Interpreting sh crypto ipsec sa command in ASA5505

Unanswered Question
May 13th, 2010

Trying to verify that there is no restricted traffic traveling through the VPN tunnel, i.e. that the VPN tunnel acts like a trusted network and all ports and protocols are passed and not blocked.

After entering "sh crypto ipsec sa" command, there are a couple of lines that I wanted to confirm with someone here who might know.

ASA5505-1

    local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (10.4.1.0/255.255.255.0/0/0)

ASA5505-2

    local ident (addr/mask/prot/port): (10.4.5.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (10.1.5.0/255.255.255.0/0/0)

Do these lines from the sh crypto ipsec sa show that the traffic going through the tunnel is unrestricted? In particular, the zeros for the protocol and ports that are in bold? Does that represent ANY protocol, ANY port?

Jon Marshall Thu, 05/13/2010 - 07:05

It represents any IP packet (because IPSEC is transported in IP) which includes TCP/UDP/ICMP and any port number. Easiest way to verify is simply to look at your crypto acl.

Jon
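To make the "0 means any" reading of the ident tuple concrete, here is an added example (not code from the thread or from Cisco) that parses the `local ident`/`remote ident` lines of `show crypto ipsec sa`, decodes each `(addr/mask/prot/port)` field, reports whether an SA's selector is fully unrestricted, and tests whether a given flow (source, destination, IP protocol, ports) falls inside it. The sample text is constructed: the first pair of lines is the ASA5505-1 output quoted in the question; the second pair uses documentation address ranges with a TCP/3389 selector purely to show how a restricted selector would read, and does not describe any device in this thread.

```python
"""Decode ASA `show crypto ipsec sa` proxy identities (traffic selectors).

Added example for this thread. It relies only on the `(addr/mask/prot/port)`
layout shown in the question; the sample text below is constructed, not
captured from a device.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample. Lines 1-2: the ASA5505-1 output quoted in the question.
# Lines 3-4: a hypothetical restricted selector (TCP only, remote port 3389)
# on documentation ranges, included only for contrast.
SAMPLE_OUTPUT = """\
      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.4.1.0/255.255.255.0/0/0)
      local ident (addr/mask/prot/port): (192.0.2.0/255.255.255.0/6/0)
      remote ident (addr/mask/prot/port): (198.51.100.0/255.255.255.0/6/3389)
"""

# IANA protocol numbers that commonly appear in the "prot" field; 0 means any.
PROTOCOL_NAMES = {0: "any", 1: "icmp", 6: "tcp", 17: "udp"}

IDENT_RE = re.compile(
    r"(?P<side>local|remote) ident \(addr/mask/prot/port\): "
    r"\((?P<addr>[\d.]+)/(?P<mask>[\d.]+)/(?P<prot>\d+)/(?P<port>\d+)\)"
)


@dataclass(frozen=True)
class ProxyId:
    """One side of an SA traffic selector, as the ASA prints it."""
    network: ipaddress.IPv4Network
    protocol: int  # 0 = any IP protocol (TCP, UDP, ICMP, ...)
    port: int      # 0 = any port (only meaningful for TCP/UDP)

    def describe(self) -> str:
        proto = PROTOCOL_NAMES.get(self.protocol, str(self.protocol))
        port = "any port" if self.port == 0 else f"port {self.port}"
        return f"{self.network}, protocol {proto}, {port}"

    def covers(self, address: str, protocol: int, port: int) -> bool:
        """True if one endpoint's address/protocol/port fits this selector."""
        if ipaddress.IPv4Address(address) not in self.network:
            return False
        if self.protocol != 0 and self.protocol != protocol:
            return False
        if self.port != 0 and self.port != port:
            return False
        return True


@dataclass(frozen=True)
class SaSelector:
    local: ProxyId
    remote: ProxyId

    def is_unrestricted(self) -> bool:
        """All four prot/port fields are 0: any IP protocol and any port."""
        fields = (self.local.protocol, self.local.port,
                  self.remote.protocol, self.remote.port)
        return all(f == 0 for f in fields)

    def covers_flow(self, src: str, dst: str, protocol: int,
                    src_port: int = 0, dst_port: int = 0) -> bool:
        """Flow from the local network towards the remote network."""
        return (self.local.covers(src, protocol, src_port)
                and self.remote.covers(dst, protocol, dst_port))


def _to_proxy_id(m: "re.Match[str]") -> ProxyId:
    # ipaddress accepts a dotted netmask after the slash, e.g. 10.1.1.0/255.255.255.0
    network = ipaddress.IPv4Network(f"{m['addr']}/{m['mask']}", strict=False)
    return ProxyId(network, int(m["prot"]), int(m["port"]))


def parse_selectors(text: str) -> List[SaSelector]:
    """Pair each 'local ident' line with the 'remote ident' line that follows it."""
    selectors: List[SaSelector] = []
    pending_local: Optional[ProxyId] = None
    for m in IDENT_RE.finditer(text):
        if m["side"] == "local":
            pending_local = _to_proxy_id(m)
        elif pending_local is not None:
            selectors.append(SaSelector(pending_local, _to_proxy_id(m)))
            pending_local = None
    return selectors


if __name__ == "__main__":
    for sa in parse_selectors(SAMPLE_OUTPUT):
        print("local :", sa.local.describe())
        print("remote:", sa.remote.describe())
        print("unrestricted selector:", sa.is_unrestricted())
        print("RDP 10.x flow covered:",
              sa.covers_flow("10.1.1.10", "10.4.1.20", 6, 51000, 3389))
```

Note what the selector does and does not tell you: it is the negotiated identity of the SA, so `0/0` on both sides means the tunnel will carry any IP protocol to any port between those two networks, which is exactly why Jon points at the crypto ACL as the quickest check (the ACL is what produces these selectors). An interface ACL, a VPN filter, or NAT can still block traffic that an unrestricted selector would otherwise encrypt, so a `0/0` selector rules out only the SA itself as the thing restricting protocols.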

razorbakill Thu, 05/13/2010 - 15:40

I have checked my ACLs repeatedly. The reason I'm asking this question is that I have one site-to-site VPN tunnel up and running. The original networks that are associated with this tunnel are 10.1.1.0 (class C) to 10.4.1.0 (class C). This works just fine; all traffic is passed no matter the protocol or port. But I added another set of networks to the tunnel (same site-to-site tunnel), 10.1.5.0 (class C) to 10.4.5.0 (class C). When I check connectivity between these networks (10.1.5.0 to 10.4.5.0) I can ping across the tunnel back and forth. But I can't get past pinging between the added networks. It seems I can't have any TCP sessions. I tried RDP from one PC to another, telnetting to Cisco devices, etc. No go. The only thing I can do between this second pair of networks is ping. Do you know if this is even possible between two ASA5505s with the basic license running version 7.24? Anything you might know to help me resolve this issue would be most appreciated. My running configs are attached along with the sh crypto ipsec sa output.

Thanks
