Site to Site VPN one way traffic

Answered Question
Jun 10th, 2010

Hi all,


I have set up a site-to-site VPN and everything works fine from the remote site to the corporate site; however, from the corporate site ASA 5510 I can't get any access to the remote site ASA 5505. I have checked logging on the ASA and I can see the packets being dropped, but I can't find what I need to do to allow this traffic through. Below is most of my 5510 config. I am sure it is something simple that I am missing, but I just can't get it working. Please help.


Remote network is 192.168.72.0


: Saved

: Written by enable_15 at 10:29:17.163 GMT/BDT Thu Jun 10 2010

!

ASA Version 8.0(5)

!

hostname Casa

domain-name uk

enable password VgZT0UwPdkSV9l7N encrypted

passwd zlo5ImUVRkHl4lcl encrypted

names

name 192.168.103.14 CITRIX-Appliance description CITRIX-Appliance

name 192.168.3.12 tney description tney

dns-guard

!

interface Ethernet0/0

nameif outside

security-level 0

ip address x.x.x.123 255.255.255.224

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.3.254 255.255.255.0

!

interface Ethernet0/2

nameif dmz

security-level 50

ip address 192.168.103.254 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa805-k8.bin

boot system disk0:/asa707-k8.bin

ftp mode passive

clock timezone GMT/BST 0

clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00

dns server-group DefaultDNS

domain-name uk

object-group network ExternalAccess

description Hosts allowed direct web access

network-object SVR-01 255.255.255.255

network-object SVR-GIS 255.255.255.255

network-object host Tntu

network-object host tney

object-group network ExternalAccessFromDMZ

description Hosts allowed direct web access from DMZ

network-object CITRIX-Appliance 255.255.255.255

network-object IRONPORT1 255.255.255.255

network-object worker 255.255.255.255

object-group service MitelUDPinternet udp

description Mitel UDP services needed from internet

port-object range 20000 27000

port-object eq sip

port-object eq 5064

object-group service MitelTCPinternet tcp

description Mitel TCP services needed from internet

port-object eq 2114

port-object eq 2116

port-object eq 35000

port-object eq 37000

port-object eq 3998

port-object range 6801 6802

port-object eq 6880

port-object eq www

port-object eq https

port-object eq 6800

port-object eq 3478

port-object eq sip

port-object eq ssh

object-group service MitelTCPinternetOpt tcp

description Mitel TCP optional services from internet

port-object eq 3300

port-object range 6806 6807

port-object range 36005 36005

port-object range 36005 36006

port-object eq 3478

port-object eq sip

object-group service MitelUDP2LAN udp

description Mitel UDP services needed to LAN

port-object range 1024 65535

port-object eq sip

object-group service MitelTCP2LAN tcp

description Mitel TCP services needed to LAN

port-object eq 2114

port-object eq 2116

port-object eq 35000

port-object eq 37000

port-object eq 1606

port-object eq 4443

port-object eq 3998

port-object eq 3999

port-object range 6801 6802

port-object eq 6880

port-object eq www

port-object eq https

port-object eq 3478

port-object eq sip

access-list acl_outside extended permit icmp any any echo-reply

access-list acl_outside extended permit icmp any any unreachable

access-list acl_outside extended permit icmp any any source-quench

access-list acl_outside extended permit tcp any host Mail_Outside_AGH eq smtp

access-list acl_outside extended permit tcp any host Mail_Outside_AGH eq https

access-list acl_outside extended permit tcp any host x.x.x.123 eq ssh

access-list acl_outside extended permit tcp host x.x.x.x host Icritical_Outside eq ssh

access-list acl_outside extended permit tcp any host Citrix_Portal_outside eq 8088

access-list acl_outside extended permit tcp any host Citrix_Portal_outside eq https

access-list acl_outside extended permit tcp any host Citrix_Portal_outside eq 8081

access-list acl_outside extended permit tcp any host Mail_Outside_AVON eq smtp

access-list acl_outside extended permit tcp any host Mail_Outside_AVON eq https

access-list acl_outside extended permit udp host x.x.x.x host Icritical_Outside eq snmp

access-list acl_outside extended permit udp host x.x.x.x host Icritical_Outside eq snmp

access-list acl_outside extended permit tcp any host teleworker_outside object-group MitelTCPinternet

access-list acl_outside extended permit udp any host teleworker_outside object-group MitelUDPinternet

access-list acl_outside extended permit tcp any host teleworker_outside object-group MitelTCPinternetOpt

access-list acl_outside extended permit tcp host x.x.x.x host Icritical_Outside eq ssh

access-list acl_outside extended permit udp any host PAL-ESX-01 eq ntp

access-list acl_outside extended permit udp any host PAL-ESX-02 eq ntp

access-list acl_outside extended permit udp any host PAL-ESX-03 eq ntp

access-list inside_outbound_nat0_acl extended permit ip 192.168.1.0 255.255.255.0 172.30.100.0 255.255.255.224 inactive

access-list inside_outbound_nat0_acl extended permit ip any 172.31.1.0 255.255.255.0

access-list inside_outbound_nat0_acl extended permit ip 192.168.3.0 255.255.255.0 192.168.103.0 255.255.255.0

access-list inside_outbound_nat0_acl extended permit ip 192.168.3.0 255.255.255.0 192.168.72.0 255.255.255.0

access-list inside_pnat_outbound extended permit ip object-group ExternalAccess any

access-list acl_dmz extended permit ip host IRONPORT1 host Mail_Inside_AGH

access-list acl_dmz extended permit udp host IRONPORT1 host pal-svr-22 eq domain

access-list acl_dmz extended permit tcp host IRONPORT1 host pal-svr-22 eq 3268

access-list acl_dmz extended permit udp host IRONPORT1 host ARM-SVR-01 eq domain

access-list acl_dmz extended permit tcp host IRONPORT1 host ARM-SVR-01 eq 3268

access-list acl_dmz extended permit udp host IRONPORT1 host Pal-Svr-17 eq domain

access-list acl_dmz extended permit icmp host IRONPORT1 host Mail_Inside_AGH

access-list acl_dmz extended permit ip 192.168.103.0 255.255.255.0 any

access-list acl_dmz extended permit tcp host CITRIX-Appliance host CITRIXCSG-lan eq https inactive

access-list acl_dmz extended permit ip any host CITRIXCSG-lan inactive

access-list acl_dmz extended permit tcp host IRONPORT1 host Mail_Outside_AGH eq smtp

access-list acl_dmz extended permit tcp host Teleworker host 192.168.20.1 object-group MitelTCP2LAN

access-list acl_dmz extended permit udp host Teleworker host 192.168.20.1 object-group MitelUDP2LAN

access-list dmz_pnat_outbound extended permit ip object-group ExternalAccessFromDMZ any

access-list dmz_nat0_inbound extended permit ip 192.168.103.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list dmz_nat0_inbound extended permit ip host Teleworker host 192.168.20.1

access-list inside_pnat_outbound_AVON extended permit ip 192.168.21.0 255.255.255.0 any

access-list inside_pnat_outbound_AVON extended permit ip 192.168.22.0 255.255.255.0 any

access-list inside_pnat_outbound_AVON extended permit ip 192.168.23.0 255.255.255.0 any

access-list inside_pnat_outbound_AVON extended permit ip 192.168.24.0 255.255.248.0 any

access-list inside_pnat_outbound_AVON extended permit ip 192.168.32.0 255.255.240.0 any

access-list inside_pnat_outbound_AVON extended permit ip 192.168.48.0 255.255.248.0 any

access-list inside_pnat_outbound_AVON extended permit ip 192.168.56.0 255.255.252.0 any

access-list inside_pnat_outbound_AVON extended permit ip 192.168.60.0 255.255.255.0 any

access-list any extended permit ip any any

access-list inside_nat_AVON_Marshall extended permit ip host Mail_Inside_AVON any

access-list dmz_pnat1_outbound extended permit ip host Teleworker any

access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.72.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

logging mail notifications

logging from-address uk

logging recipient-address [email protected] level critical

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu management 1500

ip local pool vpnpool 172.31.1.1-172.31.1.254 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any echo dmz

icmp permit any dmz

asdm image disk0:/asdm-625-53.bin

asdm location SVR-01 255.255.255.255 inside

asdm location svr-02 255.255.255.255 inside

asdm location IRONPORT1 255.255.255.255 dmz

asdm location 194.81.55.226 255.255.255.255 dmz

asdm location Server 255.255.255.255 inside

asdm location CITRIX-Appliance 255.255.255.255 dmz

asdm group ExternalAccess inside

asdm group ExternalAccessFromDMZ dmz

no asdm history enable

arp timeout 14400

global (outside) 2 x.x.x.121

global (outside) 1 x.x.x.125

global (outside) 3 Mail_Outside_AVON

global (outside) 4 Mail_Outside_AGH

global (outside) 5 teleworker_outside

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 2 access-list inside_pnat_outbound_AVON

nat (inside) 3 access-list inside_nat_AVON_Marshall

nat (inside) 1 access-list inside_pnat_outbound

nat (dmz) 0 access-list dmz_nat0_inbound outside

nat (dmz) 4 access-list dmz_pnat_outbound

nat (dmz) 5 access-list dmz_pnat1_outbound

static (inside,outside) tcp Icritical_Outside ssh Icritical ssh netmask 255.255.255.255

static (inside,outside) tcp Mail_Outside_AGH https Mail_Inside_AGH https netmask 255.255.255.255

static (dmz,outside) tcp Mail_Outside_AGH smtp IRONPORT1 smtp netmask 255.255.255.255

static (inside,outside) tcp Mail_Outside_AVON https Exchange_Inside_AVON https netmask 255.255.255.255

static (inside,outside) tcp Mail_Outside_AVON smtp Mail_Inside_AVON smtp netmask 255.255.255.255

static (inside,outside) udp Icritical_Outside snmp Icritical snmp netmask 255.255.255.255

static (dmz,outside) Citrix_Portal_outside CITRIX-Appliance netmask 255.255.255.255

static (inside,outside) Mail_Outside_AVON Mail_Inside_AVON netmask 255.255.255.255

static (dmz,outside) teleworker_outside Teleworker netmask 255.255.255.255

access-group acl_outside in interface outside

access-group acl_dmz in interface dmz

route outside 0.0.0.0 0.0.0.0 X.X.X.254 1

route inside 192.168.0.0 255.255.0.0 192.168.3.3 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http oner 255.255.255.255 inside

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer r.r.r.244

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

no crypto isakmp nat-traversal

telnet timeout 5

ssh x.x.x.x 255.255.255.255 outside

ssh Mail_Inside_AGH 255.255.255.255 inside

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server SVR-DC1 source inside prefer

group-policy VPN internal

group-policy VPN attributes

wins-server value 192.168.x.x 192.168.x.x

dns-server value 192.168.x.x 192.168.x.x

ipsec-udp enable

default-domain value ACE

username VPN password pmmPwcDD/inpnNfB encrypted privilege 0

username VPN attributes

vpn-group-policy VPN

tunnel-group VPN type remote-access

tunnel-group VPN general-attributes

address-pool vpnpool

default-group-policy VPN

tunnel-group VPN ipsec-attributes

pre-shared-key ******

tunnel-group r.r.r.244 type ipsec-l2l

tunnel-group r.r.r.244 ipsec-attributes

pre-shared-key ****

tunnel-group-map default-group r.r.r.244

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns migrated_dns_map_1

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect netbios

inspect tftp

inspect sip

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:8360816431357f109b3c4b950d545c86

: end

Federico Coto F... Thu, 06/10/2010 - 06:36

Hi Conleth,


From the corporate side test if you can PING the remote's inside IP.

To do that, you need the following command on both ASAs: management-access inside

Then, from the corporate ASA: ping inside x.x.x.x, where x.x.x.x is the IP of the inside interface of the remote ASA.


If it works, let us know the IP source and destination of the connection that does not work.


Federico.

condonnelly Thu, 06/10/2010 - 06:49

Hi Federico,


Thanks for the reply. I have tried this and it doesn't work either way, from the corporate network 192.168.3.0 or from the remote 192.168.72.0.


However, I can access everything on the corporate network from the remote network.


Conleth

Federico Coto F... Thu, 06/10/2010 - 07:04

Conleth,


You're saying that you cannot access the remote network from the corporate network.

So, you cannot access 192.168.72.x from 192.168.3.x


What happens if you clear the tunnel and try to initiate it from the corporate side?

Does the tunnel come up?

Check sh cry ips sa to see if you get packets encrypted/decrypted.


Also, sometimes people configure a VPN endpoint to be either originate-only or answer-only rather than bidirectional.

Make sure the remote site is not set to originate-only.


Federico.

condonnelly Thu, 06/10/2010 - 07:25

The corporate firewall seems to drop any packets for the 192.168.72.0 network when viewing the logs. Both sides are set to bidirectional.



sh cry ips sa
interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: x.x.x.123

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.31.1.1/255.255.255.255/0/0)
      current_peer: x.x.x.x, username: VPN
      dynamic allocated peer ip: 172.31.1.1

      #pkts encaps: 6034, #pkts encrypt: 6034, #pkts digest: 6034
      #pkts decaps: 8704, #pkts decrypt: 8704, #pkts verify: 8704
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 6034, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: x.x.x.123/10000, remote crypto endpt.: x.x.x.x/54669
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: ECB54178
      current inbound spi : CB9F8476

    inbound esp sas:
      spi: 0xCB9F8476 (3416228982)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  UDP-Encaps, }
         slot: 0, conn_id: 8192, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 24248
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xECB54178 (3971301752)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  UDP-Encaps, }
         slot: 0, conn_id: 8192, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 24248
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.123

      access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.72.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.72.0/255.255.255.0/0/0)
      current_peer: r.r.r.244

      #pkts encaps: 3449, #pkts encrypt: 3449, #pkts digest: 3449
      #pkts decaps: 3727, #pkts decrypt: 3727, #pkts verify: 3727
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 3449, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: x.x.x.123, remote crypto endpt.: x.x.x.244

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: F26A6B87
      current inbound spi : 762F116C

    inbound esp sas:
      spi: 0x762F116C (1982796140)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 4096, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914502/9800)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xF26A6B87 (4067060615)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 4096, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914031/9799)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

asa#


Thanks,


Conleth

Federico Coto F... Thu, 06/10/2010 - 07:39

Conleth,


If you look at this:


##########################################################


local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.72.0/255.255.255.0/0/0)
      current_peer: r.r.r.244

      #pkts encaps: 3449, #pkts encrypt: 3449, #pkts digest: 3449
      #pkts decaps: 3727, #pkts decrypt: 3727, #pkts verify: 3727


##########################################################


It shows the ASA is receiving (decrypting) and sending (encrypting) traffic to 192.168.72.x


You said that from the corporate network, you cannot PING the inside IP of the remote VPN endpoint?

Do you have the configuration that you can post?


Federico.

condonnelly Thu, 06/10/2010 - 07:51

Hi  Federico


Here is the config for the remote site.



This is what I see on the corporate firewall when I try a Remote Desktop connection to 192.168.72.10:



Jun 10 2010 15:50:40, severity 2, syslog ID 106001, source D_Toner/58309, destination 192.168.72.10/3389: Inbound TCP connection denied from D_Toner/58309 to 192.168.72.10/3389 flags SYN on interface inside




: Saved

: Written by enable_15 at 14:43:47.640 UTC Thu Jun 10 2010

!

ASA Version 8.2(1)

!

hostname asa

domain-name uk

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.72.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address X.X.X.244 255.255.255.248

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

dns server-group DefaultDNS

domain-name uk

access-list outside_access_in extended permit icmp any any echo-reply

access-list inside_nat0_outbound extended permit ip 192.168.72.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.72.0 255.255.255.0 192.168.3.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 X.X.X.121 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

http 192.168.1.5 255.255.255.255 inside

http 192.168.72.10 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer X.X.X.123

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

dhcpd auto_config outside

!

dhcpd address 192.168.72.5-192.168.72.36 inside

dhcpd dns 192.168.3.251 212.108.88.4 interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 192.168.3.252 source inside prefer

webvpn

tunnel-group X.X.X.123 type ipsec-l2l

tunnel-group X.X.X.123 ipsec-attributes

pre-shared-key *****

!

class-map global-class

match default-inspection-traffic

!

!

policy-map global-policy

class global-class

inspect dns

inspect esmtp

inspect ftp

inspect h323 h225

inspect h323 ras

inspect icmp

inspect netbios

!

service-policy global-policy global

prompt hostname context

Cryptochecksum:0433906825b992790dea0664553c1a03

: end

Federico Coto F... Thu, 06/10/2010 - 08:19

You're getting this message on the corporate ASA 5510?


Inbound TCP connection denied from D_Toner/58309 to 192.168.72.10/3389 flags SYN on interface inside


The above message is saying that the ASA is denying this TCP connection on its inside interface when it comes from 192.168.3.69 on port 58309 going to 192.168.72.10 on port 3389.


This is odd, because I don't see an ACL applied to the inside interface of the 5510. Could you verify this with sh run access-group?


Federico.

condonnelly Thu, 06/10/2010 - 08:28

Thanks,


this is what i get


asa# sh run access-group
access-group acl_outside in interface outside
access-group acl_dmz in interface dmz
asa#

Federico Coto F... Thu, 06/10/2010 - 08:39

Can you confirm that this error:


Inbound TCP connection denied from D_Toner/58309
to 192.168.72.10/3389 flags SYN on interface inside


You're seeing it on the corporate ASA 5510 and not on the remote?


Federico.

condonnelly Thu, 06/10/2010 - 08:45

Yes, I receive this on the corporate firewall. From the remote site I can access the corporate network with no problems at all: I can Remote Desktop, do domain lookups and browse network drives.

Federico Coto F... Thu, 06/10/2010 - 09:06

OK, it is strange indeed. Can you do a test?


The corporate ASA is telling us that it's not going to allow a TCP SYN connection from 192.168.3.69 to 192.168.72.70 on those ports. There is no ACL applied to the inside interface, as we checked.


So, using packet-tracer you can simulate the connection and have the ASA tell you which process is preventing this connection from establishing. The packet-tracer test should let us know why the ASA is denying the connection even though there's no rule blocking it.


Federico.

condonnelly Thu, 06/10/2010 - 09:23

Sorry, forgot to change the interface. This shows it as if it is the implicit deny. I have tried adding an additional access rule to allow any any, but it still shows the same.

Attachment: 
Federico Coto F... Thu, 06/10/2010 - 10:01

The result clearly states that the ACL is blocking the traffic.


Could you do this:


access-list inside permit ip any any

access-group inside in interface inside


Actually, the above lines are exactly the same as not having an ACL at all on the inside interface, but since we're having this problem, I'll suggest adding the rule and doing the packet-tracer test again, please.


Federico.

condonnelly Fri, 06/11/2010 - 02:29

Hi Federico,


Sorry it took so long to get back to you. I had tried this already, but I have tried it again and the same thing is happening:



Jun 11 2010 10:21:34, severity 2, syslog ID 106001, source D_Toner/49726, destination 192.168.72.10/3389: Inbound TCP connection denied from D_Toner/49726 to 192.168.72.10/3389 flags SYN on interface inside



I am at a complete loss with this. Any other suggestions?


Thanks,

Con

Correct Answer
edadios Fri, 06/11/2010 - 07:30

This route overlaps with the remote network:

route inside 192.168.0.0 255.255.0.0 192.168.3.3 1


I suggest either making this a more specific subnet or adding something like


route outside 192.168.72.0 255.255.255.0 outside_default_gateway_ip


Otherwise, if the above does not help, use packet-tracer to simulate the same traffic that is failing on the 5510.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1878788


Regards,

condonnelly Tue, 06/15/2010 - 02:26

I am sorry, but I am not really sure what you mean by this. Can you break it down a bit as to what you think I should try?


Thanks

edadios Tue, 06/15/2010 - 05:09

On the firewall with hostname casa you have the route


route inside 192.168.0.0 255.255.0.0 192.168.3.3 1



Your crypto map match address (the traffic to encrypt) is


access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.72.0 255.255.255.0


The remote network on hostname asa is 192.168.72.0 255.255.255.0.


However, because of your route inside statement (on hostname casa), you are saying the network 192.168.72.0 is on the inside.



To correct this, you can add the following on the hostname casa firewall:


route outside 192.168.72.0 255.255.255.0 X.X.X.254


Point it to the outside, so the traffic will be sent to the outside interface, then hit the crypto process and be sent to the peer.


Regards,
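As an added worked example (not from the thread, and not Cisco code), the following Python models the forwarding decision edadios is describing: a longest-prefix route lookup picks the egress interface; a packet whose egress interface is the interface it arrived on is refused unless same-security-traffic permit intra-interface is configured; and only traffic leaving via outside is compared against the crypto map ACL. The routes and crypto ACLs are the ones posted for casa and asa. Assumptions of this example, not facts from the page: 192.168.3.69 as D_Toner's address is taken from Federico's reading of the log, the masked next hops are kept as text, and the verdict strings and simplified order of operations are the example's own, not ASA output.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    egress: str      # nameif of the egress interface
    next_hop: str    # kept as text because the thread masks public addresses


def lookup(routes, dst):
    """Longest-prefix match over a list of Route objects (None if no route)."""
    matches = [r for r in routes if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def forward(routes, crypto_acl, ingress, src, dst, intra_interface=False):
    """Decide what happens to a packet that entered on `ingress`.

    Returns one of 'drop-no-route', 'drop-hairpin', 'encrypt', 'forward'.
    Simplified model (assumption): route lookup first, then the
    intra-interface check, then the crypto map ACL for traffic leaving
    via outside.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    route = lookup(routes, dst)
    if route is None:
        return "drop-no-route"
    if route.egress == ingress and not intra_interface:
        # Routed back out the interface it came in on: refused unless
        # 'same-security-traffic permit intra-interface' is configured.
        return "drop-hairpin"
    if route.egress == "outside" and any(
        src in local and dst in remote for local, remote in crypto_acl
    ):
        return "encrypt"
    return "forward"


N = ipaddress.ip_network

# Corporate 5510 ('casa') as posted: default route out, a /16 summary route
# to an inside router, plus the connected inside and dmz networks.
CASA_ROUTES = [
    Route(N("0.0.0.0/0"), "outside", "X.X.X.254"),
    Route(N("192.168.0.0/16"), "inside", "192.168.3.3"),
    Route(N("192.168.3.0/24"), "inside", "connected"),
    Route(N("192.168.103.0/24"), "dmz", "connected"),
]
CASA_CRYPTO_ACL = [(N("192.168.3.0/24"), N("192.168.72.0/24"))]

# Remote 5505 ('asa') as posted: only a default route and its inside network.
ASA_ROUTES = [
    Route(N("0.0.0.0/0"), "outside", "X.X.X.121"),
    Route(N("192.168.72.0/24"), "inside", "connected"),
]
ASA_CRYPTO_ACL = [(N("192.168.72.0/24"), N("192.168.3.0/24"))]

# The fix proposed in the thread: a more specific route pointing at outside.
FIXED_CASA_ROUTES = CASA_ROUTES + [
    Route(N("192.168.72.0/24"), "outside", "X.X.X.254"),
]

# 192.168.3.69 for D_Toner is an assumption taken from Federico's reply.
SRC_CORP, DST_REMOTE = "192.168.3.69", "192.168.72.10"


def corporate_to_remote_before_fix():
    return forward(CASA_ROUTES, CASA_CRYPTO_ACL, "inside", SRC_CORP, DST_REMOTE)


def corporate_to_remote_after_fix():
    return forward(FIXED_CASA_ROUTES, CASA_CRYPTO_ACL, "inside", SRC_CORP, DST_REMOTE)


def remote_to_corporate():
    return forward(ASA_ROUTES, ASA_CRYPTO_ACL, "inside", DST_REMOTE, SRC_CORP)


if __name__ == "__main__":
    print("casa, before fix:", corporate_to_remote_before_fix())  # drop-hairpin
    print("casa, after fix: ", corporate_to_remote_after_fix())   # encrypt
    print("asa, remote side:", remote_to_corporate())             # encrypt
```

The three calls reproduce the asymmetry seen in the thread: on the remote 5505 the only route covering 192.168.3.0 is the default route out of outside, so its traffic reaches the crypto map; on the 5510 the 192.168.0.0/16 summary route swallows 192.168.72.0 and sends it back to inside, which is exactly a 106001 deny on interface inside with no ACL involved. Note that enabling intra-interface traffic instead of fixing the route would not help: passing intra_interface=True to forward() for the same packet yields 'forward', i.e. cleartext hairpinned to 192.168.3.3, never the tunnel.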
