Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Issue with Crypto Access-List

Hello All,

I am facing weired problem with one of our VPN tunnel. We have around 10 tunnels configured in our ASA 5520. Specific hosts are allowed in interesting traffic from both the end and are able to ping each other. But unable to telnet on some specific ports TCP/3389, TCP/53, TCP/389, TCP/445 etc. I have tried by giving IP access to crypto access-list but had no luck.

Issue got resolved after applying normal port based access-list on inside interface, which means access is working through normal access-list instead of crypto access-list. Wherein for other tunnels we have not applied any access-list on inside interface but still they are working fine.

What could be the issue? Are these ports require special access? Our OS version is 8.3(2) in which we do not required NAT 0 command for VPN tunnel.


Quick turnaround will be much appriciated.

Thanks in advance.

Amit.

Everyone's tags (2)
3 REPLIES
New Member

Re: Issue with Crypto Access-List

Hello, Amit.

Seems need add inspection trafic for

TCP/3389, TCP/53, TCP/389, TCP/445.

ASA(config)#policy-map global_policy

ASA(config-pmap)#class inspection_default

ASA(config-pmap-c)#inspect dns

ASA(config-pmap-c)#inspect ils

...

THT

New Member

Issue with Crypto Access-List

Shone,

Thanks for your reply. I have tried by enabling ils (tcp/389) port but still unable to telnet after removing access-list on inside interface. Also is there any way i can modify default globlal_policy?

Regards,

Amit.

New Member

Re: Issue with Crypto Access-List

Hi, Amit.

For inspecting your trafic, in global_policy follow this template:

class-map MYPORT

     match port tcp eq

policy-map global_policy

     class MYPORT

     inspect MYPORT

p.s.

policy-map global_policy must already exist and "service-policy global_policy global" command present in config.

HTH

550
Views
0
Helpful
3
Replies
CreatePlease to create content