Site to Site (5505 to 5505) IPSEC tunnel blocking certain ports?

brian.hough
Level 1

I'm having issues with traffic between two sites connected by a 5505 to 5505 (LAN to LAN) IPsec tunnel.  99% of the traffic over the tunnel seems fine, with one exception.  When a PC on Site A tries to access a web-based (Java embedded) management tool for an IP_PBX at site B, some of the traffic is not making it, resulting in a strange error.  The client PC can ping and hit port 80 to bring up the web GUI, gets prompted for the Java download, and loads the web-embedded Java app.  The Java app itself (a CLI terminal, the same as if you were just telnetting in) gives an error like it can't connect properly to the IP_PBX.  We have other sites where the IPsec tunnel is between two 2800s and there are NO issues.  The IP_PBX provider is suggesting we open up port 2000.  I'm personally not familiar enough with the ASAs to understand why it would be blocking only certain ports on an IPsec tunnel.  I'm especially confused since there is no NATing involved with the traffic crossing this 5505 to 5505 IPsec tunnel.

Any suggestions would be greatly appreciated,

bh

I can post configs if needed, but thought someone might already be familiar with this issue.

thanks again.


7 Replies

Hi,

Just want to add the following...

When you use an ASA to build an IPsec tunnel, the ASA will permit all IP traffic to flow through the tunnel (this means the ASA won't block any TCP/UDP ports).

The ASA does this because of the default behavior of the command "sysopt connection permit-vpn".

The above command allows all IPsec traffic to pass through without being checked against the outside ACL.

If you remove the command ("no sysopt connection permit-vpn"), then all traffic should be allowed by the ACL.

This being said, you can configure VPN filters to restrict some of the traffic through the tunnel.

These filters are ACLs that are applied to the group-policy for the VPN traffic.

In case you have VPN filters configured, I would check whether one of them might be blocking port 2000; otherwise you can check if port 2000 is making it to its destination.

i.e., an outbound ACL applied to the inside interface:

access-list test2000 extended permit tcp any host x.x.x.x eq 2000

access-list test2000 extended permit udp any host x.x.x.x eq 2000

access-list test2000 extended permit ip any any

access-group test2000 out interface inside

The above will permit (TCP and UDP) port 2000 from any source to x.x.x.x (the internal IP), then permit everything else; it's applied outbound on the inside interface.

If "sh access-list test2000" shows hit counts when you send traffic, then we at least know that the ASA is not blocking the traffic.

We can take it from here.

Federico.
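To act on the hit-count check described in the reply above, here is an added Python example (not code from the thread or from Cisco) that parses two snapshots of "show access-list test2000" output, one taken before and one after the test traffic, and reports how much each port-2000 entry grew. The "show access-list" line format is the one the ASA prints; the host 192.168.30.2 stands in for x.x.x.x, and the hash values and counters are constructed sample data.

```python
"""Parse ASA `show access-list` output and decide whether the port-2000
entries of a test ACL accumulated hits between two snapshots."""
from __future__ import annotations
import re
from dataclasses import dataclass

# One ACE per line, in the format the ASA prints:
#   access-list NAME line N extended permit ... (hitcnt=N) 0xHASH
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<ace>.+?) \(hitcnt=(?P<hits>\d+)\)"
)


@dataclass(frozen=True)
class Ace:
    acl: str
    line: int
    text: str
    hits: int


def parse_hitcounts(show_output: str) -> list[Ace]:
    """Extract every ACE with its hit counter; the summary/header line is skipped."""
    aces = []
    for raw in show_output.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            aces.append(Ace(m["acl"], int(m["line"]), m["ace"], int(m["hits"])))
    return aces


def hit_deltas(before: str, after: str, port: int) -> dict[str, int]:
    """Hit-count growth for each ACE that matches `eq <port>`, keyed by ACE text."""
    earlier = {(a.acl, a.line): a.hits for a in parse_hitcounts(before)}
    deltas = {}
    for a in parse_hitcounts(after):
        if re.search(rf"\beq {port}\b", a.text):
            deltas[a.text] = a.hits - earlier.get((a.acl, a.line), 0)
    return deltas


def verdict(before: str, after: str, port: int = 2000) -> str:
    """Interpret the deltas the way the reply suggests."""
    deltas = hit_deltas(before, after, port)
    if not deltas:
        return f"no ACE for port {port} found; is the ACL applied and is the host right?"
    if any(d > 0 for d in deltas.values()):
        return f"ASA forwarded port-{port} traffic to the inside; check the server or the return path"
    return f"no port-{port} hits: the traffic is not reaching the inside interface"


# Constructed sample snapshots (host, counters and hash values are placeholders,
# not values taken from the thread).
BEFORE = """\
access-list test2000; 3 elements; name hash: 0x00000000
access-list test2000 line 1 extended permit tcp any host 192.168.30.2 eq 2000 (hitcnt=0) 0x00000000
access-list test2000 line 2 extended permit udp any host 192.168.30.2 eq 2000 (hitcnt=0) 0x00000000
access-list test2000 line 3 extended permit ip any any (hitcnt=8400) 0x00000000
"""
AFTER = """\
access-list test2000; 3 elements; name hash: 0x00000000
access-list test2000 line 1 extended permit tcp any host 192.168.30.2 eq 2000 (hitcnt=27) 0x00000000
access-list test2000 line 2 extended permit udp any host 192.168.30.2 eq 2000 (hitcnt=0) 0x00000000
access-list test2000 line 3 extended permit ip any any (hitcnt=8431) 0x00000000
"""

if __name__ == "__main__":
    print(hit_deltas(BEFORE, AFTER, 2000))
    print(verdict(BEFORE, AFTER))
```

Comparing two snapshots rather than reading a single counter matters because the "permit ip any any" line keeps counting unrelated traffic; only growth on the port-specific lines during the test window tells you the ASA passed that flow to the inside.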

Federico,

Our "sysopt connection permit-vpn" is in place.  I don't see that we have any VPN filters in place that would block specific IPsec traffic.  After your info about ASAs allowing all IPsec traffic, I'm wondering what could be causing this.  I have lowered the inside/outside MTUs to alleviate possible fragmentation across the IPsec tunnel (not as a result of issues, but just in case).  Maybe this app doesn't like some fragmentation occurring from that lowered MTU?

My original post doesn't mention that these site-to-site ASAs are set up amongst 3 sites: A to B and A to C (as you will notice from the config below).  A's config:

ASA Version 7.2(4) 
!
hostname LBL5505
domain-name default.domain.invalid
enable password
passwd
names
name 192.168.30.0 LanBV2800
name 192.168.40.0 LanLBL
name 192.168.20.0 LanFG2800
!
interface Vlan1
description /24 via NtgearSW
nameif inside
security-level 100
ip address 192.168.40.1 255.255.255.0 
!
interface Vlan2
description external
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.0 
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner login Private Network, access allowed for authorized personnel only!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list inside_nat0_outbound extended permit ip LanLBL 255.255.255.0 LanFG2800 255.255.255.0 
access-list inside_nat0_outbound extended permit ip LanLBL 255.255.255.0 LanBV2800 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any LanLBL 255.255.255.0 
access-list outside_1_cryptomap_1 extended permit ip LanLBL 255.255.255.0 LanBV2800 255.255.255.0 
access-list outside_2_cryptomap_1 extended permit ip LanLBL 255.255.255.0 LanFG2800 255.255.255.0 
access-list 100 extended permit ip host 192.168.30.2 host 192.168.40.2 
access-list 100 extended permit ip host 192.168.20.2 host 192.168.40.2 
access-list 105 extended permit ip host 192.168.40.2 host 192.168.30.2 
access-list 105 extended permit ip host 192.168.40.2 host 192.168.20.2 
pager lines 24
logging enable
logging asdm informational
mtu inside 1450
mtu outside 1450
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 LanLBL 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication telnet console LOCAL 
aaa authentication ssh console LOCAL 
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set REMOTE_trans esp-3des esp-sha-hmac 
crypto ipsec transform-set REMOTE_trans mode transport
crypto dynamic-map dyno 10 set transform-set REMOTE_trans
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer x.x.x.x 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap_1
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer x.x.x.x 
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 ipsec-isakmp dynamic dyno
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal  30
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
dhcpd auto_config outside
!

priority-queue outside
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy REMOTE_policy internal
group-policy REMOTE_policy attributes
dns-server value x.x.x.x x.x.x.x
vpn-tunnel-protocol l2tp-ipsec
username ptci password
username root password
tunnel-group DefaultRAGroup general-attributes
address-pool REMOTE_pool
default-group-policy REMOTE_policy
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
class-map VOICE-OUT
match access-list 105
class-map VOICE-IN
match access-list 100
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
policy-map VOICE
class VOICE-IN
  priority
class VOICE-OUT
  priority
!
service-policy global_policy global
service-policy VOICE interface outside
prompt hostname context 
Cryptochecksum:36e492eae537af6b97679b00256b8a75
: end

Ok.

What about testing with the ACL I mentioned:

access-list test2000 extended permit tcp any host x.x.x.x eq 2000

access-list test2000 extended permit udp any host x.x.x.x eq 2000

access-list test2000 extended permit ip any any

access-group test2000 out interface inside

The idea is to check if the ASA is forwarding the traffic to x.x.x.x on port 2000 outbound towards the inside network.

If you see hit counts on the first statements, the ASA is indeed forwarding the packets and the problem might be with the server itself or with the return traffic.

Federico.

I will certainly try that ACL, probably next week.  Just as an FYI, when you access the same web GUI from a PC that is in the same subnet (aka physically on the same layer 2 switch), it works just fine.  For that matter, it even works fine across a 2800 to 2800 IPsec tunnel.  It is only when the traffic traverses a tunnel between two 5505s.  I'm also seeing that it won't work when I'm VPN'd (PC to ASA) into this ASA, despite being able to ping and load the web page of the IP_PBX.

bh

Update: I just had time to review my packet captures (one of a good session locally and one of a bad session via the IPsec tunnel).  Port 2000 is traversing the tunnel just fine!  I'm going back to the IP_PBX vendor for a different direction.  Will update results shortly.

bh

Turning off inspection for skinny (port 2000) on our ASA resolved the issue.  We have had intermittent reports of call setup issues to this site; can anyone suggest what existing inspections I might want to consider disabling in addition to skinny?  My guesses of course are the h323s at minimum?

thanks,

bh
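Since the fix turned out to be the skinny inspection in the global service policy, and the follow-up question is which other inspections touch this traffic, here is an added Python example (not code from the thread or from Cisco) that reads an ASA running-config in the shape of the one posted above, works out which inspections are actually applied through a "service-policy" line, reports which of them match a given protocol/port under the "default-inspection-traffic" class, and emits the CLI that would remove one. The config excerpt is a constructed, cut-down copy of the posted one; the port table holds the documented default inspection ports and is my assumption, not something the thread states.

```python
"""Find which ASA application inspections apply to a given port, from a
running-config dump, and emit the CLI that would remove one of them."""
from __future__ import annotations
import re

# Constructed excerpt in the shape of the ASA 7.2 config posted in the thread;
# only the policy-map / service-policy part matters here.
CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect sip
  inspect skinny
  inspect tftp
policy-map VOICE
 class VOICE-IN
  priority
!
service-policy global_policy global
service-policy VOICE interface outside
"""

# Ports that `match default-inspection-traffic` uses for each inspection
# (subset; documented defaults, assumed here, not taken from the post).
DEFAULT_PORTS = {
    "dns": {("udp", 53)},
    "ftp": {("tcp", 21)},
    "h323 h225": {("tcp", 1720)},
    "h323 ras": {("udp", 1718), ("udp", 1719)},
    "sip": {("tcp", 5060), ("udp", 5060)},
    "skinny": {("tcp", 2000)},
    "tftp": {("udp", 69)},
}

SP_RE = re.compile(r"^service-policy (\S+) (global|interface \S+)$")


def parse_policy_maps(config: str) -> dict[str, dict[str, list[str]]]:
    """Return {policy_map: {class_name: [inspection, ...]}} for layer-3/4 policy maps."""
    maps: dict[str, dict[str, list[str]]] = {}
    pm = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("policy-map "):
            tokens = line.split()
            if tokens[1] == "type":          # "policy-map type inspect ..." has no classes
                pm = cls = None
                continue
            pm, cls = tokens[1], None
            maps[pm] = {}
        elif line == "!":
            pm = cls = None
        elif pm and line.startswith("class "):
            cls = line.split(maxsplit=1)[1]
            maps[pm][cls] = []
        elif pm and cls and line.startswith("inspect "):
            words = line.split()[1:]
            # "inspect h323 h225" is one inspection; "inspect dns preset_dns_map" is dns plus a map name
            name = " ".join(words[:2]) if words[0] == "h323" else words[0]
            maps[pm][cls].append(name)
    return maps


def parse_service_policies(config: str) -> dict[str, str]:
    """Return {policy_map: scope}, scope being 'global' or 'interface <name>'."""
    out = {}
    for raw in config.splitlines():
        m = SP_RE.match(raw.strip())
        if m:
            out[m.group(1)] = m.group(2)
    return out


def active_inspections(config: str) -> list[tuple[str, str, str, str]]:
    """(inspection, policy_map, class, scope) for every inspection that is actually applied."""
    scopes = parse_service_policies(config)
    result = []
    for pm, classes in parse_policy_maps(config).items():
        if pm not in scopes:            # defined but never attached: inactive
            continue
        for cls, insps in classes.items():
            for name in insps:
                result.append((name, pm, cls, scopes[pm]))
    return result


def inspections_for_port(config: str, proto: str, port: int) -> list[str]:
    """Active inspections whose default-inspection-traffic port matches proto/port."""
    return sorted({name for name, *_ in active_inspections(config)
                   if (proto, port) in DEFAULT_PORTS.get(name, set())})


def disable_inspection_cli(config: str, inspection: str) -> list[str]:
    """CLI lines that remove `inspection` from every class it is applied in."""
    lines = []
    for name, pm, cls, _scope in active_inspections(config):
        if name == inspection:
            lines += [f"policy-map {pm}", f" class {cls}", f"  no inspect {inspection}"]
    return lines


if __name__ == "__main__":
    print(inspections_for_port(CONFIG, "tcp", 2000))
    print("\n".join(disable_inspection_cli(CONFIG, "skinny")))
```

Run against the posted config, the port lookup names skinny for TCP 2000 and the h323 pair for 1720 and 1718-1719, which is the list to weigh when deciding what else to turn off; note that dropping an inspection also removes any pinholes it opened for the protocol's secondary channels, so test call setup after each change rather than disabling several at once.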

Just getting around to updating this post:

The intermittent call issues were in relation to user licensing at one ASA location.  We only had a 10 user license at a location that was exceeding that limit.  The intermittent issues were being caused by phone calls that terminated to ip handsets who were not on the "10 user list" at that time.  You could wait a short period and then a call to the same extension (phone) would work just fine.  In the short wait, an idle user would drop off the 10 list and the previously broken phone would gain access to packet flow.

bh
