02-21-2008 10:04 AM - edited 02-21-2020 03:34 PM
I'm trying to get an IPSec tunnel up between two ASA-5540s. There is a PC (SunMed_PC) behind ASA-5540-B and a laptop (GHC-laptop) behind ASA-5540-A. If the crypto map allows all IP, via the outside_cryptomap ACL, then the tunnel comes up and an FTP session is established.
But, when I restrict the traffic to FTP, the following error log message is generated:
...Group = 164.72.1.147, IP = 164.72.1.147, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 164.72.1.155/255.255.255.255/6/0 local proxy 164.72.1.135/255.255.255.255/6/21 on interface outside
Here are the configs giving only the pertinent commands. I added the ACL 100 and 'access-group 100 in interface inside', but that didn't change the error.
Any idea what I am missing?
ROC-ASA5540-A
names
name 164.72.1.135 GHC_Laptop description For VPN testing
name 164.72.1.155 SunMed_pc description For VPN testing
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 164.72.1.129 255.255.255.240
!
!
interface GigabitEthernet0/3
nameif outside
security-level 0
ip address 164.72.1.145 255.255.255.248
!
ftp mode passive
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
access-list outside_cryptomap extended permit tcp host GHC_Laptop eq ftp host SunMed_pc object-group DM_INLINE_TCP_1
access-list 100 extended permit ip any any
asdm image disk0:/asdm-603.bin
access-group 100 in interface inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer 164.72.1.147
crypto map outside_map0 1 set transform-set ESP-3DES-SHA
crypto map outside_map0 1 set nat-t-disable
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
group-policy Lan-2-Lan_only internal
group-policy Lan-2-Lan_only attributes
vpn-filter none
vpn-tunnel-protocol IPSec
tunnel-group 164.72.1.147 type ipsec-l2l
tunnel-group 164.72.1.147 general-attributes
default-group-policy Lan-2-Lan_only
tunnel-group 164.72.1.147 ipsec-attributes
pre-shared-key *
!
: end
----------------------------------------------------------------------------------------------------------
ROC-ASA5540-B# sh run
ASA Version 8.0(3)
!
names
name 164.72.1.135 GHC_laptop
name 164.72.1.155 SunMed_PC
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 164.72.1.153 255.255.255.248
!
interface GigabitEthernet0/3
nameif outside
security-level 0
ip address 164.72.1.147 255.255.255.248
!
ftp mode passive
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
access-list outside_cryptomap extended permit tcp host SunMed_PC host GHC_laptop object-group DM_INLINE_TCP_1
access-list 100 extended permit ip any any
asdm image disk0:/asdm-603.bin
access-group 100 in interface inside
route outside 164.72.1.128 255.255.255.240 GHC-Medical 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer GHC-Medical
crypto map outside_map0 1 set transform-set ESP-3DES-SHA
crypto map outside_map0 1 set nat-t-disable
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 4
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
group-policy Lan-2-Lan internal
group-policy Lan-2-Lan attributes
vpn-tunnel-protocol IPSec
tunnel-group 164.72.1.145 type ipsec-l2l
tunnel-group 164.72.1.145 general-attributes
default-group-policy Lan-2-Lan
tunnel-group 164.72.1.145 ipsec-attributes
pre-shared-key *
: end
02-21-2008 10:01 PM
Your ACL mapped on the crypto map is suspect on the first device:
access-list outside_cryptomap extended permit tcp host GHC_Laptop eq ftp host SunMed_pc object-group DM_INLINE_TCP_1
The source port should not be defined since it is dynamic.
The second ACL appears correct:
access-list outside_cryptomap extended permit tcp host SunMed_PC host GHC_laptop object-group DM_INLINE_TCP_1
02-21-2008 12:02 PM
It looks to me that one access list has a restriction to port 21 and the other does not. I have seen this cause similar issues in the past.
02-21-2008 12:13 PM
Is there a config guide that explains how to set up a working tunnel and restricting what TCP ports can bring up the tunnel? All the PDF config examples I've been able to find only describe permitting/denying IP traffic - nothing more granular.
02-21-2008 01:35 PM
I don't know of any guides, and I did just search and couldn't find any.
I would suggest removing the "eq ftp" from the crypto ACL on ASA 5540-A. That may resolve your issue. The access lists on both sides have to match up, and I don't think the "eq ftp" is needed because of the object-group.
Also, which pc is the ftp server and which is the client?
02-21-2008 01:40 PM
The GHC_PC (164.72.1.135) is the FTP server. I can remove the "eq ftp" from the A box, but I want to be able to restrict to only FTP on ports between both devices. Maybe I'm not understanding how the object-group works as regards to source/destination ports.
02-21-2008 01:40 PM
Interesting traffic access lists are not meant to be extended acl's, meaning they should not include port information. If you want to limit the traffic which goes over the tunnel, there are ways to do this, but trying to limit what brings the tunnel up won't work well.
02-21-2008 02:46 PM
I think this document will help you.
02-22-2008 10:37 AM
I checked out the link that justinlala sent and was able to restrict traffic through the tunnel using the method of creating an ACL and applying it to the Lan-2-lan group-policy.
So what this means is that I cannot get granular on what is 'interesting traffic' - I can't use an extended ACL. So that means that anything can/will bring the tunnel up and then the group-policy ACL will restrict the traffic after that?
That doesn't seem very well thought out by Cisco - and it certainly isn't very elegant. With Cisco IOS and the Cisco Concentrator, one can be very granular on what is considered 'interesting traffic'. Why would the ASA force one to bring a tunnel up and then restrict traffic? I don't even know if that would pass security muster.
Am I still missing something here?
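The configuration below is an added worked example, not something posted in the thread. It applies the approach the accepted answer and the later replies describe: keep the crypto ACLs (the "interesting traffic" that selects the tunnel) at the IP level and as exact mirror images of each other, and do the port restriction with a vpn-filter on the LAN-to-LAN group policy. The log line at the top of the thread shows why the original ACLs could not negotiate: the peer proposed remote proxy 164.72.1.155/.../6/0 (SunMed, any TCP port) to local proxy 164.72.1.135/.../6/21, while ASA-A's ACE demanded port 20 or 21 on SunMed_pc, so no crypto map entry matched. The ACL name L2L_FTP_ONLY is my own choice; everything else reuses the names and addresses from the posted configs. The vpn-filter ACEs are written the way the ASA expects them, with the remote host as the source and the local host as the destination; the ASA evaluates them for both directions of a flow.

```cisco
! ===== ROC-ASA5540-A (local host GHC_Laptop is the FTP server) =====
! Crypto ACL: IP only, no ports. Must be the mirror image of the peer's.
no access-list outside_cryptomap extended permit tcp host GHC_Laptop eq ftp host SunMed_pc object-group DM_INLINE_TCP_1
access-list outside_cryptomap extended permit ip host GHC_Laptop host SunMed_pc
!
! Post-decryption / pre-encryption filter (assumed name L2L_FTP_ONLY).
! Source = remote host (SunMed_pc), destination = local host (GHC_Laptop) on tcp/21.
access-list L2L_FTP_ONLY extended permit tcp host SunMed_pc host GHC_Laptop eq ftp
!
group-policy Lan-2-Lan_only attributes
 vpn-filter value L2L_FTP_ONLY
!
! ===== ROC-ASA5540-B (local host SunMed_PC is the FTP client) =====
no access-list outside_cryptomap extended permit tcp host SunMed_PC host GHC_laptop object-group DM_INLINE_TCP_1
access-list outside_cryptomap extended permit ip host SunMed_PC host GHC_laptop
!
! Here the remote host is the server, so the port qualifier sits on the source.
access-list L2L_FTP_ONLY extended permit tcp host GHC_laptop eq ftp host SunMed_PC
!
group-policy Lan-2-Lan attributes
 vpn-filter value L2L_FTP_ONLY
!
! ===== Verification (either side) =====
! Tear down the old SA so the new proxy identities are renegotiated.
clear crypto ipsec sa peer 164.72.1.147
! local ident / remote ident should now show .../0/0 (any protocol, any port).
show crypto ipsec sa peer 164.72.1.147
! Hit counts confirm the filter is actually being consulted.
show access-list L2L_FTP_ONLY
```

Two caveats a practitioner will want. First, the `access-group 100 in interface inside` line in the original configs never affects this traffic: by default the ASA has `sysopt connection permit-vpn` enabled, so decrypted VPN traffic bypasses interface ACLs and the vpn-filter is the only ACL that sees it. Second, the filter above permits only the control channel on tcp/21; with passive FTP the data connection lands on a random port on the server, so confirm with `show conn` that the FTP inspection in the global policy is opening the data channel through the tunnel, and if it is not, the filter must also permit the server's passive port range.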