topic Re: IPSEC Tunnel Traffic in Network Security

IPSEC Tunnel Traffic

rsatjharman — Fri, 21 Feb 2020 14:47:59 GMT

Hi,

I haven't had much luck on responses to this however here goes. I have an IPSEC VPN tunnel up and connected. I can ping a remote IP address from a local address however I cannot Telnet to Port 55019 of the same remote IP Address. It seems that the Telnet traffic does not get sent to the IPSEC Tunnel. When I run ping I can see that the Bytes Tx and Bytes Rx byte count in the result of the show vpn-sessiondb l2l . When I run the Telnet command from the same PC the count does not change which means that the Telnet traffic is not entering the VPN.

Would appreciate any assistance forthcoming.

Re: IPSEC Tunnel Traffic

Seb Rupik — Tue, 21 Nov 2017 08:02:39 GMT

Hi there,

What is the output of:

sh crypto map

If you have more that one crypto map entry, please tell us which index number it is.

cheers,

Seb.

Re: IPSEC Tunnel Traffic

Karsten Iwen — Tue, 21 Nov 2017 08:20:15 GMT

Unless you have a really strange NAT-setup, it's likely that it is related to access-control (on your ASA or a device between the client and the ASA). Simulate the traffic with the packet-tracer and observe the output.

Re: IPSEC Tunnel Traffic

rsatjharman — Tue, 21 Nov 2017 18:41:30 GMT

Hi,
Not really sure which command to run from the CLI however please find
attached a screenshot from the menu

Re: IPSEC Tunnel Traffic

rsatjharman — Tue, 21 Nov 2017 18:53:29 GMT

Result of the command: "sh crypto ipsec sa peer 124.240.212.118"

peer address: 124.240.212.118
Crypto map tag: SMSC, seq num: 1, local addr: 210.7.26.68

access-list outside_cryptomap_7 extended permit ip host 192.168.1.10
host 124.240.212.126
local ident (addr/mask/prot/port): (192.168.1.10/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (
124.240.212.126/255.255.255.255/0/0)
current_peer: 124.240.212.118

#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing
reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 210.7.26.68/0, remote crypto endpt.:
124.240.212.118/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: CD955D7B
current inbound spi : 437B62FD

inbound esp sas:
spi: 0x437B62FD (1132159741)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 1150976, crypto-map: SMSC
sa timing: remaining key lifetime (sec): 3503
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001D
outbound esp sas:
spi: 0xCD955D7B (3449118075)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 1150976, crypto-map: SMSC
sa timing: remaining key lifetime (sec): 3503
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Re: IPSEC Tunnel Traffic

rsatjharman — Tue, 21 Nov 2017 20:26:08 GMT

Hi Karsten,

As it is at the moment the ACL only allows IP and also in the Crypto Map menu only IP is protected however I need to add TCP from 192.168.1.10/any to 124.240.212.126/55019. Have tried this a few times still did not work maybe I am doing something wrong.

Re: IPSEC Tunnel Traffic

rsatjharman — Tue, 21 Nov 2017 20:44:02 GMT

Hi Karsten,

Ran the packet tracer on the inside and outside interface, packet allowed on the inside interface but disallowed on the outside interface

Re: IPSEC Tunnel Traffic

Karsten Iwen — Tue, 21 Nov 2017 21:28:08 GMT

TCP is part of IP, if you have allowed IP there is no need to allow TCP (or UDP or ICMP, ...) in addition.

Re: IPSEC Tunnel Traffic

rsatjharman — Tue, 21 Nov 2017 21:31:09 GMT

Okay so when I run the packet tracer it drops the packet on the outside interface there must be something else that I need to look at

Re: IPSEC Tunnel Traffic

Karsten Iwen — Tue, 21 Nov 2017 21:34:16 GMT

You can't simulate it from outside. And only looking at the result of the inside packet-tracer is not enough. Is NAT doing something unexpected like changing the traffic that it doesn't match any more the crypto-definition? Based on the screenshot it could be something like that.

Re: IPSEC Tunnel Traffic

rsatjharman — Tue, 21 Nov 2017 21:47:29 GMT

Hi Karsten,
Any idea on where to look perhaps printout the NAT
settings etc....I'm stuck here everything else looks okay

Re: IPSEC Tunnel Traffic

Karsten Iwen — Tue, 21 Nov 2017 22:06:45 GMT

There are sections for NAT in the packet-tracer. Showing your NAT-config ("show run nat") could also help.

Re: IPSEC Tunnel Traffic

rsatjharman — Tue, 21 Nov 2017 22:18:30 GMT

Result of the command: "sh run nat"

nat (inside,outside) source static PET_WB PET_WB destination static SMSC
SMSC no-proxy-arp route-lookup
nat (inside,outside) source static WEB_Server interface service any WEBRDP
nat (inside,outside) source static WEB_Server interface service any FTP
nat (inside,outside) source static WEB_Server interface service any HTTP
nat (inside,outside) source static WEB_Server interface service any HTTPS
nat (inside,outside) source static WEB_Server interface service any API
nat (inside,outside) source static WEB_Server interface service any APITEST
nat (inside,outside) source static POSH interface service any POSHRemote
nat (inside,outside) source static POSH interface service any poshSETUP
nat (inside,outside) source static WEB_Server WEB_Server destination static
TPNG TPNG no-proxy-arp route-lookup
nat (any,any) source static TPNG TPNG destination static WEB_Server
WEB_Server no-proxy-arp
!
object network LAN
nat (any,outside) dynamic interface

Re: IPSEC Tunnel Traffic

Karsten Iwen — Tue, 21 Nov 2017 22:48:49 GMT

ok, that's a mess ...

But it seems that you need a NAT-exemption for that traffic at the top of the NAT rules.

Re: IPSEC Tunnel Traffic

rsatjharman — Tue, 21 Nov 2017 23:01:29 GMT

I have cleaned it up as follows -
nat (inside,outside) source static WEB_Server interface service any WEBRDP
nat (inside,outside) source static WEB_Server interface service any FTP
nat (inside,outside) source static WEB_Server interface service any HTTP
nat (inside,outside) source static WEB_Server interface service any HTTPS
nat (inside,outside) source static WEB_Server interface service any API
nat (inside,outside) source static WEB_Server interface service any APITEST
nat (inside,outside) source static POSH interface service any POSHRemote
nat (inside,outside) source static POSH interface service any poshSETUP

object network LAN
nat (any,outside) dynamic interface

What are your suggestions moving forward ????