Issue in Gratuity Exemption
Dear Folks,
Please advise; here is a scenario of exemption of gratuity. The client calculates the gratuity amount manually and processes it through Additional Payments via a custom wage type.
The amount of gratuity is added to wage type /130 for exemption purposes. Accordingly I wrote a PCR so that the amount of the wage type would be stored in /130, like this:
Wage type: Gratuity Payment
ELIMI * Elim.time period ID
ADDWT (gratuity wage type) OT Output table
ADDWT /416 OT Output table
AMT?350000 Comparison
<
ADDWT /130 OT Output table
=
ADDWT /130 OT Output table
>
ELIMI * Elim.time period ID
AMT=350000 Set
ADDWT /130 OT Output table
But there is an issue: when we execute payroll for the next month, the exempted amount of gratuity is not added.
Please advise.
Regards,
Hi
This can be done at the reporting level. The link below will help you solve this.
http://www.wiseowl.co.uk/blog/s257/ssrs-rows-per-page-pt2.htm
When you have multiple pages, your header may disappear, so the link below will help you have the header repeat on each page.
http://social.technet.microsoft.com/wiki/contents/articles/19398.ssrs-how-to-repeat-headers-on-each-page.aspx
Let me know how it goes.
Cheers
Dr.Subramani Paramasivam
Similar Messages
-
Hi
I am having some issue regarding the exemption of child education/hostel allowances. When I run payroll it does not calculate the CEA/CHA exemption. We have created IT582 for both subtypes.
Any solution please?
Hi,
Please check if you have maintained the tax code in table V_T7INT9 for the same, and schema INN1.
regards
Kiran
Edited by: kiran amrute on Mar 20, 2010 9:28 AM -
Issues in Conveyance Allowance amount in Exemption U/S 10
New issues arise now...
For a new (mid-month) joinee, in the first month the Exemption U/S 10 is calculated based on the Conveyance Allowance amount * 12 months (or the number of remaining months to the financial year end), but for my client the income tax Exemption U/S 10 is based on the actual salary (not earned salary) from the first month onwards.
For example :
Employee X,
Joined date 15.08.2011,
Conveyance Allowance = 800 INR. Earned Conveyance Allowance for 15 days = 400 INR.
When I start payroll for period 5 (August) 2011, WT /130 Exemption U/S 10 = 3,200 (400*8). The Exemption U/S 10 is calculated based on this Conveyance Allowance, but I want the Exemption U/S 10 in the first month (August 2011) calculated as follows:
August month earned Conveyance Allowance = 400 INR + actual Conveyance Allowance per month = 800*7 = 5,600.
Exemption U/S 10 = 6,000 INR.
Please give me some solution
Thanks and regards
Mohan .V
Edited by: mohantamilan on Sep 23, 2011 5:27 PM
Hi,
I think for your earlier thread someone had replied that in the first month your calculations will be as per the actual received amounts for mid-month joinees; however, when you run the second payroll for this employee the system shall consider full attendance and Conveyance shall be 800 x remaining months + the already populated 400 in the RT tables.
After you run the first payroll live you can check the second payroll with a simulation; maybe this will clear your doubt.
Salil -
Exempted vendor Service Tax Issue
Hi ,
One of our vendors has an exemption from service tax. The scenario is as follows:
If the total amount of the invoice is 100000 Rs then in the normal case service tax payable is 10.33% = 10330 Rs and the total value is 110330 Rs.
Now for this particular vendor, if the amount is 100000 Rs then he has to charge service tax on 35% of the amount, that means 10.33% on 35000 Rs, so tax = 3615 Rs and the total invoice amount will be 100000 + 3615 = 103615 Rs.
Calculating it manually each time and booking the invoice is not possible. How can I configure such scenarios? Are there any standard settings available for the same?
Regards
Bhushan
Hi,
Create a new service tax code with the required percentage and use the same. -
There is a very complicated situation regarding children education allowance inclusion in the perk calculation; hope you can help me.
We are paying Rs 300 as CEA and the person has only one child.
This means Rs 100 is exempt and Rs 200 is taxable.
Plus this Rs 200 has to be used up for calculation of the perk for COA/CLA. But in our case this Rs 200 is not being used up for calculation of the perk value.
SAP is doing the correct calculation but picking the wrong value,
i.e. the /* value is not being used and instead the /3 value is being used up.
How can we configure the system to use the /* value and the /3 value? No one answered.
-
I've just purchased a year's license to Creative Cloud on my unit's tax-exempt purchasing card, but the tax was assessed anyway. Several calls to the help desk revealed that no one has been trained in U.S. state sales-tax-exempt organizations, and so I have no way of trying to get this charge backed out, which will result in a big accounting headache.
Is there anyone out there who may be able to help? Unfortunately there seems to be no way to escape being connected to the overseas call center, where managers aren't really able to provide any assistance either.
I will make a complaint to the Better Business Bureau. I'm out $48 (because I gave it to my brother; we are both college students paying our way through school, except I'm in my 30's and also paying bills). It isn't a lot of money but it's a spit in the eye from Verizon. 15-year customer, so what, spit in the eye. Sells Verizon phones at her job every day when she's not working really hard in school, so what, spit in the eye. I'm also forwarding all of this to our district Verizon rep; see what she says.
-
Hi
It's a mid-year go-live. I uploaded April to November legacy payroll, then ran the INLK schema, then set up each month's payroll by releasing and exiting the control record. Then I ran the December month payroll with the regular schema. Now the system is not calculating
annual gross and annual regular income for 12 months in the log tree for tax calculation.
It is calculating December to March (4 months) as annual salary. With this much amount it is calculating all tax declarations, so the tax calculation is coming out wrong.
The exemption /130 tech wage type is also ignoring the last 9 months; it is calculating from December only.
Help me to solve this issue.
Suprita
Hello Suprita
Kindly refer to the notes which would assist you further in your query.
Please check if you have carried out the changes as required for mid-year golive as per the notes.
506128: Legacy data transfer
590725: Documentation for rules in INLK Schema
563491: Legacy data transfer - FAQ
Thanks and Kind Regards
Ramana -
For the mid month new joiner the annual Conveyance exemption is coming incorrectly
Dear All,
For one of our clients, we have faced a unique issue.
If any employee joins in the middle of the month, his prorated conveyance amount (wage type 2020) is coming correctly. Suppose an employee joined on the 16th of the month; the system is calculating his conveyance for that month as INR 400, which is correct.
However in his tax calculation for that particular month, the system is taking INR 400 * (rest of the months of the FY) in wage type /4E3, which is incorrect. Suppose he joined on 16th April; the system is calculating tax exemption 400*12 = 4800.
Now if we run next month's payroll, the system is calculating the exemption properly, i.e. INR 400 + 800 * rest of the months of the FY.
Please help
Regards
Tirtha
Hi Tirtha,
The system is calculating perfectly.
First of all the system checks the number of present days and accordingly gives the amount in wage type /3C3 (conveyance amount monthly), and /3C4 gives the conveyance monthly exemption, which is multiplied by the number of months to the fiscal year end and stored in wage type /4E3.
For example, check PF:
Every month the PF amount is stored in WT /3F1 and sent to /3F5, and this WT is multiplied by the number of months and the annual amount is stored in WT /3F6.
Regards,
Praneeth kumar -
Income tax issue for mid month joinees
Issue 2:
For a new (mid-month) joinee, in the first month the gross salary is calculated based on the earned salary amount * 12 months (or the number of remaining months to the financial year end), but for my client income tax is deducted based on the actual salary (not earned salary) from the first month onwards.
For example :
Employee X,
Joined date 15.08.2011,
Actual salary = 1,00,000 INR. Earned salary for 15 days = 50,000 INR.
When I start payroll for period 5 (August) 2011, WT /416 Gross salary = 4,00,000 (50000*8). Income tax is calculated based on this gross salary, but I want the gross in the first month (August 2011) calculated as follows:
Gross salary: August month earned salary = 50,000 + actual salary per month = 1,00,000*7 = 7,00,000.
Gross salary = 7,50,000 INR.
Please give me some solution
Thanks and regards
Mohan .V
-
The issue is like this.
A company pays Rs 3000 as fuel reimbursement through the Additional Payments infotype for their employees. This is along with the regular conveyance of Rs 800 paid every month in the Basic Pay infotype.
Now there are 2 to 3 scenarios which need to be configured for the same, which are as below.
Scene 1 :
For all the employees who submit petrol bills for Rs 3000, the fuel reimbursement is not taxable and conveyance is taxable (Rs 9600 annually).
Scene 2 :
For all those who didn't submit petrol bills for Rs 3000, the amount is taxable only up to Rs 1200 and Rs 1800 is not taxable (out of a total of Rs 3000).
Conveyance is non-taxable for these employees.
How to configure? Inputs are highly appreciated.
Edited text
Hi
Create two wage types, one for payment, say ab01, and one for exemption, ab02.
Copy ab02 from model wage type MCAX.
Create a tax code, then link this tax code to wage type ab01.
Then maintain Tax Exemptions >> Define Other Allowance or Reimbursement Subtype for Exemption;
maintain T7INA9.
In schema XNAL, before rule XO23, enter:
INCTC taxcode ab02 a
If you maintain the amount in 582, the same amount will be given as exemption. Payment will be done through 15.
Regards,
Balaji -
Issue on Projected Income Tax (Payroll India)
Hi Experts
We have upgraded the system with SP_HR Component patch level 64 and configured SAP Note 1568264.
We have an issue with Projected Income Tax.
Scenario :
Monthly salary: 25000/-, paid the same to the employee in Apr and May 11.
In the month of June the employee has LOP for 2 days and was paid 22000/- for June 11.
Now the system is calculating projected IT based on 22000/- for the remaining months, i.e. 22000*10 = 2,20,000/-.
Showing projected income tax as 2,20,000 + 50000 = 2,70,000/- (should be 3,00,000/-).
Please suggest the possible ways to resolve this.
Appreciate your help.
Thanks
Venkat Babu Kurada
-
Income Tax Exemption on Professional Tax Deducted for Tamilnadu Employees
Hi Experts,
I am working on India Payroll and have configured Professional Tax for Tamil Nadu employees. Professional Tax is deducted correctly for the employee in the month of August and then in the month of January.
However while calculating the income tax exemption the system is considering only the amount deducted in the month of August for the exemption up to December, and in the month of January it is considering PTax deducted in August and January both. In the case of Maharashtra employees, from the first month it is considering the annual projected Professional Tax amount for exemption.
Can anyone guide me on what changes I have to do for considering the projected PTax amount for exemption in the case of Tamil Nadu employees?
Thanks in advance.
OMKAR
As per standard, the Chennai professional tax is projected for every six months, right?
So it is taking it like that; the entire amount will be up to the projection period, so it is taking it for that period.
We had a similar issue at one of the client places: instead of deducting the PTAX every six months it had to be deducted
monthly, so we changed the frequency of deduction from six months to monthly, and then it showed the entire projected amount yearly.
Let's wait for the expert views on this. -
Issue in income tax computation
Dear All,
I have some issue in income tax calculation in India Payroll for a few employees.
Listed the problems below:
1. Exemption Under Section 10 is not considered during income tax calculation
2. Medi-claim is not deducted from gross salary
Hi Lakshman,
Exemption under sec 10 should be considered in the tax calculation. In the tax calculation all the amounts u/s 10 will be stored in wage type /130 and it will be subtracted from the gross salary (/416).
If this is not happening then please check the configuration of the wage type which you are using.
Normally the medical exemption will be processed before the arrival of the gross salary.
Hope this will help you.
Thanks & Regards
Saroj Hial -
Good morning everyone. I am in need of some help. I am a newbie when it comes to configuring the ASA. Here is my problem. I have the ASA configured and it is allowing me to get out to the Internet. I have several VLANs on my network and from inside I can ping everything. I have created the VPN and I am able to connect to it and get an IP assigned from the pool of addresses. If I have multiple connections I can ping the other PCs. Right now I am able to ping the outside and inside interfaces of the ASA but nowhere else. I have split tunneling enabled. Here is a copy of my config.
Thanks
Dave
Result of the command: "sh run"
: Saved
: Serial Number: *****
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
ASA Version 9.1(5)21
hostname Main-ASA
domain-name *****
enable password ***** encrypted
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool AnyC-CPN-Client-Pool 192.168.59.0-192.168.59.250 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 12
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan2
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.252
interface Vlan12
nameif Outside
security-level 0
ip address dhcp setroute
banner login *************************************
banner login Unauthorized access is prohibited !!
banner login *************************************
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup inside
dns domain-lookup Outside
dns server-group DefaultDNS
domain-name *****
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network VLAN54
subnet 192.168.54.0 255.255.255.0
description VLAN 54
object network Management
subnet 192.168.80.0 255.255.255.0
description Management
object network VLAN51
subnet 192.168.51.0 255.255.255.0
description VLAN 51
object network VLAN52
subnet 192.168.52.0 255.255.255.0
description VLAN 52
object network VLAN53
subnet 192.168.53.0 255.255.255.0
description VLAN 53
object network VLAN55
subnet 192.168.55.0 255.255.255.0
description VLAN 55
object network VLAN56
subnet 192.168.56.0 255.255.255.0
description VLAN 56
object service 443
service tcp destination eq https
object service 80
service tcp destination eq www
object service 8245
service tcp destination eq 8245
object service 25295
service udp destination eq 25295
description Blocking 25295
object network VPN-Connections
subnet 192.168.59.0 255.255.255.0
description VPN Connections
object-group service No-IP
description no-ip.com DDNS Update
service-object object 80
service-object object 8245
service-object object 443
access-list inside_access_in remark No-ip DDNS Update
access-list inside_access_in extended permit object-group No-IP object VLAN51 any
access-list inside_access_in extended permit ip any any
access-list VPN standard permit 192.168.0.0 255.255.0.0
access-list Outside_access_in remark Blocking 25295 to HTPC
access-list Outside_access_in extended deny object 25295 any object VLAN54
pager lines 24
logging enable
logging asdm warnings
mtu inside 1500
mtu Outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,Outside) source dynamic any interface
access-group inside_access_in in interface inside
access-group Outside_access_in in interface Outside
router eigrp 1
no auto-summary
network 192.168.0.0 255.255.255.252
network 192.168.59.0 255.255.255.0
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 192.168.51.1
server-port 636
ldap-base-dn cn=users,dc=spicerslocal
ldap-scope subtree
ldap-naming-attribute cn
ldap-login-password *****
ldap-login-dn cn=users,dc=*****
sasl-mechanism digest-md5
ldap-over-ssl enable
server-type microsoft
user-identity default-domain LOCAL
http server enable
http 192.168.0.0 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=Main-ASA
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable Outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
vpn-addr-assign local reuse-delay 5
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 Outside
ssl trust-point ASDM_TrustPoint0 inside
webvpn
enable Outside
anyconnect image disk0:/anyconnect-win-3.1.06079-k9.pkg 1
anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3
anyconnect profiles AnyC-SSL-VPN_client_profile disk0:/AnyC-SSL-VPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 192.168.51.1 8.8.8.8
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN
default-domain value *****
split-dns value 8.8.8.8
group-policy GroupPolicy_AnyC-SSL-VPN internal
group-policy GroupPolicy_AnyC-SSL-VPN attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev2 ssl-client
default-domain value *****
webvpn
anyconnect profiles value AnyC-SSL-VPN_client_profile type user
username Dave password ***** encrypted privilege 15
username Don password ***** encrypted privilege 15
tunnel-group AnyC-SSL-VPN type remote-access
tunnel-group AnyC-SSL-VPN general-attributes
address-pool AnyC-CPN-Client-Pool
tunnel-group AnyC-SSL-VPN webvpn-attributes
group-alias AnyC-SSL-VPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:af0fad1092e0314b0a80f20add03e3f7
: end
Hi Dave,
It seems to be an issue with the NAT; I saw your VPN configuration:
ip local pool AnyC-CPN-Client-Pool 192.168.59.0-192.168.59.250 mask 255.255.255.0
tunnel-group AnyC-SSL-VPN type remote-access
tunnel-group AnyC-SSL-VPN general-attributes
address-pool AnyC-CPN-Client-Pool
tunnel-group AnyC-SSL-VPN webvpn-attributes
group-alias AnyC-SSL-VPN enable
group-policy DfltGrpPolicy attributes
dns-server value 192.168.51.1 8.8.8.8
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN
default-domain value *****
split-dns value 8.8.8.8
access-list VPN standard permit 192.168.0.0 255.255.0.0
You will need to set up a NAT exemption as follows:
object-group network obj-192.168.59.0-Pool
network-object 192.168.59.0 255.255.255.0
object-group network obj-192.168.0.0
network-object 192.168.0.0 255.255.0.0
nat (inside,outside) 1 source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.59.0-Pool obj-192.168.59.0-Pool no-proxy-arp route-lookup
Please proceed to rate and mark this post as correct if it helps!
David Castro,
Regards, -
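Beyond the missing NAT exemption the answer addresses, the running-config posted above carries several settings a security reviewer would flag from the text alone: ASDM/HTTPS management open to any source on the Outside interface (`http 0.0.0.0 0.0.0.0 Outside`), the deprecated `ssh key-exchange group dh-group1-sha1`, DES and 3DES still offered in the IKEv2 proposals and policies, and MD5 offered as ESP integrity. The script below is an added example, not Cisco tooling and not from the original post; it audits a config excerpt (constructed from lines of the posted config) for those conditions and for the absence of a twice-NAT identity rule covering the VPN pool. The finding identifiers and the `config_blocks`/`audit_asa_config` helpers are this example's own.

```python
"""Audit an ASA running-config excerpt for the weak or exposed settings visible
in the config posted above, plus the missing VPN NAT exemption.  Added example,
not Cisco tooling; SAMPLE_CONFIG is constructed from lines of the posted config."""
import re

# Constructed excerpt of the posted config (identical lines, reduced to what the
# checks below look at).
SAMPLE_CONFIG = """\
hostname Main-ASA
ip local pool AnyC-CPN-Client-Pool 192.168.59.0-192.168.59.250 mask 255.255.255.0
access-list VPN standard permit 192.168.0.0 255.255.0.0
nat (inside,Outside) source dynamic any interface
http server enable
http 192.168.0.0 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 Outside
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
ssh key-exchange group dh-group1-sha1
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN
"""

WEAK_CIPHERS = {"des", "3des"}


def config_blocks(text):
    """Yield (header, [sub-lines]) for each top-level entry; indented lines
    belong to the preceding unindented command, as in ASA output."""
    header, body = None, []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t":
            body.append(raw.strip())
            continue
        if header is not None:
            yield header, body
        header, body = raw.strip(), []
    if header is not None:
        yield header, body


def audit_asa_config(text):
    """Return a list of (finding_id, offending_line) tuples."""
    findings = []
    pools = set()
    vpn_identity_nat = False
    for header, body in config_blocks(text):
        if header.startswith("ip local pool "):
            pools.add(header.split()[3])
        elif re.fullmatch(r"http 0\.0\.0\.0 0\.0\.0\.0 \S+", header):
            # ASDM/HTTPS management reachable from any source on that interface
            findings.append(("mgmt-http-any", header))
        elif header == "ssh key-exchange group dh-group1-sha1":
            findings.append(("ssh-kex-dh-group1", header))
        elif header.startswith("crypto ipsec ikev2 ipsec-proposal "):
            for sub in body:
                m = re.match(r"protocol esp encryption (\S+)", sub)
                if m and m.group(1) in WEAK_CIPHERS:
                    findings.append(("esp-weak-cipher", f"{header}: {sub}"))
                if sub.startswith("protocol esp integrity") and "md5" in sub.split():
                    findings.append(("esp-md5-integrity", f"{header}: {sub}"))
        elif header.startswith("crypto ikev2 policy "):
            for sub in body:
                m = re.match(r"encryption (\S+)", sub)
                if m and m.group(1) in WEAK_CIPHERS:
                    findings.append(("ikev2-weak-cipher", f"{header}: {sub}"))
        elif header.startswith("nat (") and " source static " in header \
                and " destination static " in header:
            # a twice-NAT identity rule is how ASA 8.3+ expresses NAT exemption
            vpn_identity_nat = True
    if pools and not vpn_identity_nat:
        findings.append(("vpn-nat-exemption-missing", ", ".join(sorted(pools))))
    return findings


if __name__ == "__main__":
    for fid, where in audit_asa_config(SAMPLE_CONFIG):
        print(f"{fid:28} {where}")
```

The identity-NAT check is deliberately coarse: it accepts any `source static ... destination static` rule rather than verifying that the networks in it cover the inside subnets and the pool, so treat that finding as a prompt to read the rule, not as proof. For the SSH key exchange, ASA 9.1(2) and later accept `ssh key-exchange group dh-group14-sha1`, and the DES/3DES proposals and policies can simply be removed from the ordered lists so that only the AES entries remain.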
Issues with multiple subnets - ASA5510 to Vigor 2820 VPN
Hi there,
I am hoping someone here can help. I have been struggling for some time to sort out issues in a VPN we have between our main London office and the Edinburgh branch office. We have an ASA 5510 in London, talking to a Vigor 2820 in Edinburgh.
The London office has a 192.168.0.0/24 subnet, with the default gateway as a Cisco Catalyst at 192.168.0.254, and the Cisco ASA at 192.168.0.254 as the firewall.
The Edinburgh office has the subnet 192.168.2.0/24, with the Vigor running on 192.168.2.1, providing routing, DHCP and firewall services there.
I have the VPN working fine, correctly routing traffic between those two subnets over the IPsec tunnel. However, I have had much trouble adding additional subnets for our VLANs in London.
What I want to happen is traffic from 192.168.2.0/24 to be able to get to and from 192.168.50.0/24 and several similar networks.
Upon tracing it using the Cisco packet tracer, I can see that the packets for the 192.168.50.0/24 subnet are not making it over the tunnel, having been stopped by the VPN: subtype: encrypt rules. Looking at these rules though, I can't spot the problem. Multiple changes of order of the rules, and reloads, have not sorted out the problem. When I run a packet trace on the main subnet it works fine. I have attached some of the configuration (below) as well as the output from the packet tracer, and the config of the Vigor router.
I apologise in advance for the length of the post, but I have tried to include all relevant information to see if anyone can help.
Firstly, here's the ASA config that seemed relevant. I tried to remove some since we have quite a few site-to-site tunnels set up, and these are probably not relevant (and are all working correctly).
access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.50.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.30.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.40.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip any 192.168.0.192 255.255.255.192
access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.0.0 192.168.7.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.7.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.2.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
nat (inside) 0 access-list insideOutboundNonatAcl
nat (inside) 9 access-list vpnNatAcl
nat (inside) 10 192.168.30.5 255.255.255.255
nat (inside) 10 192.168.0.0 255.255.255.0
nat (inside) 10 192.168.20.0 255.255.255.0
nat (inside) 10 192.168.30.0 255.255.255.0
nat (inside) 10 192.168.50.0 255.255.255.0
access-list inside_in extended permit ip 192.168.0.0 255.255.255.0 any
access-list inside_in extended permit tcp host 192.168.5.2 host 192.168.0.2 eq domain
access-list inside_in extended permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_in extended permit ip 192.168.20.0 255.255.255.0 any
access-list inside_in extended permit ip 192.168.50.0 255.255.255.0 any
access-list inside_in extended permit ip 192.168.30.0 255.255.255.0 any
access-list inside_in extended permit ip 192.168.30.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_in extended permit ip 192.168.40.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_in extended permit ip 192.168.40.0 255.255.255.0 any
access-list inside_in extended permit ip 192.168.10.0 255.255.255.0 any
access-list inside_in extended permit ip host 192.168.2.1 192.168.30.0 255.255.255.0 inactive
access-list inside_in extended permit ip 192.168.2.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_in extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-group inside_in in interface inside
access-list outside_2_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
route inside 192.168.20.0 255.255.255.0 192.168.0.254 1
route inside 192.168.50.0 255.255.255.0 192.168.0.254 1
route inside 192.168.30.0 255.255.255.0 192.168.0.254 1
route inside 192.168.40.0 255.255.255.0 192.168.0.254 1
crypto ipsec transform-set ESP_DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_VPN_SET esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_VPN_SET mode transport
crypto ipsec transform-set TRANS_VPN_SET_2 esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_VPN_SET_2 mode transport
crypto ipsec transform-set ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec df-bit clear-df outside
crypto dynamic-map core_vpn_dyn_map 20 set transform-set ESP_3DES_MD5 ESP_DES_MD5 TRANS_VPN_SET TRANS_VPN_SET_2
crypto dynamic-map core_vpn_dyn_map 40 set pfs
crypto dynamic-map core_vpn_dyn_map 40 set transform-set ESP_3DES_SHA ESP_DES_MD5
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer [branch peer ip]
crypto map outside_map 2 set transform-set ESP_3DES_MD5
crypto isakmp identity address
crypto isakmp identity address
crypto isakmp policy 25
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 28800
crypto isakmp nat-traversal 30
crypto isakmp disconnect-notify
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 100
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth enable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
tunnel-group [branch peer ip] type ipsec-l2l
tunnel-group [branch peer ip] ipsec-attributes
 pre-shared-key *
Note: [branch peer ip] replaces any instances of the branch office outside IP address
I appreciate there may be some duplicated/redundant rules here - I have been playing with config to try to fix the problem. I'd really appreciate any suggestions on how to track this down.
Here's the vigor config:
So it looks to match ok to me at both ends, unless there is something I missed. The vigor routing table shows:
Key: C - connected, S - static, R - RIP, * - default, ~ - private
*        0.0.0.0/ 0.0.0.0 via [ISP gateway server], WAN1
S        [branch peer ip]/ 255.255.255.255 via [branch peer ip], WAN1
S~       192.168.40.0/ 255.255.255.0 via [London office ip], VPN
S~       192.168.50.0/ 255.255.255.0 via [London office ip], VPN
S~       192.168.10.0/ 255.255.255.0 via [London office ip], VPN
S~       192.168.0.0/ 255.255.255.0 via [London office ip], VPN
C~       192.168.2.0/ 255.255.255.0 is directly connected, LAN
S~       192.168.7.0/ 255.255.255.0 via [London office ip], VPN
S~       192.168.30.0/ 255.255.255.0 via [London office ip], VPN
S~       192.168.20.0/ 255.255.255.0 via [London office ip], VPN
*        [ISP dns server]/ 255.255.255.255 via [ISP gateway server], WAN1
I have replaced IPs here as is shown. You can see the vigor seems to want to route the appropriate traffic over the VPN.
Finally, here is the packet trace output:
ciscoasa# packet-trace input outside tcp 192.168.2.1 echo 192.168.50.10 echo d$

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.50.0 255.255.255.0 inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outsideInAcl in interface outside
access-list outsideInAcl extended permit ip 192.168.2.0 255.255.255.0 any
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0x4529e48, priority=12, domain=permit, deny=false
 hits=362922, user_data=0x4529e08, cs_id=0x0, flags=0x0, protocol=0
 src ip=192.168.2.0, mask=255.255.255.0, port=0
 dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0x44057f0, priority=0, domain=permit-ip-option, deny=true
 hits=2693939, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
 src ip=0.0.0.0, mask=0.0.0.0, port=0
 dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 5
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0x44fe9a0, priority=6, domain=nat-exempt-reverse, deny=false
 hits=12, user_data=0x44fe800, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
 src ip=192.168.2.0, mask=255.255.255.0, port=0
 dst ip=192.168.50.0, mask=255.255.255.0, port=0

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside) 10 192.168.50.0 255.255.255.0
 match ip inside 192.168.50.0 255.255.255.0 outside any
 dynamic translation to pool 10 (external [Interface PAT])
 translate_hits = 2250, untranslate_hits = 17
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x4b80e80, priority=1, domain=nat-reverse, deny=false
 hits=32, user_data=0x4b80ce0, cs_id=0x0, flags=0x0, protocol=0
 src ip=0.0.0.0, mask=0.0.0.0, port=0
 dst ip=192.168.50.0, mask=255.255.255.0, port=0

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 10 192.168.50.0 255.255.255.0
 match ip inside 192.168.50.0 255.255.255.0 outside any
 dynamic translation to pool 10 (external [Interface PAT])
 translate_hits = 2250, untranslate_hits = 17
Additional Information:
 Reverse Flow based lookup yields rule:
 in id=0x4b80fa0, priority=1, domain=host, deny=false
 hits=2811, user_data=0x4b80ce0, cs_id=0x0, reverse, flags=0x0, protocol=0
 src ip=192.168.50.0, mask=255.255.255.0, port=0
 dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in id=0x4469ef8, priority=0, domain=permit-ip-option, deny=true
 hits=2010804, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
 src ip=0.0.0.0, mask=0.0.0.0, port=0
 dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 out id=0x4887aa8, priority=70, domain=encrypt, deny=false
 hits=10, user_data=0x0, cs_id=0x44b18f8, reverse, flags=0x0, protocol=0
 src ip=192.168.50.0, mask=255.255.255.0, port=0
 dst ip=192.168.2.0, mask=255.255.255.0, port=0

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
So it seems to find the rule, which it ought to match, but then returns DENY. What's going on here? Perhaps this is misleading and the issue is elsewhere, but it isn't clear from the output here.
For further information, this is output for the WORKING subnet - I have just taken a small part here though:
Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 out id=0x4b86418, priority=70, domain=encrypt, deny=false
 hits=332214, user_data=0x7da5c, cs_id=0x44b18f8, reverse, flags=0x0, protocol=0
 src ip=192.168.0.0, mask=255.255.255.0, port=0
 dst ip=192.168.2.0, mask=255.255.255.0, port=0
Thanks very much in advance for any help you can provide - I've been really stuck on this one!
Chris

Hi,
Can you issue the packet-tracer with the direction being your London office -> Remote office?
Also issue the command twice.
Personally I've used packet-tracer with some L2L VPNs to test if the remote end has the configurations correct. Also I've noticed that the first packet-tracer test never goes through. So issue that command twice and show how it goes.
Though I imagine you have tried to connect through the L2L VPN with real host machines and not just the firewall's packet-tracer?
Also I imagine the original info has a typo. You say your ASA's LAN gateway IP and the local L3 switch's IP address are the same, 192.168.0.254.
Basically the hardest part regarding L2L VPNs should be the initial setup of the VPN connection. Even though it should be simple people still tend to mess up PSKs or Phase1/2 parameters. But as your L2L VPN is already in working order and you are just adding networks to it, it should be pretty simple.
When you add a network and don't require any special NAT configurations, your NAT0 and Encryption domain access-lists should look pretty much the same.
And looking at your configurations, it should be like this
access-list outside_2_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list insideOutboundNonatAcl extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
Btw what is the network 192.168.7.0/24? It seems to have a VPN rule at the remote site but not at the HO site. Though there is a NAT0 rule for that traffic on the HO site.
EDIT: I imagine the VPN network rules should be an exact mirror image of each other. Though it seems this doesn't stop devices from negotiating the VPN up, but who knows if some other device type is picky about that one. Only thing in your situation that I see is the network 192.168.7.0/24 that is not included in the other end's configurations.
EDIT2: Also the reason your test for the already existing rule might be going through without a problem might be because the tunnel is up and working for the networks in question.
EDIT3: Does your Vigor device also have NAT0 rules configured for the new networks?
- Jouni
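Jouni's point above is that the NAT0 ACL and the crypto-map ACL should carry the same network pairs, and that the remote end's VPN networks should be the mirror image of the head office's. The following is an added example (not code from this thread, from Cisco or from DrayTek) that turns that check into a script: it parses pre-8.3 style `access-list NAME extended permit ip ...` lines, reports pairs present in only one of the two ACLs, and compares the near side of the encryption domain with what a Vigor-style routing table sends over its VPN interface. The sample config and routing table are constructed from the subnets mentioned in the thread, with a NAT0 entry for 192.168.7.0/24 that has no crypto-map counterpart; `ISP_GW` and `LONDON_PEER` are placeholders for the real addresses, and the ACL names default to the ones Chris used.

```python
"""Added consistency check for an ASA L2L VPN (example code, not the thread's own).

Reports (1) network pairs in the crypto-map ACL but not the NAT0 ACL or vice
versa and (2) near-side networks that the remote router does or does not route
over the tunnel, so both ends can be checked for being mirror images.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

Pair = Tuple[str, str]  # (near-side network, far-side network) in CIDR form


def _endpoint(tokens: List[str], i: int):
    """Consume one ACE endpoint ('any', 'host A' or 'A MASK') at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config: str) -> Dict[str, Set[Pair]]:
    """Map ACL name -> set of (src, dst) networks of its active 'permit ip' ACEs."""
    acls: Dict[str, Set[Pair]] = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] != "extended":
            continue
        if t[3] != "permit" or t[4] != "ip" or t[-1] == "inactive":
            continue  # only active 'permit ip' ACEs define a VPN / NAT0 pair
        src, i = _endpoint(t, 5)
        dst, _ = _endpoint(t, i)
        acls.setdefault(t[1], set()).add((str(src), str(dst)))
    return acls


def compare_crypto_nat0(crypto: Set[Pair], nat0: Set[Pair]) -> Dict[str, Set[Pair]]:
    """Pairs covered by only one ACL. NAT runs before the crypto map is consulted,
    so an encrypted-but-not-exempt pair is PAT'd to the outside address and never
    matches the encryption domain; an exempt-but-not-encrypted pair leaves the
    outside interface untranslated and in the clear."""
    return {"encrypted_but_not_exempt": crypto - nat0,
            "exempt_but_not_encrypted": nat0 - crypto}


def vpn_routes(vigor_table: str) -> Set[str]:
    """Networks a Vigor-style routing table sends over its VPN interface."""
    nets: Set[str] = set()
    for line in vigor_table.splitlines():
        t = line.split()
        if not t or t[-1] != "VPN":
            continue
        for i, tok in enumerate(t):
            if tok.endswith("/"):  # the Vigor prints 'NET/ MASK' with a space
                nets.add(str(ipaddress.ip_network(f"{tok[:-1]}/{t[i + 1]}", strict=False)))
                break
    return nets


def mirror_check(crypto: Set[Pair], remote_vpn: Set[str]) -> Dict[str, Set[str]]:
    """Near-side networks of the encryption domain vs. the far end's VPN routes."""
    local = {src for src, _ in crypto}
    return {"missing_at_remote": local - remote_vpn,
            "unexpected_at_remote": remote_vpn - local}


def run_checks(config: str, vigor_table: str, crypto_acl: str = "outside_2_cryptomap",
               nat0_acl: str = "insideOutboundNonatAcl") -> Dict[str, Set]:
    acls = parse_acls(config)
    crypto, nat0 = acls.get(crypto_acl, set()), acls.get(nat0_acl, set())
    result: Dict[str, Set] = dict(compare_crypto_nat0(crypto, nat0))
    result.update(mirror_check(crypto, vpn_routes(vigor_table)))
    return result


# Constructed sample input modelled on the thread: the same six subnets in both
# ACLs, a NAT0 ACE for 192.168.7.0/24 with no matching crypto-map ACE, and a remote
# table that still routes 192.168.7.0/24 over the tunnel. ISP_GW and LONDON_PEER
# are placeholders, not real addresses.
SAMPLE_CONFIG = "\n".join(
    [f"access-list outside_2_cryptomap extended permit ip 192.168.{n}.0 255.255.255.0 192.168.2.0 255.255.255.0"
     for n in (20, 30, 40, 50, 10, 0)]
    + [f"access-list insideOutboundNonatAcl extended permit ip 192.168.{n}.0 255.255.255.0 192.168.2.0 255.255.255.0"
       for n in (20, 30, 40, 50, 10, 0, 7)]
    + ["access-list inside_in extended permit ip host 192.168.2.1 192.168.30.0 255.255.255.0 inactive"])
SAMPLE_VIGOR = ("Key: C - connected, S - static, R - RIP, * - default, ~ - private\n"
                "*        0.0.0.0/ 0.0.0.0 via ISP_GW, WAN1\n"
                "C~       192.168.2.0/ 255.255.255.0 is directly connected, LAN\n"
                + "".join(f"S~       192.168.{n}.0/ 255.255.255.0 via LONDON_PEER, VPN\n"
                          for n in (40, 50, 10, 0, 7, 30, 20)))

if __name__ == "__main__":
    for check, items in run_checks(SAMPLE_CONFIG, SAMPLE_VIGOR).items():
        print(f"{check}: {sorted(items) or 'ok'}")
```

Run against the sample it flags the NAT0 pair 192.168.7.0/24 -> 192.168.2.0/24 as exempt but not encrypted, and 192.168.7.0/24 as a network the remote end routes over the tunnel without a matching crypto-map entry at head office, which is the asymmetry Jouni spotted. To use it on a real pair of devices, feed it `show running-config` output from the ASA and the Vigor routing table; the `inactive` ACE in the sample shows that disabled ACEs are ignored just as the ASA ignores them.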