L2L IPSec VPN blocks SQL (ASA v8.4)

simon.darby (Level 1)

Good evening all,

I have an ASA 5510 running 8.4(2) which has a site-to-site IPSec VPN to a 3rd party who run some form of Checkpoint. The VPN establishes and allows access to a server in our DMZ on all ports that we have tested (so far HTTP, SSL, RDP, FTP) except for SQL, which doesn't even seem to reach the server. I've got Wireshark running on the DMZ server and if the 3rd party initiates a TCP conversation from their server on any of the working ports to the server I see all of the expected packets arrive with the correct IPs etc. (no NAT takes place across the VPN), but when an ODBC client attempts to query the SQL server on our DMZ box the packets do not arrive at the server. What I can see is the RX byte count on the VPN increasing each time the query is run, but definitely no SQL arriving at the server.

Also, if I revert from the ASA back to the old PIX it has replaced, with the same VPN config but on version 7.x, then it works just fine.

Whilst I find some time to sanitise the config over the weekend I would appreciate any ideas.

Many thanks,

Simon.

16 Replies

Jeff Van Houten (Level 5)

If the receive count is increasing but the packets aren't reaching the server, it must be the ACLs.

Sent from Cisco Technical Support iPad App

The ACL for the VPN is:

access-list outside_cryptomap extended permit ip host 172.26.1.158 192.168.100.0 255.255.255.0 

This matches the other end as well. So, as you can see, all IP is allowed.

Thanks,

Simon.

ju_mobile (Level 1)

Check your global policy. I've seen similar issues and, based on the actual application, I had to enable a fixup. The weirdest one I had required the fixup for sunrpc to be enabled for the SQL queries to get through.

This is found under Firewall >> Service Policy >> Global Policy.

Sent from Cisco Technical Support iPad App

The Global Policy is as follows:

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!

I've tried disabling the sqlnet inspect and turning it on again, but no help.

Also, as the traffic is going across the VPN, should it not bypass the inspects?

Thanks for your help,

Simon.

ju_mobile (Level 1)

Hi Simon,

That ACL is for what's encrypted. What ACL do you have on the interface to allow the traffic in? Do you have 1433-1434 and 1521 in that ACL?

Sent from Cisco Technical Support iPhone App

Yes, that's right. All SQL is meant to be encrypted within the VPN tunnel. All other TCP types seem OK, but the issue is only with SQL. All the data from the 192.168.100.0 network to the 172.26.1.0 network should be within the VPN.

Thanks

Simon.

Sent from my iPhone

ju_mobile (Level 1)

The crypto map encrypts based on the "ip any" between the defined nets/hosts. Is there a matching ACL that's an any, or is the ACL tied to specific ports?

I'd recommend running a check through the ASDM packet tracer and/or a capture to try and verify. An additional ACL to permit ip any between those hosts, and then review your capture once you can see it's working.

Any options to sanitise your configuration and post?

Sent from Cisco Technical Support iPhone App
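
The packet-tracer and capture check suggested in the reply above, written out as ASA 8.4 CLI. This is an added example, not commands posted in the thread; it assumes the interface names, peer address and host addresses from the configuration posted later in the thread, and the client source port 50000 is an arbitrary value chosen for the test.

```cisco
! Added example: find where the SQL flow dies on the ASA. Assumes the posted
! config (outside/dmz interfaces, peer Y.Y.Y.2, 192.168.100.30 -> 172.26.1.158).
! The client source port 50000 is arbitrary.

! 1. Tunnel health: "#pkts decaps" should rise with each ODBC attempt and
!    "#recv errors" should stay at 0, matching the rising RX byte count.
show crypto ipsec sa peer Y.Y.Y.2

! 2. Replay the decrypted SQL SYN through the rule base. With
!    "no sysopt connection permit-vpn" and no SQL entry in outside_access, the
!    ACCESS-LIST phase reports "Result: DROP" and
!    "Drop-reason: (acl-drop) Flow is denied by configured rule".
packet-tracer input outside tcp 192.168.100.30 50000 172.26.1.158 1433 detailed

! 3. The same test for a port that already works (RDP) should end in ALLOW,
!    which isolates the difference to the ACL rather than NAT, routing or crypto.
packet-tracer input outside tcp 192.168.100.30 50000 172.26.1.158 3389 detailed

! 4. Live confirmation while the ODBC query is run from 192.168.100.30:
!    the asp-drop capture records the packets the ASA discards for ACL reasons,
!    and the dmz capture stays empty for port 1433 because nothing is forwarded.
capture sqlin interface outside match tcp host 192.168.100.30 host 172.26.1.158 eq 1433
capture sqldmz interface dmz match tcp host 192.168.100.30 host 172.26.1.158 eq 1433
capture drops type asp-drop acl-drop
show capture sqlin
show capture sqldmz
show capture drops

! 5. ACL hit counters tell the same story: no ACE in outside_access covers 1433.
show access-list outside_access

! 6. Clean up.
no capture sqlin
no capture sqldmz
no capture drops
```

Step 2 is the decisive one: it reproduces the symptom described in the opening post (decryption succeeds, so the RX counter rises, but the cleartext packet is then dropped at the interface ACL and never reaches the DMZ). Step 3 matters because a working port on the same host, same path and same tunnel rules out everything except the ACL.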

Going to sanitise at some point this weekend in between duties as a father.

I'll get it up some point today hopefully!

ju_mobile (Level 1)

LMAO indeed I know that duty well.

Sent from Cisco Technical Support iPhone App

I had forgotten he had to do his homework! 

One sanitised full config as follows. Well, it's clean enough. The endpoints are X.X.X.155 (local to me) and Y.Y.Y.2 (remote endpoint). The VPN is for access to DMZ server 172.26.1.158 from their server 192.168.100.30 and vice versa.

ASA Version 8.4(2)
!
!
interface Ethernet0/0
nameif outside
security-level 0
ip address X.X.X.155 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.50.96.254 255.255.252.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 172.26.1.1 255.255.255.0
!

interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 0
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
clock timezone GMT 0
dns server-group DefaultDNS
domain-name displayplan.net
same-security-traffic permit intra-interface
object network DMZ_33
host 172.26.1.33
description Web server
object network DMZ_158
host 172.26.1.158
object network NETWORK_OBJ_10.50.96.0_22
subnet 10.50.96.0 255.255.252.0
object network NETWORK_OBJ_192.168.192.0_25
subnet 192.168.192.0 255.255.255.128
object network 10.99.2.0_GERMANY
subnet 10.99.2.0 255.255.255.0
object network B&D_local
subnet 172.26.1.158 255.255.255.255
object network B&D_remote
subnet 192.168.100.0 255.255.255.0
object-group service DM_INLINE_TCP_0 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq 3389
access-list outside_access extended permit tcp any object DMZ_158 object-group DM_INLINE_TCP_0
access-list outside_access extended permit tcp any object DMZ_33 eq www
access-list !S2S_Group!_splitTunnelAcl standard permit 10.50.96.0 255.255.252.0
access-list SplitTunnelNetworks standard permit 10.99.2.0 255.255.255.0
access-list SplitTunnelNetworks standard permit 10.50.96.0 255.255.252.0
access-list outside_cryptomap extended permit ip host 172.26.1.158 192.168.100.0 255.255.255.0
pager lines 24
mtu outside 1452
mtu inside 1452
mtu dmz 1452
mtu management 1500

ip local pool VPN_IP_POOL 192.168.192.1-192.168.192.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (dmz,outside) source static B&D_local B&D_local destination static B&D_remote B&D_remote
nat (inside,outside) source static NETWORK_OBJ_10.50.96.0_22 NETWORK_OBJ_10.50.96.0_22 destination static NETWORK_OBJ_192.168.192.0_25 NETWORK_OBJ_192.168.192.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.50.96.0_22 NETWORK_OBJ_10.50.96.0_22 destination static 10.99.2.0_GERMANY 10.99.2.0_GERMANY no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.192.0_25 NETWORK_OBJ_192.168.192.0_25 no-proxy-arp route-lookup
!
object network DMZ_33
nat (dmz,outside) static X.X.X.157
object network DMZ_158
nat (dmz,outside) static X.X.X.158
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.153 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.2 255.255.255.255 management
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 dmz
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map MapOutsideDynamic 5 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map MapOutsideDynamic 5 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer Y.Y.Y.2
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA ESP-AES-256-MD5
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 60 ipsec-isakmp dynamic MapOutsideDynamic
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ASA
proxy-ldc-issuer
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA

crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 60
ssh version 2
console timeout 0
vpn-sessiondb max-other-vpn-limit 250
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 2
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy !S2S_Group! internal
group-policy !S2S_Group! attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SplitTunnelNetworks
nem enable
group-policy GroupPolicy_Y.Y.Y.2 internal
group-policy GroupPolicy_Y.Y.Y.2 attributes
vpn-tunnel-protocol ikev1
username germanasa password encrypted privilege 0
username germanasa attributes
vpn-group-policy !S2S_Group!
username DPnVPN password encrypted privilege 0
username DPnVPN attributes
vpn-group-policy !S2S_Group!
username admin password encrypted privilege 15
tunnel-group !S2S_Group! type remote-access
tunnel-group !S2S_Group! general-attributes
default-group-policy !S2S_Group!
tunnel-group !S2S_Group! ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group Y.Y.Y.2 type ipsec-l2l
tunnel-group Y.Y.Y.2 general-attributes
default-group-policy GroupPolicy_Y.Y.Y.2
tunnel-group Y.Y.Y.2 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp

: end

object-group service DM_INLINE_TCP_0 tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq 3389
access-list outside_access extended permit tcp any object DMZ_158 object-group DM_INLINE_TCP_0

Your ACL does not include SQL. Even though you're encrypting, you still need the ACL on the outside interface.

I would add an additional line allowing the specific source on the outside for the ports I mentioned earlier.

Sent from Cisco Technical Support iPad App

OK, thanks. I'll give it a go on Monday and see if it works.

Just one quick question though: in the old days, if you stipulated that a VPN bypassed the ACLs, you wouldn't need to add an ACL entry on the outside interface. If I add SQL to that object group, I will be allowing SQL to the DMZ server from the outside world, would I not?

Thanks,

Simon.

Hi Simon,

If you look at the system options in the ASDM, it advises that you still require ACLs for the traffic. As I understand it, in the old days, once you were in, as you highlighted. If you set the ports in that group then yes, it's from an any, and potentially your only protection is the NAT or lack of it.

I would add another ACE to the outside interface allowing the source to your DMZ host (see below).

object-group service SQL-PORTS-GROUP tcp
 port-object eq 1433
 port-object eq 1434
 port-object eq 1521
access-list outside_access extended permit tcp host 192.168.100.30 object DMZ_158 object-group SQL-PORTS-GROUP

Regards
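
The accepted fix in applied form, with the checks that show it is both working and not wider than intended. This is an added example, not the answerer's or the poster's own commands: object names come from the posted configuration, the port list is the one given in the answer above, and the source port 50000 and the Internet test address 198.51.100.10 are arbitrary values chosen for the test.

```cisco
! Added example: permit SQL to the DMZ host from the VPN peer only. Object
! names are from the posted config; ports are those given in the answer.
object-group service SQL-PORTS-GROUP tcp
 port-object eq 1433
 port-object eq 1434
 port-object eq 1521

! outside_access is evaluated for every packet entering "outside", including
! Internet traffic aimed at the public static NAT of DMZ_158 (X.X.X.158).
! Pinning the source to the peer host limits the new exposure to one VPN
! address; adding the SQL ports to DM_INLINE_TCP_0 would open them to "any".
access-list outside_access extended permit tcp host 192.168.100.30 object DMZ_158 object-group SQL-PORTS-GROUP

! Positive check: the VPN client's SQL SYN now ends in ALLOW and the new ACE
! (not the "any" line) is the one that matches. Source port 50000 is arbitrary.
packet-tracer input outside tcp 192.168.100.30 50000 172.26.1.158 1433
show access-list outside_access | include SQL-PORTS-GROUP

! Negative check: the same port from an arbitrary Internet address toward the
! public NAT of the DMZ host must still be dropped at the ACCESS-LIST phase.
! 198.51.100.10 is a documentation address used only for this test.
packet-tracer input outside tcp 198.51.100.10 50000 X.X.X.158 1433
```

Two caveats a practitioner would want here. First, the older behaviour the thread refers to (decrypted VPN traffic bypassing the interface ACL) is `sysopt connection permit-vpn`, and the posted config explicitly has `no sysopt connection permit-vpn`; re-enabling it would "fix" SQL but would also let everything the crypto ACL permits (all IP from 192.168.100.0/24 to the DMZ host) through unfiltered, so the scoped ACE is the better choice. Second, the group above is TCP-only: if the ODBC client addresses a named SQL Server instance, the instance lookup goes to SQL Server Browser on UDP 1434 and the instance itself listens on a dynamic TCP port unless it has been pinned, and neither is covered by TCP 1433/1434 alone.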

Thanks again.  I'll have a go Monday and implement the suggestion.  I'll let you know how it goes after that.

Thanks,

Simon.
