpful. If you later update your question with more findings, I will update this answer accordingly.
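The last troubleshooting step above (monitor the NATted packets and connections on the ASA) can be turned into a mechanical check. The script below is an added example, not code from the answer or from Cisco: it parses `show xlate` and `show conn` output and verifies the u-turn behaviour the answer demonstrates, namely that every translation whose real source is a remote LAN is `outside` to `outside` and is PATed to the ASA outside address. The sample lines are copied from the answer's output; `OUTSIDE_IP` and `REMOTE_LANS` are the answer's lab values and the question's remote subnets (assumption: substitute your own), and the "bad" line used in the usage note is constructed.

```python
"""Check ASA 'show xlate' / 'show conn' output for correct hairpin (u-turn) NAT of
remote-LAN traffic. Added example; sample output copied from the answer."""
import ipaddress
import re

OUTSIDE_IP = ipaddress.ip_address("13.10.12.1")            # answer's lab value (assumption)
REMOTE_LANS = [ipaddress.ip_network(n) for n in (         # question's remote subnets
    "172.17.50.0/24", "172.17.55.0/24", "172.17.56.0/24", "172.17.57.0/24")]

# Copied from the answer's 'show xlate' output.
SHOW_XLATE = """\
ICMP PAT from outside:172.17.55.200/4 to outside:13.10.12.1/4 flags ri idle 0:00:04 timeout 0:00:30
TCP PAT from outside:172.17.50.2/17592 to outside:13.10.12.1/17592 flags ri idle 0:00:12 timeout 0:00:30
"""
# Copied from the answer's 'show conn' output.
SHOW_CONN = """\
4 in use, 5 most used
TCP outside  56.78.90.1:22 outside  172.17.50.2:17592, idle 0:00:18, bytes 1947, flags UIOB
"""

XLATE_RE = re.compile(
    r"(?P<proto>\S+) PAT from (?P<rifc>\w+):(?P<rip>[\d.]+)/(?P<rport>\d+) "
    r"to (?P<mifc>\w+):(?P<mip>[\d.]+)/(?P<mport>\d+)")
CONN_RE = re.compile(
    r"(?P<proto>\S+) (?P<ifc_a>\w+)\s+(?P<ip_a>[\d.]+):(?P<port_a>\d+) "
    r"(?P<ifc_b>\w+)\s+(?P<ip_b>[\d.]+):(?P<port_b>\d+)")

def parse_xlates(text):
    """Parse PAT entries into dicts with real (r*) and mapped (m*) interface/address/port."""
    out = []
    for line in text.splitlines():
        m = XLATE_RE.search(line)
        if m:
            d = m.groupdict()
            d["rip"] = ipaddress.ip_address(d["rip"])
            d["mip"] = ipaddress.ip_address(d["mip"])
            out.append(d)
    return out

def parse_conns(text):
    """Parse connection entries; both endpoints are kept in the order the ASA prints them."""
    out = []
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            out.append(m.groupdict())
    return out

def is_remote(addr):
    return any(addr in n for n in REMOTE_LANS)

def check_hairpin(xlates, outside_ip=OUTSIDE_IP):
    """Split remote-LAN translations into correct u-turns and problems
    (wrong interface pair, or not PATed to the outside interface address)."""
    ok, problems = [], []
    for x in xlates:
        if not is_remote(x["rip"]):
            continue  # HQ-side translations are out of scope for this check
        if (x["rifc"], x["mifc"]) != ("outside", "outside"):
            problems.append((x, f"{x['rifc']}->{x['mifc']}: not a u-turn on outside"))
        elif x["mip"] != outside_ip:
            problems.append((x, f"mapped to {x['mip']}, not the outside interface address"))
        else:
            ok.append(x)
    return ok, problems

def missing_hosts(xlates, hosts):
    """Hosts you sent real traffic from that have no translation at all: their packets
    are not reaching the NAT stage, so look at the capture rather than the NAT rules."""
    seen = {x["rip"] for x in xlates}
    return sorted(h for h in map(ipaddress.ip_address, hosts) if h not in seen)

if __name__ == "__main__":
    xl = parse_xlates(SHOW_XLATE)
    ok, problems = check_hairpin(xl)
    print(f"{len(ok)} u-turn translation(s) OK, {len(problems)} problem(s)")
    for x, why in problems:
        print("  ", x["rip"], why)
    print("no xlate yet for:", missing_hosts(xl, ["172.17.55.200", "172.17.56.60"]))
    for c in parse_conns(SHOW_CONN):
        print("conn", c["ifc_a"], c["ip_a"], "<->", c["ifc_b"], c["ip_b"])
```

On the answer's output both translations pass. A constructed line such as `TCP PAT from inside:172.17.55.200/5000 to outside:13.10.12.1/5000 ...` is reported as a problem, since a remote-LAN source should never enter on `inside`; and a remote host that generated traffic but shows up in `missing_hosts` points at the capture step, not at NAT ordering.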