06-10-2010 03:22 AM
Hi all,
I have set up a site-to-site VPN and everything works fine from the remote site to the corporate site; however, from the corporate site ASA 5510 I can't get any access to the remote site ASA 5505. I have checked logging on the ASA and I can see the packets being dropped, but I can't find what I need to do to allow this traffic through. Below is most of my 5510 config. I am sure it is something simple that I am missing, but I just can't get it working. Please help.
REMOTE Network is 192.168.72.0
: Saved
: Written by enable_15 at 10:29:17.163 GMT/BDT Thu Jun 10 2010
!
ASA Version 8.0(5)
!
hostname Casa
domain-name uk
enable password VgZT0UwPdkSV9l7N encrypted
passwd zlo5ImUVRkHl4lcl encrypted
names
name 192.168.103.14 CITRIX-Appliance description CITRIX-Appliance
name 192.168.3.12 tney description tney
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.123 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.3.254 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 192.168.103.254 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa805-k8.bin
boot system disk0:/asa707-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name uk
object-group network ExternalAccess
description Hosts allowed direct web access
network-object SVR-01 255.255.255.255
network-object SVR-GIS 255.255.255.255
network-object host Tntu
network-object host tney
object-group network ExternalAccessFromDMZ
description Hosts allowed direct web access from DMZ
network-object CITRIX-Appliance 255.255.255.255
network-object IRONPORT1 255.255.255.255
network-object worker 255.255.255.255
object-group service MitelUDPinternet udp
description Mitel UDP services needed from internet
port-object range 20000 27000
port-object eq sip
port-object eq 5064
object-group service MitelTCPinternet tcp
description Mitel TCP services needed from internet
port-object eq 2114
port-object eq 2116
port-object eq 35000
port-object eq 37000
port-object eq 3998
port-object range 6801 6802
port-object eq 6880
port-object eq www
port-object eq https
port-object eq 6800
port-object eq 3478
port-object eq sip
port-object eq ssh
object-group service MitelTCPinternetOpt tcp
description Mitel TCP optional services from internet
port-object eq 3300
port-object range 6806 6807
port-object range 36005 36005
port-object range 36005 36006
port-object eq 3478
port-object eq sip
object-group service MitelUDP2LAN udp
description Mitel UDP services needed to LAN
port-object range 1024 65535
port-object eq sip
object-group service MitelTCP2LAN tcp
description Mitel TCP services needed to LAN
port-object eq 2114
port-object eq 2116
port-object eq 35000
port-object eq 37000
port-object eq 1606
port-object eq 4443
port-object eq 3998
port-object eq 3999
port-object range 6801 6802
port-object eq 6880
port-object eq www
port-object eq https
port-object eq 3478
port-object eq sip
access-list acl_outside extended permit icmp any any echo-reply
access-list acl_outside extended permit icmp any any unreachable
access-list acl_outside extended permit icmp any any source-quench
access-list acl_outside extended permit tcp any host Mail_Outside_AGH eq smtp
access-list acl_outside extended permit tcp any host Mail_Outside_AGH eq https
access-list acl_outside extended permit tcp any host x.x.x.123 eq ssh
access-list acl_outside extended permit tcp host x.x.x.x host Icritical_Outside eq ssh
access-list acl_outside extended permit tcp any host Citrix_Portal_outside eq 8088
access-list acl_outside extended permit tcp any host Citrix_Portal_outside eq https
access-list acl_outside extended permit tcp any host Citrix_Portal_outside eq 8081
access-list acl_outside extended permit tcp any host Mail_Outside_AVON eq smtp
access-list acl_outside extended permit tcp any host Mail_Outside_AVON eq https
access-list acl_outside extended permit udp host x.x.x.x host Icritical_Outside eq snmp
access-list acl_outside extended permit udp host x.x.x.x host Icritical_Outside eq snmp
access-list acl_outside extended permit tcp any host teleworker_outside object-group MitelTCPinternet
access-list acl_outside extended permit udp any host teleworker_outside object-group MitelUDPinternet
access-list acl_outside extended permit tcp any host teleworker_outside object-group MitelTCPinternetOpt
access-list acl_outside extended permit tcp host x.x.x.x host Icritical_Outside eq ssh
access-list acl_outside extended permit udp any host PAL-ESX-01 eq ntp
access-list acl_outside extended permit udp any host PAL-ESX-02 eq ntp
access-list acl_outside extended permit udp any host PAL-ESX-03 eq ntp
access-list inside_outbound_nat0_acl extended permit ip 192.168.1.0 255.255.255.0 172.30.100.0 255.255.255.224 inactive
access-list inside_outbound_nat0_acl extended permit ip any 172.31.1.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 192.168.3.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 192.168.3.0 255.255.255.0 192.168.72.0 255.255.255.0
access-list inside_pnat_outbound extended permit ip object-group ExternalAccess any
access-list acl_dmz extended permit ip host IRONPORT1 host Mail_Inside_AGH
access-list acl_dmz extended permit udp host IRONPORT1 host pal-svr-22 eq domain
access-list acl_dmz extended permit tcp host IRONPORT1 host pal-svr-22 eq 3268
access-list acl_dmz extended permit udp host IRONPORT1 host ARM-SVR-01 eq domain
access-list acl_dmz extended permit tcp host IRONPORT1 host ARM-SVR-01 eq 3268
access-list acl_dmz extended permit udp host IRONPORT1 host Pal-Svr-17 eq domain
access-list acl_dmz extended permit icmp host IRONPORT1 host Mail_Inside_AGH
access-list acl_dmz extended permit ip 192.168.103.0 255.255.255.0 any
access-list acl_dmz extended permit tcp host CITRIX-Appliance host CITRIXCSG-lan eq https inactive
access-list acl_dmz extended permit ip any host CITRIXCSG-lan inactive
access-list acl_dmz extended permit tcp host IRONPORT1 host Mail_Outside_AGH eq smtp
access-list acl_dmz extended permit tcp host Teleworker host 192.168.20.1 object-group MitelTCP2LAN
access-list acl_dmz extended permit udp host Teleworker host 192.168.20.1 object-group MitelUDP2LAN
access-list dmz_pnat_outbound extended permit ip object-group ExternalAccessFromDMZ any
access-list dmz_nat0_inbound extended permit ip 192.168.103.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list dmz_nat0_inbound extended permit ip host Teleworker host 192.168.20.1
access-list inside_pnat_outbound_AVON extended permit ip 192.168.21.0 255.255.255.0 any
access-list inside_pnat_outbound_AVON extended permit ip 192.168.22.0 255.255.255.0 any
access-list inside_pnat_outbound_AVON extended permit ip 192.168.23.0 255.255.255.0 any
access-list inside_pnat_outbound_AVON extended permit ip 192.168.24.0 255.255.248.0 any
access-list inside_pnat_outbound_AVON extended permit ip 192.168.32.0 255.255.240.0 any
access-list inside_pnat_outbound_AVON extended permit ip 192.168.48.0 255.255.248.0 any
access-list inside_pnat_outbound_AVON extended permit ip 192.168.56.0 255.255.252.0 any
access-list inside_pnat_outbound_AVON extended permit ip 192.168.60.0 255.255.255.0 any
access-list any extended permit ip any any
access-list inside_nat_AVON_Marshall extended permit ip host Mail_Inside_AVON any
access-list dmz_pnat1_outbound extended permit ip host Teleworker any
access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.72.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging mail notifications
logging from-address uk
logging recipient-address ito@AGH.uk level critical
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool vpnpool 172.31.1.1-172.31.1.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo dmz
icmp permit any dmz
asdm image disk0:/asdm-625-53.bin
asdm location SVR-01 255.255.255.255 inside
asdm location svr-02 255.255.255.255 inside
asdm location IRONPORT1 255.255.255.255 dmz
asdm location 194.81.55.226 255.255.255.255 dmz
asdm location Server 255.255.255.255 inside
asdm location CITRIX-Appliance 255.255.255.255 dmz
asdm group ExternalAccess inside
asdm group ExternalAccessFromDMZ dmz
no asdm history enable
arp timeout 14400
global (outside) 2 x.x.x.121
global (outside) 1 x.x.x.125
global (outside) 3 Mail_Outside_AVON
global (outside) 4 Mail_Outside_AGH
global (outside) 5 teleworker_outside
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 2 access-list inside_pnat_outbound_AVON
nat (inside) 3 access-list inside_nat_AVON_Marshall
nat (inside) 1 access-list inside_pnat_outbound
nat (dmz) 0 access-list dmz_nat0_inbound outside
nat (dmz) 4 access-list dmz_pnat_outbound
nat (dmz) 5 access-list dmz_pnat1_outbound
static (inside,outside) tcp Icritical_Outside ssh Icritical ssh netmask 255.255.255.255
static (inside,outside) tcp Mail_Outside_AGH https Mail_Inside_AGH https netmask 255.255.255.255
static (dmz,outside) tcp Mail_Outside_AGH smtp IRONPORT1 smtp netmask 255.255.255.255
static (inside,outside) tcp Mail_Outside_AVON https Exchange_Inside_AVON https netmask 255.255.255.255
static (inside,outside) tcp Mail_Outside_AVON smtp Mail_Inside_AVON smtp netmask 255.255.255.255
static (inside,outside) udp Icritical_Outside snmp Icritical snmp netmask 255.255.255.255
static (dmz,outside) Citrix_Portal_outside CITRIX-Appliance netmask 255.255.255.255
static (inside,outside) Mail_Outside_AVON Mail_Inside_AVON netmask 255.255.255.255
static (dmz,outside) teleworker_outside Teleworker netmask 255.255.255.255
access-group acl_outside in interface outside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 X.X.X.254 1
route inside 192.168.0.0 255.255.0.0 192.168.3.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http oner 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer r.r.r.244
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh x.x.x.x 255.255.255.255 outside
ssh Mail_Inside_AGH 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server SVR-DC1 source inside prefer
group-policy VPN internal
group-policy VPN attributes
wins-server value 192.168.x.x 192.168.x.x
dns-server value 192.168.x.x 192.168.x.x
ipsec-udp enable
default-domain value ACE
username VPN password pmmPwcDD/inpnNfB encrypted privilege 0
username VPN attributes
vpn-group-policy VPN
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool vpnpool
default-group-policy VPN
tunnel-group VPN ipsec-attributes
pre-shared-key ******
tunnel-group r.r.r.244 type ipsec-l2l
tunnel-group r.r.r.244 ipsec-attributes
pre-shared-key ****
tunnel-group-map default-group r.r.r.244
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect sip
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8360816431357f109b3c4b950d545c86
: end
06-10-2010 09:23 AM
06-10-2010 10:01 AM
The result clearly states that the ACL is blocking the traffic.
Could you do this:
access-list inside permit ip any any
access-group inside in interface inside
Actually, the above lines are exactly the same as not having an ACL at all on the inside interface, but since we're having this problem, I'll suggest adding the rule and doing the Packet Tracer test again, please.
Federico.
06-11-2010 02:29 AM
Hi Federico,
Sorry it took so long to get back to you. I had tried this already; however, I have tried it again and the same thing is happening:
2 | Jun 11 2010 | 10:21:34 | 106001 | D_Toner | 49726 | 192.168.72.10 | 3389 | Inbound TCP connection denied from D_Toner/49726 to 192.168.72.10/3389 flags SYN on interface inside |
I am at a complete loss with this; any other suggestions?
Thanks,
Con
06-11-2010 07:30 AM
This route overlaps with the remote network:
route inside 192.168.0.0 255.255.0.0 192.168.3.3 1
I suggest either making this a more specific subnet or adding something like:
route outside 192.168.72.0 255.255.255.0 outside_default_gateway_ip
Otherwise, if the above does not help, do a packet tracer to simulate the same traffic that is failing on the 5510.
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1878788
Regards,
06-15-2010 02:26 AM
I am sorry, but I am not really sure what you mean by this. Can you break it down a bit as to what you think I should try?
Thanks
06-15-2010 05:09 AM
On the firewall "hostname casa" you have the route:
route inside 192.168.0.0 255.255.0.0 192.168.3.3 1
Your match address for the crypto map to encrypt is:
access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.72.0 255.255.255.0
The remote network on "hostname asa" is 192.168.72.0 255.255.255.0.
However, because of your route inside statement (on hostname casa), you are saying the network 192.168.72.0 is on the inside.
To correct this, you can add the following on the hostname casa firewall:
route outside 192.168.72.0 255.255.255.0 X.X.X.254
Point it to the outside, so the traffic will be sent to the outside interface, hit the crypto process, and be sent to the peer.
Regards,
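As an added illustration (not from this thread, Cisco, or the ASA itself), a small Python model of the routing decision explained above. It assumes only the two routes and the crypto ACL from the posted "casa" config and shows why 192.168.72.10 is sent via the inside interface (never reaching the crypto map on outside) until the more specific /24 outside route is added.

```python
from ipaddress import ip_address, ip_network

# Routes from the posted "hostname casa" config: (interface, prefix, next hop).
# This is a simplified longest-prefix-match model, not ASA code.
ROUTES_BEFORE = [
    ("outside", "0.0.0.0/0", "X.X.X.254"),
    ("inside", "192.168.0.0/16", "192.168.3.3"),
]
# Same table with the fix suggested in the thread: a /24 for the remote LAN via outside.
ROUTES_AFTER = ROUTES_BEFORE + [("outside", "192.168.72.0/24", "X.X.X.254")]

# crypto map outside_map 1 is bound to "outside" and matches outside_1_cryptomap.
CRYPTO_INTERFACE = "outside"
CRYPTO_ACL = [("192.168.3.0/24", "192.168.72.0/24")]  # (source, destination)


def lookup(routes, dst):
    """Longest-prefix match: return (egress interface, next hop) for dst."""
    dst = ip_address(dst)
    best = None
    for iface, prefix, next_hop in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net, next_hop)
    return (best[0], best[2]) if best else None


def will_encrypt(routes, src, dst):
    """A flow is only encrypted if it egresses the crypto-map interface
    AND matches a line of the crypto ACL (interesting traffic)."""
    route = lookup(routes, dst)
    if route is None or route[0] != CRYPTO_INTERFACE:
        return False  # routed to inside: the outside crypto map never sees it
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(a) and d in ip_network(b) for a, b in CRYPTO_ACL)


if __name__ == "__main__":
    # Corporate host (tney, 192.168.3.12) to the remote host from the denied log line.
    for label, routes in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        print(label, lookup(routes, "192.168.72.10"),
              "encrypted:", will_encrypt(routes, "192.168.3.12", "192.168.72.10"))
```

The model also makes the second condition visible: a DMZ source such as 192.168.103.14 still would not be encrypted after the route fix, because it is not covered by outside_1_cryptomap.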