ASA5505 Can't get traffic into IPSEC tunnel...

Unanswered Question
Dec 15th, 2013

I'm out of ideas as to why I can't get traffic into my IPSEC tunnel. When I create 'interesting' traffic, the tunnel comes up just fine and Phase-2 completes just fine. When I send a packet with SRC=192.168.27.11 and DST=192.168.4.160 and port=TCP/21, I always get the following error:


Inbound TCP connection denied from  192.168.27.11/4467  to  192.168.4.160/21  Flag SYN  on  Interface EXT-FTP


What am I doing wrong?


==============================================


=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.12.13 08:52:04 =~=~=~=~=~=~=~=~=~=~=~=



DASS-VPN# show run

: Saved

:

ASA Version 8.2(1)

!

hostname DASS-VPN

domain-name dass

enable password xxxxxxxxxxxx encrypted

passwd xxxxxxxxxxxxxxxxxx encrypted

names

name 192.168.6.115 Remote_FTP1

name 192.168.6.116 Remote_FTP2

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.28.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 123.123.123.123 255.255.254.0

!

interface Vlan3

nameif DMZ

security-level 50

ip address 192.168.1.2 255.255.255.0

!

interface Vlan4

nameif LEO-GEO_LUT

security-level 80

ip address 192.168.29.1 255.255.255.0

!

interface Vlan5

nameif EXT-FTP

security-level 70

ip address 192.168.27.1 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

switchport access vlan 4

!


interface Ethernet0/5

switchport access vlan 3

speed 100

duplex full

!

interface Ethernet0/6

switchport access vlan 5

speed 100

duplex full

!

interface Ethernet0/7

!

banner login This  computer is for authorized users only. By accessing this system you are

banner login consenting to complete monitoring with no expectation of privacy. Unauthorized access or use may

banner login subject you to disciplinary action and criminal prosecution.

banner motd This  computer is for authorized users only. By accessing this system you are

banner motd consenting to complete monitoring with no expectation of privacy. Unauthorized access or use may

banner motd subject you to disciplinary action and criminal prosecution.

ftp mode passive

dns server-group DefaultDNS

domain-name dass

object-group service HP-Print tcp

port-object eq 9100

object-group service KACE-AMP tcp

port-object eq 52230

object-group service RDP tcp

port-object eq 3389


access-list toTSI extended permit ip 192.168.28.0 255.255.255.128 10.25.0.0 255.255.255.0


access-list exclude_from_nat extended permit ip 192.168.28.0 255.255.255.128 10.25.0.0 255.255.255.0

access-list exclude_from_nat extended permit ip 192.168.28.0 255.255.255.0 192.168.29.0 255.255.255.0

access-list exclude_from_nat extended permit ip 192.168.28.0 255.255.255.0 192.168.27.0 255.255.255.0

access-list exclude_from_nat extended permit ip host 192.168.28.74 host 192.168.4.160

access-list exclude_from_nat extended permit ip host 192.168.28.72 host Remote_FTP1

access-list exclude_from_nat extended permit ip host 192.168.28.72 host Remote_FTP2


access-list toRemote extended permit ip host 192.168.28.74 host 192.168.4.160

access-list toRemote extended permit ip host 192.168.27.11 host 192.168.4.160

access-list toRemote extended permit ip host 192.168.28.72 host Remote_FTP1

access-list toRemote extended permit ip host 192.168.28.72 host Remote_FTP2 


access-list tsi_policy extended permit tcp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.128 eq pcanywhere-data

access-list tsi_policy extended permit udp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.128 eq pcanywhere-status

access-list tsi_policy extended permit tcp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.0 eq 3389

access-list tsi_policy extended permit tcp 10.25.0.0 255.255.255.0 host 192.168.28.71 eq 1433

access-list tsi_policy extended permit icmp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.128 echo-reply

access-list tsi_policy extended permit icmp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.128 echo


access-list Remote_vpn_filter extended permit tcp host 192.168.4.160 host 192.168.28.74 eq ftp

access-list Remote_vpn_filter extended permit tcp host 192.168.4.160 host 192.168.27.11 eq ftp

access-list Remote_vpn_filter extended permit tcp host Remote_FTP2 host 192.168.28.72 eq ftp 

access-list Remote_vpn_filter extended permit tcp host Remote_FTP2 eq ftp host 192.168.28.72


access-list Remote_vpn_filter extended permit tcp host Remote_FTP1 host 192.168.28.72 eq ftp 

access-list Remote_vpn_filter extended permit tcp host Remote_FTP1 eq ftp host 192.168.28.72 


access-list outside_access_in remark Allow HTTPS access to Packet Data Server (SRV3)

access-list outside_access_in extended permit tcp 123.123.0.0 255.255.0.0 host 123.123.188.40 eq ftp

access-list outside_access_in extended permit tcp host 123.123.166.209 host 123.123.123.123 eq https

access-list outside_access_in extended permit tcp 124.124.50.0 255.255.255.0 host 123.123.123.123 eq https log

access-list outside_access_in extended permit tcp 124.124.49.0 255.255.255.0 host 123.123.123.123 eq https log

access-list outside_access_in extended permit tcp 124.124.48.0 255.255.255.0 host 123.123.123.123 eq https log

access-list outside_access_in extended permit tcp host 123.123.167.110 host 123.123.123.123 eq ssh

access-list outside_access_in extended permit tcp 124.124.47.0 255.255.255.0 host 123.123.123.123 eq https log

access-list outside_access_in extended permit tcp host 123.123.166.209 host 123.123.123.123 eq ssh

access-list outside_access_in extended permit tcp 128.154.224.0 255.255.224.0 host 123.123.123.123 eq https log

access-list outside_access_in extended permit tcp host 123.123.166.209 host 123.123.188.40 object-group RDP

access-list outside_access_in extended permit tcp host 123.123.213.189 host 123.123.188.40 object-group RDP

access-list outside_access_in extended permit tcp host 123.123.232.102 host 123.123.188.40 object-group RDP

access-list outside_access_in extended permit tcp host 123.123.232.184 host 123.123.188.40 object-group RDP


access-list DMZ_access_in remark Allows traffic inbound from frame-relay

access-list DMZ_access_in extended permit tcp host 192.168.4.160 host 192.168.28.74 eq ftp

access-list DMZ_access_in extended permit tcp host 192.168.4.160 host 192.168.27.11 eq ftp

access-list DMZ_access_in extended permit ip 192.168.29.0 255.255.255.0 192.168.28.0 255.255.255.0

access-list DMZ_access_in extended permit icmp any any

access-list DMZ_access_in extended permit ip any any


access-list inside_access_in remark Allows traffic into ASA from Inside

access-list inside_access_in extended permit tcp host 192.168.28.74 host 192.168.4.160 eq ftp


access-list inside_access_in extended permit tcp host 192.168.28.74 192.168.29.0 255.255.255.0 eq ftp

access-list inside_access_in extended permit tcp any host 123.123.244.132 object-group KACE-AMP

access-list inside_access_in extended permit tcp host 192.168.28.100 host 192.168.27.11 eq ftp

access-list inside_access_in extended permit icmp any any

access-list inside_access_in extended permit ip any any


access-list FTP-test remark For testing FTP packets

access-list FTP-test extended permit tcp host 192.168.28.72 host 192.168.4.160


access-list NEO-GEO_LUT-in remark allows traffic out of NEO-GEO net

access-list NEO-GEO_LUT-in extended permit udp any host 123.123.244.173 eq domain

access-list NEO-GEO_LUT-in extended permit udp any host 123.123.50.17 eq domain

access-list NEO-GEO_LUT-in extended permit udp any host 123.123.10.134 eq domain

access-list NEO-GEO_LUT-in extended permit tcp any host 192.168.28.143 object-group HP-Print

access-list NEO-GEO_LUT-in extended permit tcp host 192.168.29.21 host 192.168.27.11 eq ftp

access-list NEO-GEO_LUT-in extended permit tcp host 192.168.29.23 host 192.168.27.11 eq ftp

access-list NEO-GEO_LUT-in extended permit tcp host 192.168.29.11 host 192.168.27.11 eq ftp

access-list NEO-GEO_LUT-in extended permit tcp host 192.168.29.13 host 192.168.27.11 eq ftp

access-list NEO-GEO_LUT-in extended permit tcp host 192.168.29.13 host 192.168.28.74 eq ftp

access-list NEO-GEO_LUT-in extended permit tcp host 192.168.29.11 host 192.168.28.74 eq ftp

access-list NEO-GEO_LUT-in extended permit tcp host 192.168.29.23 host 192.168.28.74 eq ftp

access-list NEO-GEO_LUT-in extended permit tcp host 192.168.29.21 host 192.168.28.74 eq ftp

access-list NEO-GEO_LUT-in extended deny ip any 192.168.28.0 255.255.255.0

access-list NEO-GEO_LUT-in extended permit ip any any


access-list EXT-FTP-in extended permit tcp host 192.168.27.11 host 192.168.4.160 eq ftp

access-list EXT-FTP-in remark allows traffic out of EXT-FTP network


access-list EXT-FTP-in extended permit ip any any


access-list SAR-no-nat extended permit ip 192.168.28.0 255.255.255.0 192.168.29.0 255.255.255.0


access-list LUT-no-nat extended permit ip 192.168.29.0 255.255.255.0 192.168.27.0 255.255.255.0

access-list LUT-no-nat extended permit ip 192.168.29.0 255.255.255.0 192.168.28.0 255.255.255.0


access-list FTP-no-nat extended permit ip 192.168.27.0 255.255.255.0 192.168.28.0 255.255.255.0

access-list FTP-no-nat extended permit ip 192.168.27.0 255.255.255.0 192.168.29.0 255.255.255.0


access-list FTP-no-nat extended permit ip 192.168.27.0 255.255.255.0 host 192.168.4.160


access-list DMZ-no-nat extended permit ip host 192.168.4.160 host 192.168.28.74

access-list DMZ-no-nat extended permit ip host 192.168.4.160 host 192.168.27.11


pager lines 24

logging enable

logging timestamp

logging monitor informational

logging trap informational

logging history notifications

logging asdm informational

logging facility 16

logging device-id hostname

logging host outside 123.123.195.171

logging host outside 123.123.167.138

mtu inside 1500

mtu outside 1500

mtu DMZ 1500

mtu LEO-GEO_LUT 1500


mtu EXT-FTP 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any unreachable outside

asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list exclude_from_nat

nat (inside) 1 0.0.0.0 0.0.0.0

nat (DMZ) 0 access-list DMZ-no-nat

nat (LEO-GEO_LUT) 0 access-list LUT-no-nat

nat (LEO-GEO_LUT) 1 0.0.0.0 0.0.0.0

nat (EXT-FTP) 0 access-list FTP-no-nat

nat (EXT-FTP) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface https 192.168.28.74 https netmask 255.255.255.255

static (EXT-FTP,outside) 123.123.188.40 192.168.27.11 netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

access-group DMZ_access_in in interface DMZ

access-group NEO-GEO_LUT-in in interface LEO-GEO_LUT

access-group EXT-FTP-in in interface EXT-FTP

route outside 0.0.0.0 0.0.0.0 123.123.188.1 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02


timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable 65000

http 192.168.28.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map DassVPN 500 match address toRemote

crypto map DassVPN 500 set pfs

crypto map DassVPN 500 set peer 10.10.10.10

crypto map DassVPN 500 set transform-set ESP-3DES-MD5

crypto map DassVPN 1000 match address toTSI


crypto map DassVPN 1000 set pfs

crypto map DassVPN 1000 set peer 11.11.11.11

crypto map DassVPN 1000 set transform-set ESP-DES-MD5

crypto map DassVPN interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 500

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 1000

authentication pre-share

encryption des

hash md5

group 2

lifetime 86400

crypto isakmp nat-traversal 1000

telnet timeout 60

ssh 192.168.28.0 255.255.255.0 inside

ssh xxxxxxxxxxxxxx 255.255.255.255 outside

ssh xxxxxxxxxxxxxxxx 255.255.255.255 outside

ssh xxxxxxxxxxxxxxxxxxx 255.255.255.255 outside


ssh timeout 60

console timeout 60

dhcpd ping_timeout 750

dhcpd auto_config outside

!


threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 192.168.28.50 source inside prefer

tftp-server inside 192.168.28.72 DASS-ASA-Config_yyyy-mm-dd.txt

webvpn

group-policy RemotePolicy internal

group-policy RemotePolicy attributes

vpn-filter value Remote_vpn_filter

vpn-tunnel-protocol IPSec

group-policy TSIPolicy internal

group-policy TSIPolicy attributes

vpn-filter value tsi_policy

vpn-tunnel-protocol IPSec

username xxxxxxxxxxxxxxx password xxxxxxxxxxxxxxxxxx encrypted privilege 15

tunnel-group 11.11.11.11 type ipsec-l2l

tunnel-group 11.11.11.11 general-attributes

default-group-policy TSIPolicy


tunnel-group 11.11.11.11 ipsec-attributes

pre-shared-key *

tunnel-group 10.10.10.10 type ipsec-l2l

tunnel-group 10.10.10.10 general-attributes

default-group-policy RemotePolicy

tunnel-group 10.10.10.10 ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect http

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:fef923d5e39c88463a4148373980aea0

: end


DASS-VPN# 

abatson Tue, 12/17/2013 - 13:27

Here's something interesting. When I look up the error number on the following error, which I'm re-quoting, it doesn't seem to be an error where traffic is being dropped via an ACL; it's an error where something's being prevented by policy. Google indicates that it may be something not working properly with the NAT or no-NAT config surrounding my SRC and DST.


ASA-2-106001  Inbound TCP connection denied from 192.168.27.11/1178  to  192.168.4.160/21  flags SYN on interface  EXT-FTP

abatson Wed, 12/18/2013 - 13:15

Can someone say whether these two statements are to blame?  Which one wins out?


nat (EXT-FTP) 0 access-list FTP-no-nat

static (EXT-FTP,outside) 123.123.188.40 192.168.27.11 netmask 255.255.255.255


Jon Marshall Wed, 12/18/2013 - 13:52

In answer to your specific question, the first one wins out, which is what you want, i.e. from the 8.2 config guide:


The ASA matches real addresses to NAT commands in the following order:

1. NAT exemption (nat 0 access-list)—In order, until the first match. Identity NAT is not included in this category; it is included in the regular static NAT or regular NAT category. We do not recommend overlapping addresses in NAT exemption statements because unexpected results can occur.

2. Static NAT and Static PAT (regular and policy) (static)—In order, until the first match. Static identity NAT is included in this category.

3. Policy dynamic NAT (nat access-list)—In order, until the first match. Overlapping addresses are allowed.

4. Regular dynamic NAT (nat)—Best match. Regular identity NAT is included in this category. The order of the NAT commands does not matter; the NAT statement that best matches the real address is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an interface. If you want to translate a subset of your network (10.1.1.1) to a different address, then you can create a statement to translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the real address best. We do not recommend using overlapping statements; they use more memory and can slow the performance of the ASA.

So your NAT exemption is the first in the list so it should be working.


I can't see anything wrong with your config. Do the hosts in the EXT-FTP subnet need to talk to any other subnets other than outside? I ask because a quick test may be to remove the ACL and retest. The VPN is accessible via the outside interface, so traffic will be allowed without an ACL for that, but obviously not to any interface with a higher security level.


Jon

abatson Thu, 12/19/2013 - 06:00

@jon.marshal -- the EXT-FTP hosts need to talk to the "inside" and 'LEO-GEO_LUT' segments. I was thinking of removing the ACL protecting the EXT-FTP subnet & testing... Another posting on another site said that I need to use the 'same-security-traffic' commands as a work-around, because there's a bug with 8.3 that might also be affecting my 8.2(1) OS, in not allowing this traffic to move. So maybe we're looking at, "the config is fine & this SHOULD work...." --but there's a bug that requires a work-around.

Jon Marshall Thu, 12/19/2013 - 06:03

So maybe we're looking at, "the config is fine & this SHOULD work...."  --but there's a bug that requires a work-around. 

It could well be. Your config looks spot on to me and I can't see why it wouldn't work. It definitely isn't the NAT statements; I think the EXT-FTP is just dropping the traffic for some reason even though you have a permit ip any any in your ACL.


Jon

abatson Thu, 12/19/2013 - 06:37

I just tried the following two commands, w/o beneficial impact.  Still get the error.


same-security-traffic permit inter-interface


same-security-traffic permit intra-interface


I bounced the IPSEC tunnel & still get the error. I'm running 8.2(1) code. The remote side is running 8.4(4)1. The remote side can reach *in* toward me thru the tunnel, but I can't reach out:


SRC: 192.168.4.160

DST:  192.168.27.11............works fine


SRC: 192.168.27.11

DST:  192.168.4.160............denied.


BTW -- found out day-before-yesterday, that this ASA has no paid SmartNet contract.   Yay.   Grassroots support for me...

abatson Thu, 12/19/2013 - 08:33

Here's the packet-tracer debug output.  It indicates an ACL-drop, but how/why/where?



DASS-VPN# $ tcp 192.168.27.11 1024 192.168.4.160 ftp detail

DASS-VPN# packet-tracer input EXT-FTP tcp 192.168.27.11 1024 192.168.4.160 ftp$


Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xc97893c0, priority=1, domain=permit, deny=false

        hits=1748609, user_data=0x0, cs_id=0x0, l3_type=0x8

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0000.0000.0000


Phase: 2

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow


Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside


Phase: 4

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group EXT-FTP-in in interface EXT-FTP

access-list EXT-FTP-in extended permit tcp host 192.168.27.11 host 192.168.4.160 eq ftp

access-list EXT-FTP-in remark allows traffic out of EXT-FTP network

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xca374b68, priority=12, domain=permit, deny=false

        hits=292, user_data=0xc78e3af0, cs_id=0x0, flags=0x0, protocol=6

        src ip=192.168.27.11, mask=255.255.255.255, port=0

        dst ip=192.168.4.160, mask=255.255.255.255, port=21, dscp=0x0


Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xc978bbd0, priority=0, domain=permit-ip-option, deny=true

        hits=61409, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0


Phase: 6

Type: INSPECT

Subtype: inspect-ftp

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect ftp

service-policy global_policy global

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xca101648, priority=70, domain=inspect-ftp, deny=false

        hits=623, user_data=0xca1001d8, cs_id=0x0, use_real_addr, flags=0x0, protocol=6

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=21, dscp=0x0


Phase: 7

Type: NAT-EXEMPT

Subtype:

Result: ALLOW

Config:

  match ip EXT-FTP 192.168.27.0 255.255.255.0 outside host 192.168.4.160

    NAT exempt

    translate_hits = 589, untranslate_hits = 5

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xca355a68, priority=6, domain=nat-exempt, deny=false

        hits=589, user_data=0xca3559a8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip=192.168.27.0, mask=255.255.255.0, port=0

        dst ip=192.168.4.160, mask=255.255.255.255, port=0, dscp=0x0


Phase: 8

Type: NAT

Subtype:

Result: ALLOW

Config:

static (EXT-FTP,outside) 123.123.188.40 192.168.27.11 netmask 255.255.255.255

  match ip EXT-FTP host 192.168.27.11 outside any

    static translation to 123.123.188.40

    translate_hits = 4341, untranslate_hits = 101896

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xca373470, priority=5, domain=nat, deny=false

        hits=6664, user_data=0xca34e4e0, cs_id=0x0, flags=0x0, protocol=0

        src ip=192.168.27.11, mask=255.255.255.255, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0


Phase: 9

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (EXT-FTP,outside) 123.123.188.40 192.168.27.11 netmask 255.255.255.255

  match ip EXT-FTP host 192.168.27.11 outside any

    static translation to 123.123.188.40

    translate_hits = 4341, untranslate_hits = 101896

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xca107068, priority=5, domain=host, deny=false

        hits=63395, user_data=0xca34e4e0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=192.168.27.11, mask=255.255.255.255, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0


Phase: 10

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xca345cf0, priority=0, domain=host-limit, deny=false

        hits=6824, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0


Phase: 11

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0xca2a0f88, priority=70, domain=encrypt, deny=false

        hits=2, user_data=0xb27af5c, cs_id=0xc9677ef0, reverse, flags=0x0, protocol=0

        src ip=192.168.27.11, mask=255.255.255.255, port=0

        dst ip=192.168.4.160, mask=255.255.255.255, port=0, dscp=0x0


Phase: 12

Type: ACCESS-LIST

Subtype: ipsec-user

Result: DROP

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0xc96b8a10, priority=69, domain=ipsec-user, deny=true

        hits=2, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

        src ip=192.168.27.11, mask=255.255.255.255, port=0

        dst ip=192.168.4.160, mask=255.255.255.255, port=0, dscp=0x0


Result:

input-interface: EXT-FTP

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Jon Marshall Thu, 12/19/2013 - 10:07

Can you post config for the remote side ?


Jon

abatson Thu, 12/19/2013 - 10:18

The remote-side config is controlled by another company, and they won't be sharing any of their config, unfortunately, BUT:


I removed the line indicated below, and it works now. I put it back in, and it breaks... I got desperate and put the flow into "Remote_vpn_filter" in both directions, in case I had it wrong, and that still didn't fix it. I don't know WHY this fixed it, but it did...



group-policy RemotePolicy internal

group-policy RemotePolicy attributes

vpn-filter value Remote_vpn_filter <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

vpn-tunnel-protocol IPSec



ACL is:

access-list Remote_vpn_filter line 1 extended permit tcp host 192.168.4.160 host 192.168.28.74 eq ftp (hitcnt=1) 0x5b469ada

access-list Remote_vpn_filter line 2 extended permit tcp host 192.168.4.160 host 192.168.27.11 eq ftp (hitcnt=5) 0xcb381146

access-list Remote_vpn_filter line 3 extended permit tcp host 192.168.28.74 host 192.168.4.160 eq ftp (hitcnt=0) 0xbf735660

access-list usmcc_vpn_filter line 4 extended permit tcp host 192.168.27.11 host 192.168.4.160 eq ftp (hitcnt=0) 0x14cdd13d

Jon Marshall Thu, 12/19/2013 - 10:23

access-list Remote_vpn_filter line 1 extended permit tcp host 192.168.4.160 host 192.168.28.74 eq ftp (hitcnt=1) 0x5b469ada

access-list Remote_vpn_filter line 2 extended permit tcp host 192.168.4.160 host 192.168.27.11 eq ftp (hitcnt=5) 0xcb381146

access-list Remote_vpn_filter line 3 extended permit tcp host 192.168.28.74 host 192.168.4.160 eq ftp (hitcnt=0) 0xbf735660

access-list usmcc_vpn_filter line 4 extended permit tcp host 192.168.27.11 host 192.168.4.160 eq ftp (hitcnt=0) 0x14cdd13d

Is that last line a typo, i.e. it references a completely different ACL?


Jon

abatson Thu, 12/19/2013 - 10:30

Oops.. you caught me... 'usmcc_vpn_filter' is the actual un-cleansed name. For the sake of consistency, all the ACL lines in the above comment should read "Remote_vpn_filter".

Jon Marshall Thu, 12/19/2013 - 10:50

edited

Jon Marshall Thu, 12/19/2013 - 10:52

Have a read of this thread -


https://supportforums.cisco.com/thread/2074626


It seems as though you should be able to use a vpn filter at just one end with the correct config, i.e.


access-list remote permit tcp host 192.168.4.160 host 192.168.27.11 eq ftp

access-list remote permit tcp host 192.168.4.160 eq ftp host 192.168.27.11 


but that thread seems to be suggesting you need to configure both peers with equivalent vpn filters. So the above doesn't work.


Interestingly, the vpn filter was originally only used for remote access VPNs, so they may not be the best solution; see the last post in the thread above.


Jon    
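An ASA vpn-filter is matched on the remote-to-local view of every tunnel flow (peer side as source, local side as destination) whichever end opened the connection, which is why Jon's second line above carries eq ftp on the source side. The Python model below is an added example, not code from the thread or from Cisco; it assumes that documented matching behaviour and replays the thread's two FTP flows through the filter lines abatson posted (line 4 renamed to Remote_vpn_filter, as he noted), with and without the source-port line.

```python
# Added example (not code from the thread or from Cisco): a model of how the
# ASA checks a vpn-filter ACL. Assumes the documented semantics: the ACL is
# written remote -> local (peer side as source, local side as destination) and
# every tunnel flow is matched in that orientation, whichever side opened it.
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"ftp": 21, "https": 443, "ssh": 22}   # keywords used on the page

@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]

def _endpoint(tokens):
    """Consume 'host A' | 'any' | 'A MASK', then an optional 'eq PORT'."""
    if tokens[0] == "host":
        net, tokens = ipaddress.ip_network(tokens[1]), tokens[2:]
    elif tokens[0] == "any":
        net, tokens = ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    else:
        net, tokens = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]
    port = None
    if tokens and tokens[0] == "eq":
        port, tokens = PORT_NAMES.get(tokens[1]) or int(tokens[1]), tokens[2:]
    return net, port, tokens

def parse_acl(text):
    """Parse 'access-list NAME [line N] [extended] ACTION PROTO SRC DST' lines;
    trailing 'show access-list' hit counters are ignored."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()[2:]                      # drop 'access-list NAME'
        if t[0] == "line":
            t = t[2:]
        if t[0] == "extended":
            t = t[1:]
        if t[0] == "remark":
            continue
        src, sport, rest = _endpoint(t[2:])
        dst, dport, _ = _endpoint(rest)
        rules.append(Rule(t[0], t[1], src, sport, dst, dport))
    return rules

def _matches(r, proto, src, sport, dst, dport):
    return (r.proto in ("ip", proto)
            and ipaddress.ip_address(src) in r.src
            and (r.sport is None or r.sport == sport)
            and ipaddress.ip_address(dst) in r.dst
            and (r.dport is None or r.dport == dport))

def vpn_filter_allows(rules, proto, local, lport, remote, rport):
    """First match wins. The tuple handed to the ACL is always
    (remote, rport, local, lport), so the well-known port of a connection the
    local host opens towards the peer shows up as the *source* port."""
    view = (remote, rport, local, lport)
    for r in rules:
        if _matches(r, proto, *view):
            return r.action == "permit"
    return False                                  # implicit deny at the end

# The filter as posted (line 4 renamed Remote_vpn_filter, as abatson said it
# should read) and, separately, Jon's line with 'eq ftp' on the remote side.
POSTED_FILTER = """
access-list Remote_vpn_filter line 1 extended permit tcp host 192.168.4.160 host 192.168.28.74 eq ftp
access-list Remote_vpn_filter line 2 extended permit tcp host 192.168.4.160 host 192.168.27.11 eq ftp
access-list Remote_vpn_filter line 3 extended permit tcp host 192.168.28.74 host 192.168.4.160 eq ftp
access-list Remote_vpn_filter line 4 extended permit tcp host 192.168.27.11 host 192.168.4.160 eq ftp
"""
SOURCE_PORT_LINE = "access-list Remote_vpn_filter extended permit tcp host 192.168.4.160 eq ftp host 192.168.27.11\n"

def check_thread_flows(acl_text):
    """The two flows from the thread: peer 192.168.4.160 opening FTP to
    192.168.27.11 (works) and 192.168.27.11 opening FTP to the peer (denied)."""
    rules = parse_acl(acl_text)
    return {
        "remote_to_local": vpn_filter_allows(rules, "tcp", "192.168.27.11", 21, "192.168.4.160", 4467),
        "local_to_remote": vpn_filter_allows(rules, "tcp", "192.168.27.11", 1024, "192.168.4.160", 21),
    }

if __name__ == "__main__":
    print("as posted:       ", check_thread_flows(POSTED_FILTER))
    print("with source port:", check_thread_flows(POSTED_FILTER + SOURCE_PORT_LINE))
```

Line 4 of the posted filter never matches because its source is the local host, which mirrors the hitcnt=0 shown for it in the thread; only a line whose source is the peer with the FTP port on that side admits the locally initiated connection.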
