Trouble with ACL in ASA-5504 IPSec config

Answered Question
Feb 21st, 2008

I'm trying to get an IPSec tunnel up between two ASA-5540s. There is a PC (SunMed_PC) behind ASA-5540-B and a laptop (GHC-laptop) behind ASA-5540-A. If the crypto map allows all IP, via the outside_cryptomap ACL, then the tunnel comes up and an FTP session is established.


But, when I restrict the traffic to FTP, the following error log message is generated:


...Group = 164.72.1.147, IP = 164.72.1.147, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 164.72.1.155/255.255.255.255/6/0 local proxy 164.72.1.135/255.255.255.255/6/21 on interface outside


Here are the configs giving only the pertinent commands. I added the ACL 100 and 'access-group 100 in interface inside', but that didn't change the error.


Any idea what I am missing?


ROC-ASA5540-A

names
name 164.72.1.135 GHC_Laptop description For VPN testing
name 164.72.1.155 SunMed_pc description For VPN testing
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 164.72.1.129 255.255.255.240
!
!
interface GigabitEthernet0/3
 nameif outside
 security-level 0
 ip address 164.72.1.145 255.255.255.248
!
ftp mode passive
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
access-list outside_cryptomap extended permit tcp host GHC_Laptop eq ftp host SunMed_pc object-group DM_INLINE_TCP_1
access-list 100 extended permit ip any any
asdm image disk0:/asdm-603.bin
access-group 100 in interface inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer 164.72.1.147
crypto map outside_map0 1 set transform-set ESP-3DES-SHA
crypto map outside_map0 1 set nat-t-disable
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
group-policy Lan-2-Lan_only internal
group-policy Lan-2-Lan_only attributes
 vpn-filter none
 vpn-tunnel-protocol IPSec
tunnel-group 164.72.1.147 type ipsec-l2l
tunnel-group 164.72.1.147 general-attributes
 default-group-policy Lan-2-Lan_only
tunnel-group 164.72.1.147 ipsec-attributes
 pre-shared-key *
!
: end

----------------------------------------------------------------------------------------------------------


ROC-ASA5540-B# sh run

ASA Version 8.0(3)
!
names
name 164.72.1.135 GHC_laptop
name 164.72.1.155 SunMed_PC
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 164.72.1.153 255.255.255.248
!
interface GigabitEthernet0/3
 nameif outside
 security-level 0
 ip address 164.72.1.147 255.255.255.248
!
ftp mode passive
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
access-list outside_cryptomap extended permit tcp host SunMed_PC host GHC_laptop object-group DM_INLINE_TCP_1
access-list 100 extended permit ip any any
asdm image disk0:/asdm-603.bin
access-group 100 in interface inside
route outside 164.72.1.128 255.255.255.240 GHC-Medical 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer GHC-Medical
crypto map outside_map0 1 set transform-set ESP-3DES-SHA
crypto map outside_map0 1 set nat-t-disable
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 4
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
group-policy Lan-2-Lan internal
group-policy Lan-2-Lan attributes
 vpn-tunnel-protocol IPSec
tunnel-group 164.72.1.145 type ipsec-l2l
tunnel-group 164.72.1.145 general-attributes
 default-group-policy Lan-2-Lan
tunnel-group 164.72.1.145 ipsec-attributes
 pre-shared-key *
: end



Correct Answer by DrD3m3nt0 about 9 years 3 months ago

Your acl mapped on the crypto map is suspect on the first device:

access-list outside_cryptomap extended permit tcp host GHC_Laptop eq ftp host SunMed_pc object-group DM_INLINE_TCP_1

The source port should not be defined since it is dynamic.

The second acl appears corrected:

access-list outside_cryptomap extended permit tcp host SunMed_PC host GHC_laptop object-group DM_INLINE_TCP_1


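An added diagnostic (not from the thread or from Cisco) that reads the syslog line the asker quoted together with both crypto ACEs: it parses each ACE using the names and service object-group from the posted configs, derives the peer's proposed proxy identities from the log, reports which field the local ACE rejects, and compares an ACE against the mirror of the peer's. The matching model is a simplified assumption (exact address/mask/protocol match, port equal to one the ACE lists, 0 meaning any port).

```python
import re
from ipaddress import ip_network

# Constructed from the thread: name table, the service object-group and both crypto ACEs.
# Matching is a simplified model of ASA behaviour (assumption): a proposed proxy identity
# must equal the ACE's address/mask/protocol and its port must be one the ACE lists.
NAMES = {"GHC_Laptop": "164.72.1.135", "GHC_laptop": "164.72.1.135",
         "SunMed_pc": "164.72.1.155", "SunMed_PC": "164.72.1.155"}
PORTS = {"ftp": 21, "ftp-data": 20}
GROUPS = {"DM_INLINE_TCP_1": {21, 20}}  # object-group service DM_INLINE_TCP_1 tcp
ANY_PORT = {0}                           # the ASA logs "any port" as /0 in a proxy id

ACL_A = ("access-list outside_cryptomap extended permit tcp host GHC_Laptop eq ftp "
         "host SunMed_pc object-group DM_INLINE_TCP_1")
ACL_B = ("access-list outside_cryptomap extended permit tcp host SunMed_PC "
         "host GHC_laptop object-group DM_INLINE_TCP_1")
SYSLOG = ("Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
          "164.72.1.155/255.255.255.255/6/0 local proxy 164.72.1.135/255.255.255.255/6/21 "
          "on interface outside")

def parse_ace(line):
    """Expand 'permit tcp host A [eq P|object-group G] host B [eq P|object-group G]'
    into (src_net, src_ports, dst_net, dst_ports); port set {0} means any port."""
    toks = line.split()
    i, ends = toks.index("permit") + 2, []      # skip 'permit tcp'
    for _ in range(2):
        net = ip_network(NAMES.get(toks[i + 1], toks[i + 1]) + "/32")  # 'host X'
        i, ports = i + 2, ANY_PORT
        if i < len(toks) and toks[i] == "eq":
            ports, i = {PORTS[toks[i + 1]]}, i + 2
        elif i < len(toks) and toks[i] == "object-group":
            ports, i = GROUPS[toks[i + 1]], i + 2
        ends.append((net, ports))
    return ends[0] + ends[1]

def mirror(ace):
    """The ACE the peer must hold for this one to match: source and destination swapped."""
    src_net, src_ports, dst_net, dst_ports = ace
    return (dst_net, dst_ports, src_net, src_ports)

def parse_proxy(field):
    """'164.72.1.155/255.255.255.255/6/0' -> (network, protocol, port)."""
    addr, mask, proto, port = field.split("/")
    return ip_network(f"{addr}/{mask}"), int(proto), int(port)

def check_proposal(local_ace_line, syslog):
    """Names of the proxy-id fields in the peer's proposal that the local ACE rejects."""
    m = re.search(r"remote proxy (\S+) local proxy (\S+)", syslog)
    remote, local = parse_proxy(m.group(1)), parse_proxy(m.group(2))
    src_net, src_ports, dst_net, dst_ports = parse_ace(local_ace_line)
    checks = [("local address", local[0] == src_net), ("local port", local[2] in src_ports),
              ("remote address", remote[0] == dst_net), ("remote port", remote[2] in dst_ports),
              ("protocol", local[1] == 6 and remote[1] == 6)]
    return [name for name, ok in checks if not ok]
```

With the configs as posted, check_proposal(ACL_A, SYSLOG) returns ['remote port']: ASA-B proposes any port for SunMed_PC while ASA-A's ACE lists ftp/ftp-data there. An ACE with object-group DM_INLINE_TCP_1 on the GHC_Laptop side and no port on SunMed_pc is the exact mirror of ASA-B's ACE and matches the logged proposal under this model.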
justinlala Thu, 02/21/2008 - 12:02

It looks to me that one access list has a restriction to port 21 and the other does not. I have seen this cause similar issues in the past.

jkeeffe Thu, 02/21/2008 - 12:13

Is there a config guide that explains how to set up a working tunnel and restrict what TCP ports can bring up the tunnel? All the PDF config examples I've been able to find only describe permitting/denying IP traffic - nothing more granular.

justinlala Thu, 02/21/2008 - 13:35

I don't know of any guides and I did just search and couldn't find any.


I would suggest removing the "eq ftp" from the crypto ACL on ASA 5540-A. That may resolve your issue. The access lists on both sides have to match up and I don't think the "eq ftp" is needed because of the object-group.


Also, which pc is the ftp server and which is the client?

jkeeffe Thu, 02/21/2008 - 13:40

The GHC_PC (164.72.1.135) is the FTP server. I can remove the "eq ftp" from the A box, but I want to be able to restrict to only FTP on ports between both devices. Maybe I'm not understanding how the object-group works as regards to source/destination ports.

acomiskey Thu, 02/21/2008 - 13:40

Interesting traffic access lists are not meant to be extended ACLs, meaning they should not include port information. If you want to limit the traffic which goes over the tunnel, there are ways to do this, but trying to limit what brings the tunnel up won't work well.

jkeeffe Fri, 02/22/2008 - 10:37

I checked out the link that justinlala sent and was able to restrict traffic through the tunnel using the method of creating an ACL and applying it to the Lan-2-lan group-policy.


So what this means is that I cannot get granular on what is 'interesting traffic' - I can't use an extended ACL. So that means that anything can/will bring the tunnel up and then the group-policy ACL will restrict the traffic after that?


That doesn't seem very well thought out by Cisco - and it certainly isn't very elegant. With Cisco IOS and the Cisco Concentrator, one can be very granular on what is considered 'interesting traffic'. Why would the ASA force one to bring a tunnel up and then restrict traffic? I don't even know if that would pass security muster.


Am I still missing something here?


