Site to Site VPN one way traffic

condonnelly
Level 1

Hi all,

I have set up a site-to-site VPN and everything works fine from the remote site to the corporate site; however, from the corporate site ASA 5510 I can't get any access to the remote site ASA 5505. I have checked logging on the ASA and I can see the packets being dropped, but I can't find what I need to do to allow this traffic through. Below is most of my 5510 config. I am sure it is something simple that I am missing, but I just can't get it working. Please help.

REMOTE Network is 192.168.72.0

: Saved

: Written by enable_15 at 10:29:17.163 GMT/BDT Thu Jun 10 2010

!

ASA Version 8.0(5)

!

hostname Casa

domain-name uk

enable password VgZT0UwPdkSV9l7N encrypted

passwd zlo5ImUVRkHl4lcl encrypted

names

name 192.168.103.14 CITRIX-Appliance description CITRIX-Appliance

name 192.168.3.12 tney description tney

dns-guard

!

interface Ethernet0/0

nameif outside

security-level 0

ip address x.x.x.123 255.255.255.224

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.3.254 255.255.255.0

!

interface Ethernet0/2

nameif dmz

security-level 50

ip address 192.168.103.254 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa805-k8.bin

boot system disk0:/asa707-k8.bin

ftp mode passive

clock timezone GMT/BST 0

clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00

dns server-group DefaultDNS

domain-name uk

object-group network ExternalAccess

description Hosts allowed direct web access

network-object SVR-01 255.255.255.255

network-object SVR-GIS 255.255.255.255

network-object host Tntu

network-object host tney

object-group network ExternalAccessFromDMZ

description Hosts allowed direct web access from DMZ

network-object CITRIX-Appliance 255.255.255.255

network-object IRONPORT1 255.255.255.255

network-object worker 255.255.255.255

object-group service MitelUDPinternet udp

description Mitel UDP services needed from internet

port-object range 20000 27000

port-object eq sip

port-object eq 5064

object-group service MitelTCPinternet tcp

description Mitel TCP services needed from internet

port-object eq 2114

port-object eq 2116

port-object eq 35000

port-object eq 37000

port-object eq 3998

port-object range 6801 6802

port-object eq 6880

port-object eq www

port-object eq https

port-object eq 6800

port-object eq 3478

port-object eq sip

port-object eq ssh

object-group service MitelTCPinternetOpt tcp

description Mitel TCP optional services from internet

port-object eq 3300

port-object range 6806 6807

port-object range 36005 36005

port-object range 36005 36006

port-object eq 3478

port-object eq sip

object-group service MitelUDP2LAN udp

description Mitel UDP services needed to LAN

port-object range 1024 65535

port-object eq sip

object-group service MitelTCP2LAN tcp

description Mitel TCP services needed to LAN

port-object eq 2114

port-object eq 2116

port-object eq 35000

port-object eq 37000

port-object eq 1606

port-object eq 4443

port-object eq 3998

port-object eq 3999

port-object range 6801 6802

port-object eq 6880

port-object eq www

port-object eq https

port-object eq 3478

port-object eq sip

access-list acl_outside extended permit icmp any any echo-reply

access-list acl_outside extended permit icmp any any unreachable

access-list acl_outside extended permit icmp any any source-quench

access-list acl_outside extended permit tcp any host Mail_Outside_AGH eq smtp

access-list acl_outside extended permit tcp any host Mail_Outside_AGH eq https

access-list acl_outside extended permit tcp any host x.x.x.123 eq ssh

access-list acl_outside extended permit tcp host x.x.x.x host Icritical_Outside eq ssh

access-list acl_outside extended permit tcp any host Citrix_Portal_outside eq 8088

access-list acl_outside extended permit tcp any host Citrix_Portal_outside eq https

access-list acl_outside extended permit tcp any host Citrix_Portal_outside eq 8081

access-list acl_outside extended permit tcp any host Mail_Outside_AVON eq smtp

access-list acl_outside extended permit tcp any host Mail_Outside_AVON eq https

access-list acl_outside extended permit udp host x.x.x.x host Icritical_Outside eq snmp

access-list acl_outside extended permit udp host x.x.x.x host Icritical_Outside eq snmp

access-list acl_outside extended permit tcp any host teleworker_outside object-group MitelTCPinternet

access-list acl_outside extended permit udp any host teleworker_outside object-group MitelUDPinternet

access-list acl_outside extended permit tcp any host teleworker_outside object-group MitelTCPinternetOpt

access-list acl_outside extended permit tcp host x.x.x.x host Icritical_Outside eq ssh

access-list acl_outside extended permit udp any host PAL-ESX-01 eq ntp

access-list acl_outside extended permit udp any host PAL-ESX-02 eq ntp

access-list acl_outside extended permit udp any host PAL-ESX-03 eq ntp

access-list inside_outbound_nat0_acl extended permit ip 192.168.1.0 255.255.255.0 172.30.100.0 255.255.255.224 inactive

access-list inside_outbound_nat0_acl extended permit ip any 172.31.1.0 255.255.255.0

access-list inside_outbound_nat0_acl extended permit ip 192.168.3.0 255.255.255.0 192.168.103.0 255.255.255.0

access-list inside_outbound_nat0_acl extended permit ip 192.168.3.0 255.255.255.0 192.168.72.0 255.255.255.0

access-list inside_pnat_outbound extended permit ip object-group ExternalAccess any

access-list acl_dmz extended permit ip host IRONPORT1 host Mail_Inside_AGH

access-list acl_dmz extended permit udp host IRONPORT1 host pal-svr-22 eq domain

access-list acl_dmz extended permit tcp host IRONPORT1 host pal-svr-22 eq 3268

access-list acl_dmz extended permit udp host IRONPORT1 host ARM-SVR-01 eq domain

access-list acl_dmz extended permit tcp host IRONPORT1 host ARM-SVR-01 eq 3268

access-list acl_dmz extended permit udp host IRONPORT1 host Pal-Svr-17 eq domain

access-list acl_dmz extended permit icmp host IRONPORT1 host Mail_Inside_AGH

access-list acl_dmz extended permit ip 192.168.103.0 255.255.255.0 any

access-list acl_dmz extended permit tcp host CITRIX-Appliance host CITRIXCSG-lan eq https inactive

access-list acl_dmz extended permit ip any host CITRIXCSG-lan inactive

access-list acl_dmz extended permit tcp host IRONPORT1 host Mail_Outside_AGH eq smtp

access-list acl_dmz extended permit tcp host Teleworker host 192.168.20.1 object-group MitelTCP2LAN

access-list acl_dmz extended permit udp host Teleworker host 192.168.20.1 object-group MitelUDP2LAN

access-list dmz_pnat_outbound extended permit ip object-group ExternalAccessFromDMZ any

access-list dmz_nat0_inbound extended permit ip 192.168.103.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list dmz_nat0_inbound extended permit ip host Teleworker host 192.168.20.1

access-list inside_pnat_outbound_AVON extended permit ip 192.168.21.0 255.255.255.0 any

access-list inside_pnat_outbound_AVON extended permit ip 192.168.22.0 255.255.255.0 any

access-list inside_pnat_outbound_AVON extended permit ip 192.168.23.0 255.255.255.0 any

access-list inside_pnat_outbound_AVON extended permit ip 192.168.24.0 255.255.248.0 any

access-list inside_pnat_outbound_AVON extended permit ip 192.168.32.0 255.255.240.0 any

access-list inside_pnat_outbound_AVON extended permit ip 192.168.48.0 255.255.248.0 any

access-list inside_pnat_outbound_AVON extended permit ip 192.168.56.0 255.255.252.0 any

access-list inside_pnat_outbound_AVON extended permit ip 192.168.60.0 255.255.255.0 any

access-list any extended permit ip any any

access-list inside_nat_AVON_Marshall extended permit ip host Mail_Inside_AVON any

access-list dmz_pnat1_outbound extended permit ip host Teleworker any

access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.72.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

logging mail notifications

logging from-address uk

logging recipient-address ito@AGH.uk level critical

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu management 1500

ip local pool vpnpool 172.31.1.1-172.31.1.254 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any echo dmz

icmp permit any dmz

asdm image disk0:/asdm-625-53.bin

asdm location SVR-01 255.255.255.255 inside

asdm location svr-02 255.255.255.255 inside

asdm location IRONPORT1 255.255.255.255 dmz

asdm location 194.81.55.226 255.255.255.255 dmz

asdm location Server 255.255.255.255 inside

asdm location CITRIX-Appliance 255.255.255.255 dmz

asdm group ExternalAccess inside

asdm group ExternalAccessFromDMZ dmz

no asdm history enable

arp timeout 14400

global (outside) 2 x.x.x.121

global (outside) 1 x.x.x.125

global (outside) 3 Mail_Outside_AVON

global (outside) 4 Mail_Outside_AGH

global (outside) 5 teleworker_outside

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 2 access-list inside_pnat_outbound_AVON

nat (inside) 3 access-list inside_nat_AVON_Marshall

nat (inside) 1 access-list inside_pnat_outbound

nat (dmz) 0 access-list dmz_nat0_inbound outside

nat (dmz) 4 access-list dmz_pnat_outbound

nat (dmz) 5 access-list dmz_pnat1_outbound

static (inside,outside) tcp Icritical_Outside ssh Icritical ssh netmask 255.255.255.255

static (inside,outside) tcp Mail_Outside_AGH https Mail_Inside_AGH https netmask 255.255.255.255

static (dmz,outside) tcp Mail_Outside_AGH smtp IRONPORT1 smtp netmask 255.255.255.255

static (inside,outside) tcp Mail_Outside_AVON https Exchange_Inside_AVON https netmask 255.255.255.255

static (inside,outside) tcp Mail_Outside_AVON smtp Mail_Inside_AVON smtp netmask 255.255.255.255

static (inside,outside) udp Icritical_Outside snmp Icritical snmp netmask 255.255.255.255

static (dmz,outside) Citrix_Portal_outside CITRIX-Appliance netmask 255.255.255.255

static (inside,outside) Mail_Outside_AVON Mail_Inside_AVON netmask 255.255.255.255

static (dmz,outside) teleworker_outside Teleworker netmask 255.255.255.255

access-group acl_outside in interface outside

access-group acl_dmz in interface dmz

route outside 0.0.0.0 0.0.0.0 X.X.X.254 1

route inside 192.168.0.0 255.255.0.0 192.168.3.3 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http oner 255.255.255.255 inside

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer r.r.r.244

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

no crypto isakmp nat-traversal

telnet timeout 5

ssh x.x.x.x 255.255.255.255 outside

ssh Mail_Inside_AGH 255.255.255.255 inside

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server SVR-DC1 source inside prefer

group-policy VPN internal

group-policy VPN attributes

wins-server value 192.168.x.x 192.168.x.x

dns-server value 192.168.x.x 192.168.x.x

ipsec-udp enable

default-domain value ACE

username VPN password pmmPwcDD/inpnNfB encrypted privilege 0

username VPN attributes

vpn-group-policy VPN

tunnel-group VPN type remote-access

tunnel-group VPN general-attributes

address-pool vpnpool

default-group-policy VPN

tunnel-group VPN ipsec-attributes

pre-shared-key ******

tunnel-group r.r.r.244 type ipsec-l2l

tunnel-group r.r.r.244 ipsec-attributes

pre-shared-key ****

tunnel-group-map default-group r.r.r.244

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns migrated_dns_map_1

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect netbios

inspect tftp

inspect sip

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:8360816431357f109b3c4b950d545c86

: end

20 Replies

Sorry, I forgot to change the interface. This shows it as if it is the implicit deny; I have tried adding an additional access rule to allow any any, but it still shows the same.

The result clearly states that the ACL is blocking the traffic.

Could you do this:

access-list inside permit ip any any

access-group inside in interface inside

Actually, the above lines are exactly the same as not having an ACL at all on the inside interface, but since we're having this problem, I'll suggest adding the rule and doing the Packet Tracer test again, please.

Federico.

Hi Federico,

Sorry it took so long to get back to you. I had tried this already; however, I have tried it again and the same thing is happening:

2 | Jun 11 2010 | 10:21:34 | 106001 | D_Toner | 49726 | 192.168.72.10 | 3389 | Inbound TCP connection denied from D_Toner/49726 to 192.168.72.10/3389 flags SYN on interface inside

I am at a complete loss with this. Any other suggestions?

Thanks,

Con

This route overlaps with the remote network:

route inside 192.168.0.0 255.255.0.0 192.168.3.3 1

I suggest either making this a more specific subnet or adding something like

route outside 192.168.72.0 255.255.255.0 outside_default_gateway_ip

Otherwise, if the above does not help, do a packet tracer to simulate the same traffic that is failing on the 5510.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1878788

Regards,

I am sorry, but I am not really sure what you mean by this. Can you break it down a bit as to what you think I should try?

Thanks

On firewall "hostname casa" you have route

route inside 192.168.0.0 255.255.0.0 192.168.3.3 1

Your match address for the crypto map to encrypt is

access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.72.0 255.255.255.0

The remote network on "hostname asa" has the network 192.168.72.0 255.255.255.0

However, because of your route inside statement (on hostname casa), you are saying the network 192.168.72.0 is on the inside.

To correct this, you can add the following on hostname casa firewall

route outside 192.168.72.0 255.255.255.0 X.X.X.254

Point it to the outside, so the traffic will be sent to the outside interface and then hit the crypto process and be sent to the peer.

Regards,
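An added example (my own, not code from the thread or from Cisco) that models the routing decision the reply above describes: the ASA picks the most specific matching route, so the /16 summary route sends 192.168.72.x to the inside interface and the traffic never reaches the crypto map on outside; adding the /24 route to outside fixes the lookup. The route lines are the ones posted in the config plus the suggested fix; the sample host 192.168.72.10 is taken from the denied-connection log line.

```python
import ipaddress

# Route lines as posted in the 5510 config (gateway and metric are kept but not used).
ROUTES_BEFORE = [
    "route outside 0.0.0.0 0.0.0.0 X.X.X.254 1",
    "route inside 192.168.0.0 255.255.0.0 192.168.3.3 1",
]
# Same table plus the more specific route the last reply suggests adding.
ROUTES_AFTER = ROUTES_BEFORE + ["route outside 192.168.72.0 255.255.255.0 X.X.X.254 1"]

# Destination of the crypto-map ACL outside_1_cryptomap, and the interface the
# crypto map is bound to ("crypto map outside_map interface outside").
CRYPTO_ACL_DST = ipaddress.ip_network("192.168.72.0/24")
CRYPTO_MAP_IFACE = "outside"


def parse_routes(lines):
    """Turn 'route <iface> <net> <mask> <gw> <metric>' lines into (iface, network) pairs."""
    table = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "route":
            continue  # ignore anything that is not a static route line
        iface, net, mask = parts[1], parts[2], parts[3]
        table.append((iface, ipaddress.ip_network(f"{net}/{mask}", strict=False)))
    return table


def egress_interface(routes, dst_ip):
    """Longest-prefix match: the most specific matching route decides the egress interface."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for iface, network in parse_routes(routes):
        if dst in network and (best is None or network.prefixlen > best[1].prefixlen):
            best = (iface, network)
    return best[0] if best else None


def vpn_route_check(routes, sample_ip="192.168.72.10"):
    """Does a host behind the remote peer get routed out the interface that holds the crypto map?"""
    if ipaddress.ip_address(sample_ip) not in CRYPTO_ACL_DST:
        return {"interface": None, "reaches_crypto_map": False, "in_crypto_acl": False}
    iface = egress_interface(routes, sample_ip)
    return {"interface": iface, "reaches_crypto_map": iface == CRYPTO_MAP_IFACE, "in_crypto_acl": True}


if __name__ == "__main__":
    print("before fix:", vpn_route_check(ROUTES_BEFORE))  # routed to inside, never encrypted
    print("after fix: ", vpn_route_check(ROUTES_AFTER))   # routed to outside, hits the crypto map
```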
