
Trouble with ACL in ASA-5504 IPSec config

jkeeffe
Level 2

I'm trying to get an IPSec tunnel up between two ASA-5540s. There is a PC (SunMed_PC) behind ASA-5540-B and a laptop (GHC-laptop) behind ASA-5540-A. If the crypto map allows all IP, via the outside_cryptomap ACL, then the tunnel comes up and an FTP session is established.

But, when I restrict the traffic to FTP, the following error log message is generated:

...Group = 164.72.1.147, IP = 164.72.1.147, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 164.72.1.155/255.255.255.255/6/0 local proxy 164.72.1.135/255.255.255.255/6/21 on interface outside

Here are the configs giving only the pertinent commands. I added the ACL 100 and 'access-group 100 in interface inside', but that didn't change the error.

Any idea what I am missing?

ROC-ASA5540-A

names
name 164.72.1.135 GHC_Laptop description For VPN testing
name 164.72.1.155 SunMed_pc description For VPN testing
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 164.72.1.129 255.255.255.240
!
!
interface GigabitEthernet0/3
 nameif outside
 security-level 0
 ip address 164.72.1.145 255.255.255.248
!
ftp mode passive
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
access-list outside_cryptomap extended permit tcp host GHC_Laptop eq ftp host SunMed_pc object-group DM_INLINE_TCP_1
access-list 100 extended permit ip any any
asdm image disk0:/asdm-603.bin
access-group 100 in interface inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer 164.72.1.147
crypto map outside_map0 1 set transform-set ESP-3DES-SHA
crypto map outside_map0 1 set nat-t-disable
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
group-policy Lan-2-Lan_only internal
group-policy Lan-2-Lan_only attributes
 vpn-filter none
 vpn-tunnel-protocol IPSec
tunnel-group 164.72.1.147 type ipsec-l2l
tunnel-group 164.72.1.147 general-attributes
 default-group-policy Lan-2-Lan_only
tunnel-group 164.72.1.147 ipsec-attributes
 pre-shared-key *
!
: end

----------------------------------------------------------------------------------------------------------

ROC-ASA5540-B# sh run

ASA Version 8.0(3)
!
names
name 164.72.1.135 GHC_laptop
name 164.72.1.155 SunMed_PC
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 164.72.1.153 255.255.255.248
!
interface GigabitEthernet0/3
 nameif outside
 security-level 0
 ip address 164.72.1.147 255.255.255.248
!
ftp mode passive
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
access-list outside_cryptomap extended permit tcp host SunMed_PC host GHC_laptop object-group DM_INLINE_TCP_1
access-list 100 extended permit ip any any
asdm image disk0:/asdm-603.bin
access-group 100 in interface inside
route outside 164.72.1.128 255.255.255.240 GHC-Medical 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer GHC-Medical
crypto map outside_map0 1 set transform-set ESP-3DES-SHA
crypto map outside_map0 1 set nat-t-disable
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 4
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
group-policy Lan-2-Lan internal
group-policy Lan-2-Lan attributes
 vpn-tunnel-protocol IPSec
tunnel-group 164.72.1.145 type ipsec-l2l
tunnel-group 164.72.1.145 general-attributes
 default-group-policy Lan-2-Lan
tunnel-group 164.72.1.145 ipsec-attributes
 pre-shared-key *
: end

1 Accepted Solution

Accepted Solutions

DrD3m3nt0
Level 1

Your acl mapped on the crypto map is suspect on the first device :

access-list outside_cryptomap extended permit tcp host GHC_Laptop eq ftp host SunMed_pc object-group DM_INLINE_TCP_1

The source port should not be defined since it is dynamic.

The second ACL appears correct:

access-list outside_cryptomap extended permit tcp host SunMed_PC host GHC_laptop object-group DM_INLINE_TCP_1

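The rejection message in the question and the accepted answer both come down to one rule: the crypto-map ACL on each ASA must be the exact mirror image of the peer's, ports included, because the IKE proxy IDs each side proposes are built from those entries. The script below is an added example (not part of the thread and not Cisco code) that parses the two crypto ACEs and the "Rejecting IPSec tunnel" line quoted above, checks whether the two entries mirror each other, lists the selector fields on which the peer's proposal differs from the local entry, and writes out the ACE the rejecting side would have needed. It assumes the name and object-group tables are exactly the entries shown in the two configs, models matching as strict equality of the selector (the mirror-image rule), and handles only host/any/network-mask address forms and eq/object-group port forms; the message regex is tailored to the format of the log line quoted in the question.

```python
import ipaddress
import re
from dataclasses import dataclass

# Lookup tables built from the 'name', 'object-group' and port names that appear in
# the two configs in the question (assumption: nothing outside those entries is modelled).
NAMES = {"GHC_Laptop": "164.72.1.135", "GHC_laptop": "164.72.1.135",
         "SunMed_pc": "164.72.1.155", "SunMed_PC": "164.72.1.155"}
PORT_NAMES = {"ftp": 21, "ftp-data": 20}
OBJECT_GROUPS = {"DM_INLINE_TCP_1": {21, 20}}
PROTO = {"ip": 0, "tcp": 6, "udp": 17}
ANY = frozenset()  # empty port set = "any port", which a proxy ID prints as port 0


@dataclass(frozen=True)
class Ace:
    """One crypto-ACL entry; src/dst are as seen by the ASA that holds the ACL."""
    proto: int
    src: ipaddress.IPv4Network
    sport: frozenset
    dst: ipaddress.IPv4Network
    dport: frozenset

    def mirror(self):
        """The entry the peer must hold: addresses and ports swapped."""
        return Ace(self.proto, self.dst, self.dport, self.src, self.sport)


def _addr(tok, i):
    """Consume 'host X', 'any' or 'NET MASK' at tok[i]; object-group networks are not handled."""
    if tok[i] == "host":
        return ipaddress.ip_network(NAMES.get(tok[i + 1], tok[i + 1]) + "/32"), i + 2
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    net = NAMES.get(tok[i], tok[i])
    return ipaddress.ip_network(f"{net}/{tok[i + 1]}", strict=False), i + 2


def _ports(tok, i):
    """Consume an optional 'eq PORT' or 'object-group NAME' at tok[i]."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return frozenset({PORT_NAMES[p] if p in PORT_NAMES else int(p)}), i + 2
    if i < len(tok) and tok[i] == "object-group":
        return frozenset(OBJECT_GROUPS[tok[i + 1]]), i + 2
    return ANY, i


def parse_ace(line):
    """Parse 'access-list NAME extended permit PROTO SRC [ports] DST [ports]'."""
    m = re.match(r"access-list\s+\S+\s+extended\s+permit\s+(\S+)\s+(.*)", line.strip())
    if not m:
        raise ValueError(f"not a permit ACE: {line!r}")
    tok = m.group(2).split()
    src, i = _addr(tok, 0)
    sport, i = _ports(tok, i)
    dst, i = _addr(tok, i)
    dport, _ = _ports(tok, i)
    return Ace(PROTO[m.group(1)], src, sport, dst, dport)


PROXY_RE = re.compile(r"remote proxy ([\d.]+)/([\d.]+)/(\d+)/(\d+) "
                      r"local proxy ([\d.]+)/([\d.]+)/(\d+)/(\d+)")


def parse_rejection(msg):
    """Turn the proxy IDs in an ASA 'Rejecting IPSec tunnel' message into the ACE
    (local -> remote) the rejecting ASA would have needed in its crypto ACL."""
    r_ip, r_mask, _, r_port, l_ip, l_mask, l_proto, l_port = PROXY_RE.search(msg).groups()
    ports = lambda p: ANY if p == "0" else frozenset({int(p)})
    return Ace(int(l_proto),
               ipaddress.ip_network(f"{l_ip}/{l_mask}", strict=False), ports(l_port),
               ipaddress.ip_network(f"{r_ip}/{r_mask}", strict=False), ports(r_port))


def mismatch_fields(ace, proposal):
    """Selector fields on which the peer's proposal differs from the local ACE.
    Models the strict rule that the proposed proxy IDs must equal an ACE; [] means it matches."""
    return [f for f in ("proto", "src", "sport", "dst", "dport")
            if getattr(ace, f) != getattr(proposal, f)]


def is_mirror(local, remote):
    """True when the two sides' crypto ACL entries are exact mirror images."""
    return local == remote.mirror()


def render(ace, acl_name="outside_cryptomap"):
    """Write an ACE back in ASA syntax (single-port selectors, as a proxy ID carries)."""
    proto = {v: k for k, v in PROTO.items()}[ace.proto]

    def addr(n):
        if n.prefixlen == 0:
            return "any"
        return f"host {n.network_address}" if n.prefixlen == 32 else f"{n.network_address} {n.netmask}"

    def port(ps):
        assert len(ps) <= 1, "multi-port sets need an object-group"
        return f" eq {next(iter(ps))}" if ps else ""

    return (f"access-list {acl_name} extended permit {proto} "
            f"{addr(ace.src)}{port(ace.sport)} {addr(ace.dst)}{port(ace.dport)}")


# The two crypto ACEs and the rejection message quoted in the question.
ACE_A = "access-list outside_cryptomap extended permit tcp host GHC_Laptop eq ftp host SunMed_pc object-group DM_INLINE_TCP_1"
ACE_B = "access-list outside_cryptomap extended permit tcp host SunMed_PC host GHC_laptop object-group DM_INLINE_TCP_1"
LOG = ("Group = 164.72.1.147, IP = 164.72.1.147, Rejecting IPSec tunnel: no matching crypto map "
       "entry for remote proxy 164.72.1.155/255.255.255.255/6/0 local proxy "
       "164.72.1.135/255.255.255.255/6/21 on interface outside")

if __name__ == "__main__":
    a, b, proposal = parse_ace(ACE_A), parse_ace(ACE_B), parse_rejection(LOG)
    print("A mirrors B:", is_mirror(a, b))
    print("proposal vs A differs in:", mismatch_fields(a, proposal))
    print("ACE on A that would match the proposal:", render(proposal))
```

Run against the thread's lines it reports that A's entry is not the mirror of B's, that the peer's proposal differs from A's entry only in the destination-port set (B sends SunMed_PC with any source port, A's entry insists on ftp/ftp-data there), and that a matching entry on A would read `access-list outside_cryptomap extended permit tcp host 164.72.1.135 eq 21 host 164.72.1.155`. That is the same picture the proxy IDs in the log already give: `/6/0` is "TCP, any port" and `/6/21` is "TCP, port 21", so the side that owns the FTP server is the one whose port is fixed, and the client side stays open. Whether to carry ports in the crypto ACL at all is the separate question the later replies take up.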

8 Replies

justinlala
Level 1

It looks to me that one access list has a restriction to port 21 and the other does not. I have seen this cause similar issues in the past.

jkeeffe
Level 2

Is there a config guide that explains how to set up a working tunnel and restricting what TCP ports can bring up the tunnel? All the PDF config examples I've been able to find only describe permitting/denying IP traffic - nothing more granular.

I don't know of any guides, and I did just search and couldn't find any.

I would suggest removing the "eq ftp" from the crypto ACL on ASA 5540-A. That may resolve your issue. The access lists on both sides have to match up, and I don't think the "eq ftp" is needed because of the object-group.

Also, which pc is the ftp server and which is the client?

The GHC_PC (164.72.1.135) is the FTP server. I can remove the "eq ftp" from the A box, but I want to be able to restrict to only FTP ports between both devices. Maybe I'm not understanding how the object-group works as regards source/destination ports.

Interesting traffic access lists are not meant to be extended ACLs, meaning they should not include port information. If you want to limit the traffic which goes over the tunnel, there are ways to do this, but trying to limit what brings the tunnel up won't work well.

I checked out the link that justinlala sent and was able to restrict traffic through the tunnel using the method of creating an ACL and applying it to the Lan-2-lan group-policy.

So what this means is that I cannot get granular on what is 'interesting traffic' - I can't use an extended ACL. So that means that anything can/will bring the tunnel up and then the group-policy ACL will restrict the traffic after that?

That doesn't seem very well thought out by Cisco - and it certainly isn't very elegant. With Cisco IOS and the Cisco Concentrator, one can be very granular on what is considered 'interesting traffic'. Why would the ASA force one to bring a tunnel up and then restrict traffic? I don't even know if that would pass security muster.

Am I still missing something here?
