Cisco Support Community

New Member

ASA 5505 pinhole to device between site to site VPN.

How do you open up a pinhole using port 3001 to devices with a site-to-site VPN?

33 REPLIES

Re: ASA 5505 pinhole to device between site to site VPN.

Expand on your question please?

New Member

Re: ASA 5505 pinhole to device between site to site VPN.

I have a site-to-site VPN. I have a device in one location and the software in the other, and they need to interchange on port 3001. I haven't been able to figure out how to get both the device and the software to communicate.

Re: ASA 5505 pinhole to device between site to site VPN.

OK - with that in mind, can you answer:-

1) From the remote end, can you ping the "device"?

2) From a computer that is running the software can it ping the "device" ?

3) Can the "device" ping the remote computer trying to access the software?

4) Do you control both ends of the VPN tunnel?

5) Are you blocking traffic at one end or both ends?

New Member

Re: ASA 5505 pinhole to device between site to site VPN.

1) I can ping the device on the inside of one end but not the other.

2) I can't ping the device across the tunnel at all.

3) I can control both ends of the tunnel.

Re: ASA 5505 pinhole to device between site to site VPN.

Basic connectivity is your first issue. Post both ends' configs for review, with sensitive information removed.

Cisco Employee

Re: ASA 5505 pinhole to device between site to site VPN.

You mean you want hosts in site1 to be able to talk to hosts in site2 on port 3001 through the site2site VPN?

In that case you need to make sure that this port is included in the crypto-map ACL, of course, so it goes encrypted, and also, if you have ACLs blocking that port on the inside of the sites, open those up.

I hope it helps.

PK
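The configuration PK describes, written out as an added example for the tunnel the thread eventually settles on: ciscoasa (outside 65.82.224.50, inside 192.168.1.0/24) to Morgan City (inside 192.168.3.0/24, peer 74.165.244.10, which the poster's show output names MorganCityPublic). This is not config from the thread. The ACL, crypto map and name aliases are the ones in the poster's output; the device address 192.168.3.20 and the names L2L_MORGANCITY and L2L_MORGANCITY_FILTER are assumptions; the client 192.168.1.5 is the address the poster gave. NAT is in the pre-8.3 "nat 0" form, matching the nat0 ACLs on the page.

```cisco
! ciscoasa: outside 65.82.224.50, inside 192.168.1.0/24 (names as in the posted config)
!
! 1. Interesting traffic. Keep the crypto ACL at subnet granularity and keep
!    port numbers out of it: the peer's crypto ACL must mirror it exactly or
!    the phase 2 proxy IDs will not match and no IPsec SA is built.
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 MorganCity-inside 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer MorganCityPublic
!
! 2. NAT exemption (pre-8.3 syntax, as on the posted config) so the tunnelled
!    traffic is not translated to the outside address before encryption.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 MorganCity-inside 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! 3. The pinhole. With "sysopt connection permit-vpn" (the ASA default), traffic
!    that arrives through the tunnel bypasses the outside interface ACL, so a
!    vpn-filter on the tunnel's group-policy is where the restriction goes.
!    vpn-filter ACLs are written remote -> local and are applied to both directions.
!    192.168.3.20 is an ASSUMED address for the device; 192.168.1.5 is the client.
!    Keep whichever tcp line matches the direction your software connects in.
access-list L2L_MORGANCITY_FILTER extended permit tcp host 192.168.3.20 eq 3001 host 192.168.1.5
access-list L2L_MORGANCITY_FILTER extended permit tcp host 192.168.3.20 host 192.168.1.5 eq 3001
access-list L2L_MORGANCITY_FILTER extended permit icmp 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list L2L_MORGANCITY_FILTER remark implicit deny: nothing else crosses this tunnel
!
group-policy L2L_MORGANCITY internal
group-policy L2L_MORGANCITY attributes
 vpn-filter value L2L_MORGANCITY_FILTER
!
! The LAN-to-LAN tunnel-group is named by the peer address (MorganCityPublic is
! 74.165.244.10 in the poster's show output). Everything not set here is
! inherited from DfltGrpPolicy.
tunnel-group 74.165.244.10 general-attributes
 default-group-policy L2L_MORGANCITY
```

Two things worth checking against the configs posted in this thread. First, both sides carry `inside_access_in permit ip any any` and crypto ACLs that permit `ip` between whole /24s, so once the tunnel is up nothing on either box limits what crosses it; the vpn-filter is what turns that into a pinhole for one host pair on tcp/3001. Second, `outside_access_in` never sees tunnelled traffic while `sysopt connection permit-vpn` is in effect, so adding a port 3001 line there does nothing. `no sysopt connection permit-vpn` would make decrypted traffic subject to the outside ACL instead, but that changes the behaviour of every tunnel and remote-access group on the box at once, so the per-tunnel vpn-filter is the safer control point. The Morgan City ASA should carry the same filter written from its own perspective (remote is 192.168.1.5, local is the device), so that neither side depends on the other for enforcement.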

New Member

Re: ASA 5505 pinhole to device between site to site VPN.

That helps, but I'm new at this. Can you explain how to set up those actions?

New Member

Re: ASA 5505 pinhole to device between site to site VPN.

If you would like a copy of the running configs I can provide one.

Re: ASA 5505 pinhole to device between site to site VPN.

Yes please

New Member

Re: ASA 5505 pinhole to device between site to site VPN.

One Side:

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 65.82.224.50 255.255.255.248
!
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 MorganCity-inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 MorganCity-inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 Thibodaux-inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 EBA_Inside 255.255.255.0
access-list inside_nat0_outbound remark For remote access clients
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 65.82.224.50 host MorganCityPublic
access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 Thibodaux-inside 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.1.0 255.255.255.0 EBA_Inside 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any
access-list MUVPN_SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list split standard permit 192.168.1.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list SNC_splitTunnelAcl standard permit any
access-list outside_nat0_outbound_3 extended permit ip 192.168.1.0 255.255.255.0 any
access-list outside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 any
access-list outside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 any
access-list outside_nat0_outbound_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Local_LAN_Access standard permit host 0.0.0.0

New Member

Re: ASA 5505 pinhole to device between site to site VPN.

Second Side:

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 65.82.227.138 255.255.255.248
!
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 EBA_Internal 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 192.168.2.0 192.168.7.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.4.5.0 255.255.255.224
access-list outside_2_cryptomap extended permit ip 192.168.2.0 255.255.255.0 EBA_Internal 255.255.255.0
access-list outside_6_cryptomap extended permit ip host 192.168.2.60 192.168.7.0 255.255.255.0
access-list outside_cryptomap_6 extended permit ip host 192.168.2.60 host 192.168.11.1
access-list outside_cryptomap_4 extended permit ip host 192.168.2.60 host 192.168.11.1
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list inside_access_in_1 extended permit ip any any
access-list inside_access_in_1 extended permit icmp any any
access-list Mobile_splitTunnelAcl standard permit any
access-list outside_3_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

Re: ASA 5505 pinhole to device between site to site VPN.

Can you post the crypto config and the NAT config? And can you put them in text files; much easier to read.

Now what IP is the "device" and what IP is the computer trying to access the device?

New Member

Re: ASA 5505 pinhole to device between site to site VPN.

The "device" IP is 192.168.2.20 and the computer IP is 192.168.1.5

Re: ASA 5505 pinhole to device between site to site VPN.

I believe your configs look fine. You are permitting IP on the tunnel, so that should take care of your interesting traffic on the tunnel. Can you ping the hosts from the PIXs?

New Member

Re: ASA 5505 pinhole to device between site to site VPN.

I can only ping the devices from the ASA side not across the tunnel.

Re: ASA 5505 pinhole to device between site to site VPN.

Can you do "show crypto ipsec sa" on both PIXs and upload the output?

New Member

Re: ASA 5505 pinhole to device between site to site VPN.

Can do.

New Member

Re: ASA 5505 pinhole to device between site to site VPN.

Here are the results.

Re: ASA 5505 pinhole to device between site to site VPN.

You have no IPsec session from side 2 to side 1.

Clear the crypto session on side 1:

clear crypto ipsec sa peer 65.82.227.138

Then try to ping from side 2 to side 1.

Re: ASA 5505 pinhole to device between site to site VPN.

The tunnel from ciscoasa to ciscoasa2 is up; the tunnel is built. See below...

Crypto map tag: outside_map, seq num: 2, local addr: 65.82.224.50
 access-list outside_2_cryptomap permit ip 192.168.1.0 255.255.255.0 Thibodaux-inside 255.255.255.0
 local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
 remote ident (addr/mask/prot/port): (Thibodaux-inside/255.255.255.0/0/0)
 current_peer: 65.82.227.138
 #pkts encaps: 70966519, #pkts encrypt: 70970711, #pkts digest: 70970711
 #pkts decaps: 58306128, #pkts decrypt: 58306128, #pkts verify: 58306128
 #pkts compressed: 0, #pkts decompressed: 0
 #pkts not compressed: 70966519, #pkts comp failed: 0, #pkts decomp failed: 0
 #pre-frag successes: 4192, #pre-frag failures: 0, #fragments created: 8384
 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 13619
 #send errors: 0, #recv errors: 0
 local crypto endpt.: 65.82.224.50, remote crypto endpt.: 65.82.227.138

Do you have the output from ciscoasa2 to ciscoasa? I can't see it! Unless I am going blind!!!

New Member

Re: ASA 5505 pinhole to device between site to site VPN.

They were in two different notepads.

New Member

Re: ASA 5505 pinhole to device between site to site VPN.

Sorry here is the one for the other ASA. However I'm not having the trouble with this one.

Re: ASA 5505 pinhole to device between site to site VPN.

OK. I am confused. I thought the IPsec problem is between 65.82.227.138 (ciscoasa2) and 65.82.224.50 (ciscoasa). Is that not so?

Re: ASA 5505 pinhole to device between site to site VPN.

Which device is 74.165.244.10?

New Member

Re: ASA 5505 pinhole to device between site to site VPN.

There are three ASAs, all with site-to-site VPN tunnels. The IPsec tunnel is between the 65.x.x.x ones. The 74.x.x.x is the one in which I need to get the pinholes put in.

New Member

Re: ASA 5505 pinhole to device between site to site VPN.

Morgan City inside (192.168.3.1)

Re: ASA 5505 pinhole to device between site to site VPN.

Earlier you mentioned the problem is communication between the 192.168.2.0 and 192.168.1.0 subnets on port 3001 over the IPsec tunnel between 65.82.224.50 -> 65.85.227.138!!

Kevin, for clarity, please explain what exactly the problem is.

Thanks,

Francisco

New Member

Re: ASA 5505 pinhole to device between site to site VPN.

I'm sorry Francisco the problem lies between subnets 192.168.3.0/24 & 192.168.1.0/24 on port 3001.

Re: ASA 5505 pinhole to device between site to site VPN.

Your tunnel is up. Can you ping the inside interfaces from both firewalls through the tunnel? For example, ping 192.168.1.1 (select the outside interface).

Crypto map tag: outside_map, seq num: 1, local addr: 65.82.224.50
 access-list outside_1_cryptomap permit ip 192.168.1.0 255.255.255.0 MorganCity-inside 255.255.255.0
 local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
 remote ident (addr/mask/prot/port): (MorganCity-inside/255.255.255.0/0/0)
 current_peer: MorganCityPublic
 #pkts encaps: 22361951, #pkts encrypt: 22361955, #pkts digest: 22361955
 #pkts decaps: 17685532, #pkts decrypt: 17685532, #pkts verify: 17685532

Crypto map tag: outside_map, seq num: 1, local addr: 74.165.244.10
 access-list outside_1_cryptomap permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
 local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
 remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
 current_peer: 65.82.224.50
 #pkts encaps: 5499955, #pkts encrypt: 5499955, #pkts digest: 5499955
 #pkts decaps: 6493468, #pkts decrypt: 6493468, #pkts verify: 6493468
 #pkts compressed: 0, #pkts decompressed: 0

Also:

Can you do "debug crypto ipsec" and "debug crypto engine", and finally "clear crypto ipsec sa"?

After clearing the crypto IPsec SA, if it doesn't work, send me the debug output.

Are your hosts sitting behind the ASAs connected to a switch? Can the ASAs ping your hosts?
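The checks this thread walks through (show crypto ipsec sa, clearing the SA, pinging across the tunnel, debugs), collected as an added example to run on ciscoasa for the Morgan City tunnel. This is not the poster's output or commands. It assumes the device is at 192.168.3.20 (the page only gives the Morgan City inside subnet) and that the client is 192.168.1.5; the peer 74.165.244.10 is the address in the poster's show output.

```cisco
! Run on ciscoasa (65.82.224.50). 192.168.3.20 is an ASSUMED address for the device.
!
! 1. Is the tunnel to Morgan City up? Phase 1 first, then the phase 2 SA for
!    that peer only. An SA whose local/remote ident covers 192.168.1.0/24 and
!    192.168.3.0/24 but whose decaps counter never moves means the far side is
!    not sending back: check its mirror crypto ACL, its nat0 ACL, and the
!    device's default gateway on that side.
show crypto isakmp sa
show crypto ipsec sa peer 74.165.244.10
!
! 2. Walk one synthetic tcp/3001 packet through the inside ACL, NAT exemption,
!    crypto map match and any vpn-filter. The trace names the phase that drops
!    it, which is faster than reading the ACLs by hand.
packet-tracer input inside tcp 192.168.1.5 40000 192.168.3.20 3001 detailed
!
! 3. Prove the device is actually answering: capture the flow on the inside
!    interface while the software connects, then look for SYN/ACKs coming back.
!    The "match" form captures both directions of the flow.
capture PINHOLE interface inside match tcp host 192.168.1.5 host 192.168.3.20 eq 3001
show capture PINHOLE
no capture PINHOLE
!
! 4. After changing the crypto ACL or a vpn-filter, rebuild phase 2 for this
!    peer only rather than clearing every tunnel on the box.
clear crypto ipsec sa peer 74.165.244.10
!
! 5. Only if the SA will not come back up: debugs, then turn them off again.
debug crypto isakmp 127
debug crypto ipsec 127
undebug all
```

Read the two ident lines before the counters: if the SA that exists is for a different pair of subnets than the one the pinhole needs (this thread spent a dozen posts on the 192.168.2.0 tunnel before the poster said the problem was 192.168.3.0), the port was never the issue. A ping from the ASA itself does not test the same path as a host behind it; `ping` sourced from the inside interface exercises the crypto ACL only if the interface address is inside the interesting-traffic ACL, which is why the advice above is to select the outside interface and ping the far inside address.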
