ASA 5505 pinhole to device between site to site VPN.

Unanswered Question
Oct 23rd, 2009

How do you open up a pinhole using port 3001 to devices with a site-to-site VPN?

SNChelpdesk Fri, 10/23/2009 - 06:26

I have a site-to-site VPN. I have a device in one location and the software in the other, and they need to interchange on port 3001. I haven't been able to figure out how to get the device and the software to communicate.

OK - with that in mind, can you answer:

1) From the remote end, can you ping the "device"?

2) From a computer that is running the software can it ping the "device" ?

3) Can the "device" ping the remote computer trying to access the software?

4) Do you control both ends of the VPN tunnel?

5) Are you blocking traffic at one end or both ends?

SNChelpdesk Fri, 10/23/2009 - 06:35

1) I can ping the device on the inside of one end but not the other.

2) I can't ping the device across the tunnel at all.

3) I can control both ends of the tunnel.

Panos Kampanakis Fri, 10/23/2009 - 06:29

You mean you want hosts in site1 to be able to talk to hosts in site2 on port 3001 through the site2site VPN?

In that case you need to make sure that this port is included in the crypto-map ACL, of course, so it goes encrypted, and also, if you have ACLs blocking that port on the inside of the sites, open those up.

I hope it helps.

PK
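The two checks above, written out as ASA configuration. This is an added example, not configuration from the thread or from Cisco documentation. It reuses the thread's third tunnel (site A, inside 192.168.1.0/24, outside 65.82.224.50; peer 74.165.244.10 with inside 192.168.3.0/24) and pre-8.3 NAT syntax as the posted configs use; the host addresses 192.168.1.10 (software, initiating) and 192.168.3.20 (device, listening on TCP/3001), the transform-set name and the pre-shared key are assumptions. One caveat a practitioner should check: decrypted VPN traffic bypasses the outside interface ACL only while `sysopt connection permit-vpn` (the default) is in effect; if it has been turned off, the outside ACL needs an explicit entry for the pinhole.

```cisco
! Added example, not the thread's own config. Site A ASA (65.82.224.50), inside 192.168.1.0/24.
! Peer site C (74.165.244.10) has inside 192.168.3.0/24. Hosts below are assumed:
!   192.168.1.10 = software at site A, 192.168.3.20 = device at site C, TCP/3001.
!
! 1. Interesting traffic. The crypto-map ACL must MATCH the port 3001 flow so it is
!    encrypted. A permit ip between the two subnets (as in the thread) already does;
!    the peer's crypto ACL must be the mirror image (192.168.3.0/24 -> 192.168.1.0/24).
access-list outside_3_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
!
! 2. NAT exemption (pre-8.3 syntax) so tunnel traffic keeps its private source address.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! 3. Interface ACLs. The ASA is stateful, so only the initiating direction needs a
!    permit. Here the software (site A) connects to the device (site C) on 3001;
!    if the device initiates instead, reverse the host and port placement.
access-list inside_access_in extended permit tcp host 192.168.1.10 host 192.168.3.20 eq 3001
access-list inside_access_in extended permit icmp any any
access-group inside_access_in in interface inside
!
!    Decrypted VPN traffic skips the outside ACL only with this default in place:
sysopt connection permit-vpn
!    If it has been disabled (no sysopt connection permit-vpn), the outside ACL
!    must also allow the pinhole explicitly, e.g. for the device-initiated case:
!    access-list outside_access_in extended permit tcp host 192.168.3.20 host 192.168.1.10 eq 3001
access-list outside_access_in extended permit icmp any any
access-group outside_access_in in interface outside
!
! 4. Phase 2 policy tied to the peer (transform-set name assumed).
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 74.165.244.10
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
!
! 5. Phase 1 peer definition (pre-shared key is a placeholder, not a real value).
tunnel-group 74.165.244.10 type ipsec-l2l
tunnel-group 74.165.244.10 ipsec-attributes
 pre-shared-key REPLACE_WITH_SHARED_SECRET
```

Note that the crypto ACLs, the nat0 exemption and (where it exists) a narrower interface ACL must all agree on the same subnets at both ends; a mismatch in any one of them is the usual reason a tunnel shows as up while a specific port never gets through.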

SNChelpdesk Fri, 10/23/2009 - 06:31

That helps, but I'm new at this; can you explain how to set up those actions?

SNChelpdesk Fri, 10/23/2009 - 06:59

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 MorganCity-inside 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 MorganCity-inside 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 Thibodaux-inside 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 EBA_Inside 255.255.255.0

access-list inside_nat0_outbound remark For remote access clients

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip any 10.10.10.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip host 65.82.224.50 host MorganCityPublic

access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 Thibodaux-inside 255.255.255.0

access-list outside_3_cryptomap extended permit ip 192.168.1.0 255.255.255.0 EBA_Inside 255.255.255.0

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit icmp any any

access-list outside_access_in extended permit icmp any any

access-list MUVPN_SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0

access-list split standard permit 192.168.1.0 255.255.255.0

access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

access-list SNC_splitTunnelAcl standard permit any

access-list outside_nat0_outbound_3 extended permit ip 192.168.1.0 255.255.255.0 any

One Side:

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 65.82.224.50 255.255.255.248

access-list outside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 any

access-list outside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 any

access-list outside_nat0_outbound_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list Local_LAN_Access standard permit host 0.0.0.0

SNChelpdesk Fri, 10/23/2009 - 07:00

Second Side:

interface Vlan1

nameif inside

security-level 100

ip address 192.168.2.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 65.82.227.138 255.255.255.248

access-list inside_access_in extended permit icmp any any

access-list outside_access_in extended permit icmp any any

access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 EBA_Internal 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.7.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip host 192.168.2.0 192.168.7.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip any 10.4.5.0 255.255.255.224

access-list outside_2_cryptomap extended permit ip 192.168.2.0 255.255.255.0 EBA_Internal 255.255.255.0

access-list outside_6_cryptomap extended permit ip host 192.168.2.60 192.168.7.0 255.255.255.0

access-list outside_cryptomap_6 extended permit ip host 192.168.2.60 host 192.168.11.1

access-list outside_cryptomap_4 extended permit ip host 192.168.2.60 host 192.168.11.1

access-list DefaultRAGroup_splitTunnelAcl standard permit any

access-list inside_access_in_1 extended permit ip any any

access-list inside_access_in_1 extended permit icmp any any

access-list Mobile_splitTunnelAcl standard permit any

access-list outside_3_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

francisco_1 Fri, 10/23/2009 - 07:42

I believe your configs look fine. You are permitting IP on the tunnel, so that should take care of your interesting traffic on the tunnel. Can you ping the hosts from the PIXs?

SNChelpdesk Fri, 10/23/2009 - 07:45

I can only ping the devices from the ASA side not across the tunnel.

francisco_1 Fri, 10/23/2009 - 07:51

Can you do "show crypto ipsec sa" on both PIXs and upload the output?

francisco_1 Fri, 10/23/2009 - 08:10

Tunnel from ciscoasa to ciscoasa2 is up; the tunnel is built. See below...

Crypto map tag: outside_map, seq num: 2, local addr: 65.82.224.50

access-list outside_2_cryptomap permit ip 192.168.1.0 255.255.255.0 Thibodaux-inside 255.255.255.0

local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (Thibodaux-inside/255.255.255.0/0/0)

current_peer: 65.82.227.138

#pkts encaps: 70966519, #pkts encrypt: 70970711, #pkts digest: 70970711

#pkts decaps: 58306128, #pkts decrypt: 58306128, #pkts verify: 58306128

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 70966519, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 4192, #pre-frag failures: 0, #fragments created: 8384

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 13619

#send errors: 0, #recv errors: 0

local crypto endpt.: 65.82.224.50, remote crypto endpt.: 65.82.227.138

Do you have output from ciscoasa2 to ciscoasa? Can't see it! Unless I am going blind!!!

francisco_1 Fri, 10/23/2009 - 08:26

OK. I am confused. I thought the IPsec problem is between 65.82.227.138 (ciscoasa2) and 65.82.224.50 (ciscoasa). Is that not so?

SNChelpdesk Fri, 10/23/2009 - 08:32

There are three ASAs, all with site-to-site VPN tunnels. The IPsec tunnel is between the 65.x.x.x. The 74.x.x.x is the one in which I need to get the pinholes put in.

francisco_1 Fri, 10/23/2009 - 09:00

Earlier you mentioned the problem is communication between the 192.168.2.0 and 192.168.1.0 subnets on port 3001 over the IPsec tunnel between 65.82.224.50 -> 65.85.227.138!!

Kevin, for clarity please explain what exactly the problem is.

thanks

francisco

SNChelpdesk Fri, 10/23/2009 - 09:05

I'm sorry Francisco the problem lies between subnets 192.168.3.0/24 & 192.168.1.0/24 on port 3001.

francisco_1 Fri, 10/23/2009 - 09:23

Your tunnel is up. Can you ping the inside interfaces from both firewalls through the tunnel? For example, ping 192.168.1.1 (select outside interface).

Crypto map tag: outside_map, seq num: 1, local addr: 65.82.224.50

access-list outside_1_cryptomap permit ip 192.168.1.0 255.255.255.0 MorganCity-inside 255.255.255.0

local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (MorganCity-inside/255.255.255.0/0/0)

current_peer: MorganCityPublic

#pkts encaps: 22361951, #pkts encrypt: 22361955, #pkts digest: 22361955

#pkts decaps: 17685532, #pkts decrypt: 17685532, #pkts verify: 17685532

Crypto map tag: outside_map, seq num: 1, local addr: 74.165.244.10

access-list outside_1_cryptomap permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

current_peer: 65.82.224.50

#pkts encaps: 5499955, #pkts encrypt: 5499955, #pkts digest: 5499955

#pkts decaps: 6493468, #pkts decrypt: 6493468, #pkts verify: 6493468

#pkts compressed: 0, #pkts decompressed: 0

Also

Can you do debug crypto ipsec and debug crypto engine and finally clear crypto ipsec sa?

After clearing crypto ipsec sa, if it doesn't work, send me the debug output.

Are your hosts sitting behind the ASAs connected to a switch? Can the ASAs ping your hosts?
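The checks suggested in this thread (tunnel state, interesting traffic, ACL hits, debugs), collected into one verification sequence as an added example; these are not commands from the thread. It assumes the same hosts as before (software 192.168.1.10 at site A, device 192.168.3.20 on TCP/3001 behind the 74.165.244.10 peer) and is run on the site A ASA over console or SSH. The capture name and the ACL name CAP_3001 are arbitrary.

```cisco
! Added example, not from the thread. Run on the site A ASA (65.82.224.50).
! Host addresses are assumed; the 192.168.3.0/24 peer is 74.165.244.10 as in the thread.
!
! 1. Is phase 1 up, and does phase 2 for THIS subnet pair show packets in both directions?
!    #pkts encaps rising but #pkts decaps flat means the far end is not sending back
!    (check its crypto ACL / nat0 / routing); encaps flat means this side never
!    classified the flow as interesting traffic.
show crypto isakmp sa
show crypto ipsec sa peer 74.165.244.10
!
! 2. Simulate the exact pinhole flow. packet-tracer walks the ACL, NAT and VPN phases
!    and names the one that drops the packet, which is faster than staring at configs.
packet-tracer input inside tcp 192.168.1.10 1025 192.168.3.20 3001 detailed
!
! 3. Are the interface ACL entries actually being hit? (hitcnt=0 on the 3001 line
!    while the host is retrying means the packet never reaches that ACL.)
show access-list inside_access_in
show access-list outside_access_in
!
! 4. Capture the real flow on the inside interface while the software retries.
!    Seeing SYNs with no SYN/ACK confirms the drop is beyond this ASA or at the peer.
access-list CAP_3001 extended permit tcp host 192.168.1.10 host 192.168.3.20 eq 3001
access-list CAP_3001 extended permit tcp host 192.168.3.20 eq 3001 host 192.168.1.10
capture cap_in access-list CAP_3001 interface inside
show capture cap_in
no capture cap_in
!
! 5. Debugs, as suggested above. On an SSH session they are only displayed with
!    'terminal monitor'; the ASDM command-line tool does not show debug output.
terminal monitor
debug crypto ipsec
debug crypto isakmp
clear crypto ipsec sa peer 74.165.244.10
! ... re-test from the host, read the output, then:
undebug all
!
! 6. Optional: to ping the REMOTE ASA's inside interface through the tunnel, the
!    remote ASA needs 'management-access inside'; without it, that ping will fail even
!    when host-to-host traffic works, so it is not a reliable tunnel test by itself.
```

Work through the steps in order: step 1 separates "tunnel down" from "tunnel up but this flow is not carried", step 2 usually names the offending ACL or NAT rule directly, and steps 3 and 4 confirm that diagnosis against live traffic before any debugging is turned on.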

SNChelpdesk Fri, 10/23/2009 - 10:21

Francisco, still trying to run those commands. Not able to run the debug commands from the command line window, and I'm having trouble connecting via SSH. Any other thoughts on how to connect?

francisco_1 Fri, 10/23/2009 - 23:52

Are you having difficulties connecting to both firewalls? Make sure the IP you're connecting from is permitted on the firewalls...

Do you have console access?
