Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Trouble with ACL in ASA-5504 IPSec config

I'm trying to get an IPSec tunnel up between two ASA-5540s. There is a PC (SunMed_PC) behind ASA-5540-B and a laptop (GHC-laptop) behind ASA-5540-A. If the crypto map allows all IP, via the outside_cryptomap ACL, then the tunnel comes up an FTP session is established.

But, when I restrict the traffic to FTP, the following error log message is generated:

...Group = 164.72.1.147, IP = 164.72.1.147, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 164.72.1.155/255.255.255.255/6/0 local proxy 164.72.1.135/255.255.255.255/6/21 on interface outside

Here are the configs giving only the pertinent commands. I added the ACL 100 and 'access-group 100 in interface inside', but that didn't change the error.

Any idea what I am missing?

ROC-ASA5540-A

names

name 164.72.1.135 GHC_Laptop description For VPN testing

name 164.72.1.155 SunMed_pc description For VPN testing

!

interface GigabitEthernet0/0

nameif inside

security-level 100

ip address 164.72.1.129 255.255.255.240

!

!

interface GigabitEthernet0/3

nameif outside

security-level 0

ip address 164.72.1.145 255.255.255.248

!

ftp mode passive

object-group service DM_INLINE_TCP_1 tcp

port-object eq ftp

port-object eq ftp-data

access-list outside_cryptomap extended permit tcp host GHC_Laptop eq ftp host SunMed_pc object-group DM_INLINE_TCP_1

access-list 100 extended permit ip any any

asdm image disk0:/asdm-603.bin

access-group 100 in interface inside

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map0 1 match address outside_cryptomap

crypto map outside_map0 1 set peer 164.72.1.147

crypto map outside_map0 1 set transform-set ESP-3DES-SHA

crypto map outside_map0 1 set nat-t-disable

crypto map outside_map0 interface outside

crypto isakmp enable outside

crypto isakmp policy 5

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

group-policy Lan-2-Lan_only internal

group-policy Lan-2-Lan_only attributes

vpn-filter none

vpn-tunnel-protocol IPSec

tunnel-group 164.72.1.147 type ipsec-l2l

tunnel-group 164.72.1.147 general-attributes

default-group-policy Lan-2-Lan_only

tunnel-group 164.72.1.147 ipsec-attributes

pre-shared-key *

!

: end

----------------------------------------------------------------------------------------------------------

ROC-ASA5540-B# sh run

ASA Version 8.0(3)

!

names

name 164.72.1.135 GHC_laptop

name 164.72.1.155 SunMed_PC

!

interface GigabitEthernet0/0

nameif inside

security-level 100

ip address 164.72.1.153 255.255.255.248

!

interface GigabitEthernet0/3

nameif outside

security-level 0

ip address 164.72.1.147 255.255.255.248

!

ftp mode passive

object-group service DM_INLINE_TCP_1 tcp

port-object eq ftp

port-object eq ftp-data

access-list outside_cryptomap extended permit tcp host SunMed_PC host GHC_laptop object-group DM_INLINE_TCP_1

access-list 100 extended permit ip any any

asdm image disk0:/asdm-603.bin

access-group 100 in interface inside

route outside 164.72.1.128 255.255.255.240 GHC-Medical 1

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map0 1 match address outside_cryptomap

crypto map outside_map0 1 set peer GHC-Medical

crypto map outside_map0 1 set transform-set ESP-3DES-SHA

crypto map outside_map0 1 set nat-t-disable

crypto map outside_map0 interface outside

crypto isakmp enable outside

crypto isakmp policy 4

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

group-policy Lan-2-Lan internal

group-policy Lan-2-Lan attributes

vpn-tunnel-protocol IPSec

tunnel-group 164.72.1.145 type ipsec-l2l

tunnel-group 164.72.1.145 general-attributes

default-group-policy Lan-2-Lan

tunnel-group 164.72.1.145 ipsec-attributes

pre-shared-key *

: end

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: Trouble with ACL in ASA-5504 IPSec config

Your acl mapped on the crypto map is suspect on the first device :

access-list outside_cryptomap extended permit tcp host GHC_Laptop eq ftp host SunMed_pc object-group DM_INLINE_TCP_1

The source port should not be defined since it

is dynamic.

The second acl appears corrected :

access-list outside_cryptomap extended permit tcp host SunMed_PC host GHC_laptop object-group DM_INLINE_TCP_1

8 REPLIES
New Member

Re: Trouble with ACL in ASA-5504 IPSec config

It looks to me that one access list has a restriction to port 21 and the other does not. I have seen this cause similar issues in the past.

New Member

Re: Trouble with ACL in ASA-5504 IPSec config

Is there a config guide that explains how to set up a working tunnel and restricting what TCP ports can bring up the tunnel? All the PDF config examples I've been able to find only describe permitting/denying IP traffic - nothing more granular.

New Member

Re: Trouble with ACL in ASA-5504 IPSec config

I don't know of any guides and i did just search and couldnt find any.

I would suggest removing the "eq ftp" from the crypto ACL on ASA 5540-A. That may resolve your issue. The access lists on both sides have to match up and i dont think the "eq ftp" is needed because of the object-group.

Also, which pc is the ftp server and which is the client?

New Member

Re: Trouble with ACL in ASA-5504 IPSec config

The GHC_PC (164.72.1.135) is the FTP server. I can remove the "eq ftp" from th A box, but I want to be able to restrict to only FTP on ports between both devices. Maybe I'm not understanding how the object-group works as regards to source/destination ports.

Green

Re: Trouble with ACL in ASA-5504 IPSec config

Interesting traffic access lists are not meant to be extended acl's, meaning they should not include port information. If you want to limit the traffic which goes over the tunnel, there are ways to do this, but trying to limit what brings the tunnel up won't work well.

New Member

Re: Trouble with ACL in ASA-5504 IPSec config

New Member

Re: Trouble with ACL in ASA-5504 IPSec config

I checked out the link that justinlala sent and was able to restrict traffic through the tunnel using the method of creating an ACL and applying it to the Lan-2-lan group-policy.

So what this means is that I cannot get granular on what is 'interesting traffic' - I can't use an extended ACL. So that means that anything can/will bring the tunnel up and then the group-policy ACL will restrict the traffic after that?

That doesn't seem very well thought out by Cisco - and it certainly isn't very elegant. With Cisco IOS and the Cisco Concentrator, one can be very granular on what is considered 'interesting traffic'. Why would the ASA force one to bring a tunnel up and then restrict traffic? I don't even know if that would pass security muster.

Am I still missing something here?

New Member

Re: Trouble with ACL in ASA-5504 IPSec config

Your acl mapped on the crypto map is suspect on the first device :

access-list outside_cryptomap extended permit tcp host GHC_Laptop eq ftp host SunMed_pc object-group DM_INLINE_TCP_1

The source port should not be defined since it

is dynamic.

The second acl appears corrected :

access-list outside_cryptomap extended permit tcp host SunMed_PC host GHC_laptop object-group DM_INLINE_TCP_1

629
Views
3
Helpful
8
Replies