06-10-2010 03:22 AM
Hi all,
I have set up a site-to-site VPN and everything works fine from the remote site to the corporate site; however, from the corporate site ASA 5510 I can't get any access to the remote site ASA 5505. I have checked logging on the ASA and I can see the packets being dropped, but I can't find what I need to do to allow this traffic through. Below is most of my 5510 config. I am sure it is something simple that I am missing, but I just can't get it working. Please help.
The remote network is 192.168.72.0/24.
: Saved
: Written by enable_15 at 10:29:17.163 GMT/BDT Thu Jun 10 2010
!
ASA Version 8.0(5)
!
hostname Casa
domain-name uk
enable password VgZT0UwPdkSV9l7N encrypted
passwd zlo5ImUVRkHl4lcl encrypted
names
name 192.168.103.14 CITRIX-Appliance description CITRIX-Appliance
name 192.168.3.12 tney description tney
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.123 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.3.254 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 192.168.103.254 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa805-k8.bin
boot system disk0:/asa707-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name uk
object-group network ExternalAccess
description Hosts allowed direct web access
network-object SVR-01 255.255.255.255
network-object SVR-GIS 255.255.255.255
network-object host Tntu
network-object host tney
object-group network ExternalAccessFromDMZ
description Hosts allowed direct web access from DMZ
network-object CITRIX-Appliance 255.255.255.255
network-object IRONPORT1 255.255.255.255
network-object worker 255.255.255.255
object-group service MitelUDPinternet udp
description Mitel UDP services needed from internet
port-object range 20000 27000
port-object eq sip
port-object eq 5064
object-group service MitelTCPinternet tcp
description Mitel TCP services needed from internet
port-object eq 2114
port-object eq 2116
port-object eq 35000
port-object eq 37000
port-object eq 3998
port-object range 6801 6802
port-object eq 6880
port-object eq www
port-object eq https
port-object eq 6800
port-object eq 3478
port-object eq sip
port-object eq ssh
object-group service MitelTCPinternetOpt tcp
description Mitel TCP optional services from internet
port-object eq 3300
port-object range 6806 6807
port-object range 36005 36005
port-object range 36005 36006
port-object eq 3478
port-object eq sip
object-group service MitelUDP2LAN udp
description Mitel UDP services needed to LAN
port-object range 1024 65535
port-object eq sip
object-group service MitelTCP2LAN tcp
description Mitel TCP services needed to LAN
port-object eq 2114
port-object eq 2116
port-object eq 35000
port-object eq 37000
port-object eq 1606
port-object eq 4443
port-object eq 3998
port-object eq 3999
port-object range 6801 6802
port-object eq 6880
port-object eq www
port-object eq https
port-object eq 3478
port-object eq sip
access-list acl_outside extended permit icmp any any echo-reply
access-list acl_outside extended permit icmp any any unreachable
access-list acl_outside extended permit icmp any any source-quench
access-list acl_outside extended permit tcp any host Mail_Outside_AGH eq smtp
access-list acl_outside extended permit tcp any host Mail_Outside_AGH eq https
access-list acl_outside extended permit tcp any host x.x.x.123 eq ssh
access-list acl_outside extended permit tcp host x.x.x.x host Icritical_Outside eq ssh
access-list acl_outside extended permit tcp any host Citrix_Portal_outside eq 8088
access-list acl_outside extended permit tcp any host Citrix_Portal_outside eq https
access-list acl_outside extended permit tcp any host Citrix_Portal_outside eq 8081
access-list acl_outside extended permit tcp any host Mail_Outside_AVON eq smtp
access-list acl_outside extended permit tcp any host Mail_Outside_AVON eq https
access-list acl_outside extended permit udp host x.x.x.x host Icritical_Outside eq snmp
access-list acl_outside extended permit udp host x.x.x.x host Icritical_Outside eq snmp
access-list acl_outside extended permit tcp any host teleworker_outside object-group MitelTCPinternet
access-list acl_outside extended permit udp any host teleworker_outside object-group MitelUDPinternet
access-list acl_outside extended permit tcp any host teleworker_outside object-group MitelTCPinternetOpt
access-list acl_outside extended permit tcp host x.x.x.x host Icritical_Outside eq ssh
access-list acl_outside extended permit udp any host PAL-ESX-01 eq ntp
access-list acl_outside extended permit udp any host PAL-ESX-02 eq ntp
access-list acl_outside extended permit udp any host PAL-ESX-03 eq ntp
access-list inside_outbound_nat0_acl extended permit ip 192.168.1.0 255.255.255.0 172.30.100.0 255.255.255.224 inactive
access-list inside_outbound_nat0_acl extended permit ip any 172.31.1.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 192.168.3.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 192.168.3.0 255.255.255.0 192.168.72.0 255.255.255.0
access-list inside_pnat_outbound extended permit ip object-group ExternalAccess any
access-list acl_dmz extended permit ip host IRONPORT1 host Mail_Inside_AGH
access-list acl_dmz extended permit udp host IRONPORT1 host pal-svr-22 eq domain
access-list acl_dmz extended permit tcp host IRONPORT1 host pal-svr-22 eq 3268
access-list acl_dmz extended permit udp host IRONPORT1 host ARM-SVR-01 eq domain
access-list acl_dmz extended permit tcp host IRONPORT1 host ARM-SVR-01 eq 3268
access-list acl_dmz extended permit udp host IRONPORT1 host Pal-Svr-17 eq domain
access-list acl_dmz extended permit icmp host IRONPORT1 host Mail_Inside_AGH
access-list acl_dmz extended permit ip 192.168.103.0 255.255.255.0 any
access-list acl_dmz extended permit tcp host CITRIX-Appliance host CITRIXCSG-lan eq https inactive
access-list acl_dmz extended permit ip any host CITRIXCSG-lan inactive
access-list acl_dmz extended permit tcp host IRONPORT1 host Mail_Outside_AGH eq smtp
access-list acl_dmz extended permit tcp host Teleworker host 192.168.20.1 object-group MitelTCP2LAN
access-list acl_dmz extended permit udp host Teleworker host 192.168.20.1 object-group MitelUDP2LAN
access-list dmz_pnat_outbound extended permit ip object-group ExternalAccessFromDMZ any
access-list dmz_nat0_inbound extended permit ip 192.168.103.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list dmz_nat0_inbound extended permit ip host Teleworker host 192.168.20.1
access-list inside_pnat_outbound_AVON extended permit ip 192.168.21.0 255.255.255.0 any
access-list inside_pnat_outbound_AVON extended permit ip 192.168.22.0 255.255.255.0 any
access-list inside_pnat_outbound_AVON extended permit ip 192.168.23.0 255.255.255.0 any
access-list inside_pnat_outbound_AVON extended permit ip 192.168.24.0 255.255.248.0 any
access-list inside_pnat_outbound_AVON extended permit ip 192.168.32.0 255.255.240.0 any
access-list inside_pnat_outbound_AVON extended permit ip 192.168.48.0 255.255.248.0 any
access-list inside_pnat_outbound_AVON extended permit ip 192.168.56.0 255.255.252.0 any
access-list inside_pnat_outbound_AVON extended permit ip 192.168.60.0 255.255.255.0 any
access-list any extended permit ip any any
access-list inside_nat_AVON_Marshall extended permit ip host Mail_Inside_AVON any
access-list dmz_pnat1_outbound extended permit ip host Teleworker any
access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.72.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging mail notifications
logging from-address uk
logging recipient-address ito@AGH.uk level critical
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool vpnpool 172.31.1.1-172.31.1.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo dmz
icmp permit any dmz
asdm image disk0:/asdm-625-53.bin
asdm location SVR-01 255.255.255.255 inside
asdm location svr-02 255.255.255.255 inside
asdm location IRONPORT1 255.255.255.255 dmz
asdm location 194.81.55.226 255.255.255.255 dmz
asdm location Server 255.255.255.255 inside
asdm location CITRIX-Appliance 255.255.255.255 dmz
asdm group ExternalAccess inside
asdm group ExternalAccessFromDMZ dmz
no asdm history enable
arp timeout 14400
global (outside) 2 x.x.x.121
global (outside) 1 x.x.x.125
global (outside) 3 Mail_Outside_AVON
global (outside) 4 Mail_Outside_AGH
global (outside) 5 teleworker_outside
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 2 access-list inside_pnat_outbound_AVON
nat (inside) 3 access-list inside_nat_AVON_Marshall
nat (inside) 1 access-list inside_pnat_outbound
nat (dmz) 0 access-list dmz_nat0_inbound outside
nat (dmz) 4 access-list dmz_pnat_outbound
nat (dmz) 5 access-list dmz_pnat1_outbound
static (inside,outside) tcp Icritical_Outside ssh Icritical ssh netmask 255.255.255.255
static (inside,outside) tcp Mail_Outside_AGH https Mail_Inside_AGH https netmask 255.255.255.255
static (dmz,outside) tcp Mail_Outside_AGH smtp IRONPORT1 smtp netmask 255.255.255.255
static (inside,outside) tcp Mail_Outside_AVON https Exchange_Inside_AVON https netmask 255.255.255.255
static (inside,outside) tcp Mail_Outside_AVON smtp Mail_Inside_AVON smtp netmask 255.255.255.255
static (inside,outside) udp Icritical_Outside snmp Icritical snmp netmask 255.255.255.255
static (dmz,outside) Citrix_Portal_outside CITRIX-Appliance netmask 255.255.255.255
static (inside,outside) Mail_Outside_AVON Mail_Inside_AVON netmask 255.255.255.255
static (dmz,outside) teleworker_outside Teleworker netmask 255.255.255.255
access-group acl_outside in interface outside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 X.X.X.254 1
route inside 192.168.0.0 255.255.0.0 192.168.3.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http oner 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer r.r.r.244
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh x.x.x.x 255.255.255.255 outside
ssh Mail_Inside_AGH 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server SVR-DC1 source inside prefer
group-policy VPN internal
group-policy VPN attributes
wins-server value 192.168.x.x 192.168.x.x
dns-server value 192.168.x.x 192.168.x.x
ipsec-udp enable
default-domain value ACE
username VPN password pmmPwcDD/inpnNfB encrypted privilege 0
username VPN attributes
vpn-group-policy VPN
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool vpnpool
default-group-policy VPN
tunnel-group VPN ipsec-attributes
pre-shared-key ******
tunnel-group r.r.r.244 type ipsec-l2l
tunnel-group r.r.r.244 ipsec-attributes
pre-shared-key ****
tunnel-group-map default-group r.r.r.244
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect sip
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8360816431357f109b3c4b950d545c86
: end
Solved! Go to Solution.
06-11-2010 07:30 AM
This route overlaps with the remote network:
route inside 192.168.0.0 255.255.0.0 192.168.3.3 1
I suggest either making this a more specific subnet or adding something like:
route outside 192.168.72.0 255.255.255.0 outside_default_gateway_ip
Otherwise, if the above does not help, run packet-tracer to simulate the same traffic that is failing on the 5510:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1878788
Regards,
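Why the overlapping route matters: the ASA chooses the egress interface from the routing table before the crypto map is consulted. A packet from 192.168.3.69 to 192.168.72.10 arriving on inside matches the /16 route pointing back to 192.168.3.3 on inside, never reaches the outside interface where outside_map is bound, and an inside-to-inside flow is dropped by default, which is what the 106001 denial on interface inside looks like. The script below is an added example, not part of the thread or of any Cisco tool: it parses the route and crypto-map lines from a constructed excerpt of the posted 5510 config (the gateway X.X.X.254 is the redacted value from the post), does the same longest-prefix lookup the ASA does for each crypto-ACL destination, and flags any destination whose route does not leave via the crypto map's interface, printing the fix from the accepted answer and a packet-tracer command to verify it. The port 3389 and the `<outside_default_gateway_ip>` placeholder are assumptions for illustration.

```python
import ipaddress
import re

# Constructed excerpt of the corporate ASA 5510 config posted in the thread:
# only the lines this check needs. "X.X.X.254" is the redacted outside gateway.
CORP_CONFIG = """\
access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.72.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.254 1
route inside 192.168.0.0 255.255.0.0 192.168.3.3 1
"""

ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")
CRYPTO_ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_MATCH_RE = re.compile(r"^crypto map (\S+) \d+ match address (\S+)")
MAP_IFACE_RE = re.compile(r"^crypto map (\S+) interface (\S+)")


def parse_routes(cfg):
    """Return [(interface, network, gateway)] for every static route in cfg."""
    routes = []
    for line in cfg.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            iface, net, mask, gw = m.groups()
            routes.append((iface, ipaddress.ip_network(f"{net}/{mask}"), gw))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the egress interface the ASA picks for dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for iface, net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net, gw)
    return best


def check_crypto_routing(cfg):
    """Flag crypto-map destinations that the routing table sends out an
    interface other than the one the crypto map is bound to."""
    routes = parse_routes(cfg)
    acl_entries, map_acls, map_iface = {}, {}, {}
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := CRYPTO_ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acl_entries.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        elif m := MAP_MATCH_RE.match(line):
            map_acls.setdefault(m.group(1), []).append(m.group(2))
        elif m := MAP_IFACE_RE.match(line):
            map_iface[m.group(1)] = m.group(2)

    findings = []
    for mapname, iface in map_iface.items():
        for acl in map_acls.get(mapname, []):
            for src_net, dst_net in acl_entries.get(acl, []):
                dst_host = dst_net.network_address + 1   # any host in the remote net
                src_host = src_net.network_address + 1   # any host in the local net
                hit = lookup(routes, dst_host)
                if hit is None or hit[0] != iface:
                    ingress = lookup(routes, src_host)
                    findings.append({
                        "crypto_map": mapname,
                        "destination": str(dst_net),
                        "routed_via": hit[0] if hit else None,
                        "matching_route": str(hit[1]) if hit else None,
                        # Fix from the accepted answer: a /24 wins longest match over the /16.
                        # The gateway placeholder is an assumption; fill in the real next hop.
                        "fix": f"route {iface} {dst_net.network_address} {dst_net.netmask} "
                               f"<{iface}_default_gateway_ip>",
                        # Verify on the box; 3389/58309 are the ports from the posted log line.
                        "verify": f"packet-tracer input {ingress[0] if ingress else '<ingress>'} "
                                  f"tcp {src_host} 58309 {dst_host} 3389",
                    })
    return findings


if __name__ == "__main__":
    for finding in check_crypto_routing(CORP_CONFIG):
        for key, value in finding.items():
            print(f"{key}: {value}")
```

Run it as-is and it reports that 192.168.72.0/24 is routed via inside by 192.168.0.0/16; append the suggested `route outside 192.168.72.0 255.255.255.0 ...` line to the config text and the finding disappears, which is the same thing packet-tracer should show on the 5510 after the change.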
06-10-2010 06:36 AM
Hi Conleth,
From the corporate side, test whether you can ping the remote's inside IP.
To do that, you need the following command on both ASAs: management-access inside
Then, from the corporate ASA: ping inside x.x.x.x (where x.x.x.x is the IP of the inside interface of the remote ASA).
If it works, let us know the source and destination IP of the connection that does not work.
Federico.
06-10-2010 06:49 AM
Hi Federico,
Thanks for the reply. I have tried this and it doesn't work either way, between the corporate network 192.168.3.0 and the remote 192.168.72.0.
However, I can access everything on the corporate network from the remote network.
Conleth
06-10-2010 07:04 AM
Conleth,
You're saying that you cannot access the remote network from the corporate network.
So, you cannot access 192.168.72.x from 192.168.3.x.
What happens if you clear the tunnel and try to initiate it from the corporate side?
Does the tunnel come up?
Check "sh cry ips sa" to see whether you get packets encrypted/decrypted.
Also, sometimes people configure a VPN endpoint to be either "originate-only" or "answer-only" instead of bidirectional.
Make sure the remote site is not set to "originate-only".
Federico.
06-10-2010 07:25 AM
The corporate firewall seems to drop any packets for the 192.168.72.0 network when viewing the logs. Both sides are set to bidirectional.
asa# sh cry ips sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: x.x.x.123
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.31.1.1/255.255.255.255/0/0)
current_peer: x.x.x.x, username: VPN
dynamic allocated peer ip: 172.31.1.1
#pkts encaps: 6034, #pkts encrypt: 6034, #pkts digest: 6034
#pkts decaps: 8704, #pkts decrypt: 8704, #pkts verify: 8704
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 6034, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: x.x.x.123/10000, remote crypto endpt.: x.x.x.x/54669
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: ECB54178
current inbound spi : CB9F8476
inbound esp sas:
spi: 0xCB9F8476 (3416228982)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, UDP-Encaps, }
slot: 0, conn_id: 8192, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 24248
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xECB54178 (3971301752)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, UDP-Encaps, }
slot: 0, conn_id: 8192, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 24248
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.123
access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.72.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.72.0/255.255.255.0/0/0)
current_peer: r.r.r.244
#pkts encaps: 3449, #pkts encrypt: 3449, #pkts digest: 3449
#pkts decaps: 3727, #pkts decrypt: 3727, #pkts verify: 3727
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3449, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: x.x.x.123, remote crypto endpt.: x.x.x.244
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: F26A6B87
current inbound spi : 762F116C
inbound esp sas:
spi: 0x762F116C (1982796140)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 4096, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914502/9800)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xF26A6B87 (4067060615)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 4096, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914031/9799)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
asa#
Thanks,
Conleth
06-10-2010 07:39 AM
Conleth,
If you look at this:
##########################################################
local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.72.0/255.255.255.0/0/0)
current_peer: r.r.r.244
#pkts encaps: 3449, #pkts encrypt: 3449, #pkts digest: 3449
#pkts decaps: 3727, #pkts decrypt: 3727, #pkts verify: 3727
##########################################################
It shows the ASA is receiving (decrypting) and sending (encrypting) traffic to 192.168.72.x.
You said that from the corporate network you cannot ping the inside IP of the remote VPN endpoint?
Do you have the configuration that you can post?
Federico.
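A caveat worth making explicit about reading those counters: non-zero encaps/decaps on the L2L SA only prove that some traffic matched it, and here that is the return traffic of sessions the remote site opened. They say nothing about whether a connection started from the corporate side ever gets encrypted. The check a practitioner wants is a counter diff around one test connection: snapshot "show crypto ipsec sa", make the connection from corporate to remote, snapshot again, and compare the SA that protects 192.168.72.0/24. If neither counter moves, the packet was dropped on the 5510 before the crypto map (routing, ACL or NAT), which is what the 106001 log line later in this thread confirms. The parser below is an added example, not part of the thread: SNAP_BEFORE is a constructed cut-down of the output posted above, and SNAP_AFTER is made up so that the remote-access SA advanced while the L2L SA did not. Run the real test while the tunnel is otherwise quiet, since any other host's traffic will also bump the counters.

```python
import re

# Constructed snapshots of "show crypto ipsec sa" on the corporate 5510, cut
# down to the lines the check reads. BEFORE reuses the counters posted in the
# thread; AFTER is made up: the remote-access SA moved on, the L2L SA to
# 192.168.72.0/24 did not.
SNAP_BEFORE = """\
interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: x.x.x.123
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.31.1.1/255.255.255.255/0/0)
      #pkts encaps: 6034, #pkts encrypt: 6034, #pkts digest: 6034
      #pkts decaps: 8704, #pkts decrypt: 8704, #pkts verify: 8704
    Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.123
      local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.72.0/255.255.255.0/0/0)
      #pkts encaps: 3449, #pkts encrypt: 3449, #pkts digest: 3449
      #pkts decaps: 3727, #pkts decrypt: 3727, #pkts verify: 3727
"""
# Made-up second snapshot: only the remote-access SA counters changed (+6 each way).
SNAP_AFTER = SNAP_BEFORE.replace("6034", "6040").replace("8704", "8710")

SA_HEADER = re.compile(r"Crypto map tag: (\S+), seq num: (\d+)")
IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_crypto_sa(output):
    """Map (crypto map tag, seq) -> {local, remote, encaps, decaps} for each SA."""
    sas, cur = {}, None
    for line in output.splitlines():
        if m := SA_HEADER.search(line):
            cur = (m.group(1), int(m.group(2)))
            sas[cur] = {"local": None, "remote": None, "encaps": 0, "decaps": 0}
        elif cur is not None and (m := IDENT.search(line)):
            sas[cur][m.group(1)] = f"{m.group(2)}/{m.group(3)}"
        elif cur is not None and (m := COUNTER.search(line)):
            sas[cur][m.group(1)] = int(m.group(2))
    return sas


def sa_protecting(sas, remote_net):
    """Find the SA whose remote ident is remote_net ("net/mask" as the ASA prints it)."""
    for key, sa in sas.items():
        if sa["remote"] == remote_net:
            return key, sa
    raise KeyError(f"no SA with remote ident {remote_net}")


def counter_delta(before, after, remote_net):
    """Increment in encaps/decaps for the SA protecting remote_net between two
    snapshots taken around a test connection."""
    _, b = sa_protecting(before, remote_net)
    _, a = sa_protecting(after, remote_net)
    return {"encaps": a["encaps"] - b["encaps"], "decaps": a["decaps"] - b["decaps"]}


def verdict(delta):
    """Turn the counter movement into the next place to look."""
    if delta["encaps"] == 0 and delta["decaps"] == 0:
        return "not encrypted: the test packets were dropped on this ASA before the crypto map (route/ACL/NAT)"
    if delta["decaps"] == 0:
        return "encrypted and sent, nothing came back: look at the remote peer"
    return "both directions moved"


if __name__ == "__main__":
    before, after = parse_crypto_sa(SNAP_BEFORE), parse_crypto_sa(SNAP_AFTER)
    for net in ("192.168.72.0/255.255.255.0", "172.31.1.1/255.255.255.255"):
        d = counter_delta(before, after, net)
        print(net, d, "->", verdict(d))
```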
06-10-2010 07:51 AM
Hi Federico
Here is the config for the remote site.
This is what I see on the corporate firewall when I try a remote desktop connection to 192.168.72.10:
2 | Jun 10 2010 | 15:50:40 | 106001 | D_Toner | 58309 | 192.168.72.10 | 3389 | Inbound TCP connection denied from D_Toner/58309 to 192.168.72.10/3389 flags SYN on interface inside |
: Saved
: Written by enable_15 at 14:43:47.640 UTC Thu Jun 10 2010
!
ASA Version 8.2(1)
!
hostname asa
domain-name uk
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.72.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address X.X.X.244 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name uk
access-list outside_access_in extended permit icmp any any echo-reply
access-list inside_nat0_outbound extended permit ip 192.168.72.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.72.0 255.255.255.0 192.168.3.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.121 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.5 255.255.255.255 inside
http 192.168.72.10 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer X.X.X.123
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.72.5-192.168.72.36 inside
dhcpd dns 192.168.3.251 212.108.88.4 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.3.252 source inside prefer
webvpn
tunnel-group X.X.X.123 type ipsec-l2l
tunnel-group X.X.X.123 ipsec-attributes
pre-shared-key *****
!
class-map global-class
match default-inspection-traffic
!
!
policy-map global-policy
class global-class
inspect dns
inspect esmtp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect icmp
inspect netbios
!
service-policy global-policy global
prompt hostname context
Cryptochecksum:0433906825b992790dea0664553c1a03
: end
06-10-2010 08:01 AM
Ok thank you.
What is the IP for this host D_Toner?
Federico.
06-10-2010 08:05 AM
It is 192.168.3.69.
06-10-2010 08:19 AM
You're getting this message on the corporate ASA 5510?
Inbound TCP connection denied from D_Toner/58309
to 192.168.72.10/3389 flags SYN on interface inside
The above message is saying that the ASA is denying this TCP connection on its inside
interface when it comes from 192.168.3.69 on port 58309 going to 192.168.72.10 on port 3389.
This is strange, because I don't see an ACL applied to the inside interface of the 5510.
Could you verify this with "sh run access-group"?
Federico.
06-10-2010 08:28 AM
Thanks,
this is what I get:
asa# sh run access-group
access-group acl_outside in interface outside
access-group acl_dmz in interface dmz
asa#
06-10-2010 08:39 AM
Can you confirm that this error:
Inbound TCP connection denied from D_Toner/58309
to 192.168.72.10/3389 flags SYN on interface inside
You're seeing it on the corporate ASA 5510 and not on the remote?
Federico.
06-10-2010 08:45 AM
Yes, I receive this on the corporate firewall. From the remote site I can access the corporate network with no problems at all: I can remote desktop, do domain lookups and browse network drives.
06-10-2010 09:06 AM
Ok, it is strange indeed.
Can you do a test?
The corporate ASA is telling us that it's not going to allow a TCP SYN connection from 192.168.3.69 to
192.168.72.70 on those ports.
There is no ACL applied to the inside interface, as we checked.
So, using packet-tracer, you can simulate the connection and have the ASA tell you which process is preventing
this connection from establishing.
The packet-tracer test should let us know why the ASA is denying the connection even though there's no rule
blocking it.
Federico.