Cisco Support Community

New Member

ipsec access rule - remove entry leads to deny

We have an IPsec L2L tunnel with an access rule. At first we had entries with host/port based permits, but we switched to permitting the whole network and doing the access control on the outgoing interface of the source network. When we remove those host/port based entries, these connections won't work any more. Everything else does. Also the packet-tracer says everything works fine and I can see the TX packet counter of the tunnel connection rising, but the packets never arrive at the other side.

 

So, actually it works with the config posted below, but we want to get rid of these 3 host/port based entries, especially since they are covered by the network based entry. But if we remove them, the packets are going somewhere.

Does anyone have an idea where this strange behaviour comes from?

 

Crypto Map:

crypto map outside_if 15 match address IPsec
crypto map outside_if 15 set pfs group5
crypto map outside_if 15 set peer IPsec.peer
crypto map outside_if 15 set transform-set AES256-SHA
crypto map outside_if 15 set security-association lifetime seconds 3600
crypto map outside_if interface outside_sdsl

Access Rule:

Host/Port Based

access-list IPsec line 1 extended permit object-group FTP object-group INTEGRATION-ADMIN-SERVER object-group DMS02-SERVER
access-list IPsec line 1 extended permit tcp host 10.0.3.210 host 10.10.237.20 eq ftp (hitcnt=46)
access-list IPsec line 1 extended permit tcp host 10.0.3.211 host 10.10.237.20 eq ftp (hitcnt=0)
access-list IPsec line 1 extended permit tcp host 10.0.3.210 host 10.10.237.20 eq ftp-data (hitcnt=0)
access-list IPsec line 1 extended permit tcp host 10.0.3.211 host 10.10.237.20 eq ftp-data (hitcnt=0)
access-list IPsec line 2 extended permit object-group ACTIVEMQ object-group INTEGRATION-ADMIN-SERVER object-group DMS02-SERVER
access-list IPsec line 2 extended permit tcp host 10.0.3.210 host 10.10.237.20 eq 61616 (hitcnt=146)
access-list IPsec line 2 extended permit tcp host 10.0.3.211 host 10.10.237.20 eq 61616 (hitcnt=0)
access-list IPsec line 3 extended permit object-group ORACLE object-group INTEGRATION-ADMIN-SERVER object-group EASYNET-DB01-SERVER
access-list IPsec line 3 extended permit tcp host 10.0.3.210 host 10.10.238.30 eq sqlnet (hitcnt=0)
access-list IPsec line 3 extended permit tcp host 10.0.3.211 host 10.10.238.30 eq sqlnet (hitcnt=0)

Network Based
access-list IPsec line 4 extended permit ip 10.0.1.0 255.255.255.0 object-group IPSEC-NETWORKS
access-list IPsec line 4 extended permit ip 10.0.1.0 255.255.255.0 10.10.236.0 255.255.254.0 (hitcnt=145)
access-list IPsec line 4 extended permit ip 10.0.1.0 255.255.255.0 10.10.238.0 255.255.255.0 (hitcnt=0)
access-list IPsec line 5 extended permit ip 10.0.2.0 255.255.255.0 object-group IPSEC-NETWORKS
access-list IPsec line 5 extended permit ip 10.0.2.0 255.255.255.0 10.10.236.0 255.255.254.0 (hitcnt=17)
access-list IPsec line 5 extended permit ip 10.0.2.0 255.255.255.0 10.10.238.0 255.255.255.0 (hitcnt=0)
access-list IPsec line 6 extended permit ip 10.0.3.0 255.255.255.0 object-group IPSEC-NETWORKS
access-list IPsec line 6 extended permit ip 10.0.3.0 255.255.255.0 10.10.236.0 255.255.254.0 (hitcnt=39)
access-list IPsec line 6 extended permit ip 10.0.3.0 255.255.255.0 10.10.238.0 255.255.255.0 (hitcnt=0)

Packet-Tracer:

fw1# packet-tracer input srv_idstg tcp 10.0.3.210 12344  10.10.237.20 61616

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.10.0.0       255.255.0.0     outside_sdsl

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group server_idstg_access_in in interface srv_idstg
access-list server_idstg_access_in extended permit object-group ACTIVEMQ object-group INTEGRATION-ADMIN-SERVER object-group DMS02-SERVER
access-list server_idstg_access_in remark Allow Admin Server access to FTP on dms02-Server
object-group service ACTIVEMQ
 service-object tcp eq 61616
object-group network INTEGRATION-ADMIN-SERVER
 network-object host 10.0.3.210
 network-object host 10.0.3.211
object-group network DMS02-SERVER
 network-object host 10.10.237.20
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat (srv_idstg) 0 access-list 101
  match ip srv_idstg any outside_sdsl 10.10.236.0 255.255.254.0
    NAT exempt
    translate_hits = 4600, untranslate_hits = 18
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (srv_idstg) 1 10.0.3.0 255.255.255.0
  match ip srv_idstg 10.0.3.0 255.255.255.0 outside_sdsl any
    dynamic translation to pool 1 (62.245.144.146 [Interface PAT])
    translate_hits = 45, untranslate_hits = 0
Additional Information:

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (srv_idstg) 1 10.0.3.0 255.255.255.0
  match ip srv_idstg 10.0.3.0 255.255.255.0 inside_guest any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4482375, packet dispatched to next module

Result:
input-interface: srv_idstg
input-status: up
input-line-status: up
output-interface: outside_sdsl
output-status: up
output-line-status: up
Action: allow

System Information:

Cisco ASA 5510

Cisco Adaptive Security Appliance Software Version 8.0(3)
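As an added check (not part of the original post or of any Cisco tool), the script below parses the expanded `show access-list` entries quoted above and answers the two questions the post raises: which host/port entries are fully contained in a broader network-to-network entry, and which entry a given flow hits under first-match evaluation, before and after the host/port entries are removed. It assumes the ASA service names resolve to the IANA ports (ftp=21, ftp-data=20, sqlnet=1521); the ACL text is copied from the post with the object-group summary lines left out, since the ASA evaluates the expanded entries. Running it shows every entry on lines 1 to 3 covered by an entry on line 6, and the packet-tracer flow (10.0.3.210 to 10.10.237.20 port 61616) hitting line 2 with the full list and line 6 without the host/port entries. A crypto ACL match only selects traffic for encryption, so a correct match on either side does not by itself explain the missing packets; as the reply below says, the fix here turned out to be a software upgrade.

```python
"""Added example: find ASA crypto ACL entries that a broader entry already
covers, and which entry a flow hits. Input is 'show access-list' expansion text."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# ASA prints well-known services by name; these are the IANA assignments
# (an assumption of this example, the page does not show the numbers).
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "sqlnet": 1521}

# Expanded entries copied from the post; summary lines without hitcnt are omitted.
SHOW_ACL = """
access-list IPsec line 1 extended permit tcp host 10.0.3.210 host 10.10.237.20 eq ftp (hitcnt=46)
access-list IPsec line 1 extended permit tcp host 10.0.3.211 host 10.10.237.20 eq ftp (hitcnt=0)
access-list IPsec line 1 extended permit tcp host 10.0.3.210 host 10.10.237.20 eq ftp-data (hitcnt=0)
access-list IPsec line 1 extended permit tcp host 10.0.3.211 host 10.10.237.20 eq ftp-data (hitcnt=0)
access-list IPsec line 2 extended permit tcp host 10.0.3.210 host 10.10.237.20 eq 61616 (hitcnt=146)
access-list IPsec line 2 extended permit tcp host 10.0.3.211 host 10.10.237.20 eq 61616 (hitcnt=0)
access-list IPsec line 3 extended permit tcp host 10.0.3.210 host 10.10.238.30 eq sqlnet (hitcnt=0)
access-list IPsec line 3 extended permit tcp host 10.0.3.211 host 10.10.238.30 eq sqlnet (hitcnt=0)
access-list IPsec line 4 extended permit ip 10.0.1.0 255.255.255.0 10.10.236.0 255.255.254.0 (hitcnt=145)
access-list IPsec line 4 extended permit ip 10.0.1.0 255.255.255.0 10.10.238.0 255.255.255.0 (hitcnt=0)
access-list IPsec line 5 extended permit ip 10.0.2.0 255.255.255.0 10.10.236.0 255.255.254.0 (hitcnt=17)
access-list IPsec line 5 extended permit ip 10.0.2.0 255.255.255.0 10.10.238.0 255.255.255.0 (hitcnt=0)
access-list IPsec line 6 extended permit ip 10.0.3.0 255.255.255.0 10.10.236.0 255.255.254.0 (hitcnt=39)
access-list IPsec line 6 extended permit ip 10.0.3.0 255.255.255.0 10.10.238.0 255.255.255.0 (hitcnt=0)
"""

ACE_RE = re.compile(
    r"access-list (?P<acl>\S+) line (?P<line>\d+) extended (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<src>any|\S+ \S+) (?P<dst>any|\S+ \S+)"
    r"(?: eq (?P<port>\S+))? \(hitcnt=(?P<hits>\d+)\)"
)


@dataclass
class Ace:
    line: int            # ASA 'line N'; shared by all expansions of one object-group entry
    action: str
    proto: str           # 'ip', 'tcp', 'udp', ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None means any destination port
    hits: int


def parse_net(text: str) -> ipaddress.IPv4Network:
    """'any', 'host A.B.C.D' or 'A.B.C.D MASK' -> IPv4Network."""
    if text == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    kind, value = text.split()
    if kind == "host":
        return ipaddress.ip_network(f"{value}/32")
    return ipaddress.ip_network(f"{kind}/{value}")  # ipaddress accepts dotted masks


def parse_port(text: Optional[str]) -> Optional[int]:
    if text is None:
        return None
    return int(text) if text.isdigit() else PORT_NAMES[text]


def parse_acl(show_output: str) -> List[Ace]:
    aces = []
    for raw in show_output.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:  # summary and remark lines carry no hitcnt and are skipped
            aces.append(Ace(int(m["line"]), m["action"], m["proto"],
                            parse_net(m["src"]), parse_net(m["dst"]),
                            parse_port(m["port"]), int(m["hits"])))
    return aces


def ace_matches(ace: Ace, proto: str, src: str, dst: str, dport: int) -> bool:
    if ace.proto not in ("ip", proto):
        return False
    if ipaddress.ip_address(src) not in ace.src or ipaddress.ip_address(dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == dport


def first_match(aces: List[Ace], proto: str, src: str, dst: str, dport: int) -> Optional[Ace]:
    """First-match semantics, in the order the ASA evaluates the list."""
    return next((a for a in aces if ace_matches(a, proto, src, dst, dport)), None)


def covering_aces(ace: Ace, aces: List[Ace]) -> List[Ace]:
    """Other permit entries whose proto/src/dst/port space fully contains this one."""
    return [o for o in aces
            if o is not ace and o.action == ace.action == "permit"
            and o.proto in ("ip", ace.proto)
            and o.src.supernet_of(ace.src) and o.dst.supernet_of(ace.dst)
            and (o.dport is None or o.dport == ace.dport)]


def redundant_entries(aces: List[Ace]) -> List[Ace]:
    return [a for a in aces if covering_aces(a, aces)]


if __name__ == "__main__":
    aces = parse_acl(SHOW_ACL)
    for a in redundant_entries(aces):
        by = sorted({c.line for c in covering_aces(a, aces)})
        print(f"line {a.line} {a.proto} {a.src} -> {a.dst} port {a.dport}: covered by line(s) {by}")
    hit = first_match(aces, "tcp", "10.0.3.210", "10.10.237.20", 61616)
    print("packet-tracer flow hits line", hit.line if hit else None)
```

The coverage test is deliberately strict (the covering entry must contain the whole source, destination and port space, not just the one flow being debugged), so an entry reported as redundant can be deleted without changing which flows the crypto map selects for encryption.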

 

2 REPLIES
New Member

resolved by Firmware Upgrade

Hall of Fame Super Silver

Thanks for the update. It is interesting that this problem turned out to be something in that version of software.

HTH

Rick
