topic Re: Site-To_Site_DMZ in Network Security

Site-To_Site_DMZ

Stephen Sisson — Tue, 12 Mar 2019 02:20:46 GMT

Hello all,

I worked with you a few days back on a site-to-site using to 5505 ASA's in a lab before deploying, with your help that is working.

We are moving to deploy into production with some different settings, as the customers site remains the same but we will move from using the local interface nameif inside to our DMZ - first thing is will this work through site-to-site?

We have the ASA on our end configured to use site-to-site through our DMZ interface, we created the ACL, then the NAT, we can't ping anything on their local subnet or they ping our local subnet.

I really need you help to show what I missed or failed to implement

Thank you

Re: Site-To_Site_DMZ

Jouni Forss — Fri, 02 Aug 2013 15:19:41 GMT

Hi,

So I assume that on the ASA PCS-EW-VPN you want to use the "EWVPN" interface instead of "inside"?

Notice that you have to modify the NAT rule there

no nat (inside,outside) source static net-local net-local destination static net-remote net-remote

nat (EWVPN,outside) source static net-local net-local destination static net-remote net-remote

This is because it still has the old source interface. The current rule only applies between "inside" and "outside" interface. Since you want to change the local interface for the VPN you will also have to change the local interface for the NAT configuration.

Also I would suggest changing this NAT configuration also to avoid future problems

no nat (EWVPN,outside) source dynamic any interface

nat (EWVPN,outside) after-auto source dynamic any interface

The configuration I suggest removing is at so high priority that you might have problems in the future if you try to configure some additional NAT rules for interface "EWVPN". So a bit pre-emptive change to the configuration.

- Jouni

Site-To_Site_DMZ

Stephen Sisson — Fri, 02 Aug 2013 15:38:45 GMT

Hello Jouni, I'm very sorry to bother you with this again my friend, really nice to have your expertise...

I made the changes as shown for both NAT's, we still can't ping local network.

I'm running packet tracer on both with ASA -PCS-lab-EW-VPN completes with all green check marks, the ASA-PCS-EW-VPN fails to complete the trace route at VPN.

Thank you

Re: Site-To_Site_DMZ

Jouni Forss — Fri, 02 Aug 2013 15:43:26 GMT

Hi,

Do you mean a "packet-tracer" fails on some ASA or a Traceroute? Traceroute to what?

If you mean "packet-tracer" then can you share the output from the CLI.

- Jouni

Site-To_Site_DMZ

Stephen Sisson — Fri, 02 Aug 2013 15:44:31 GMT

My Bad, should read Packet-tracer

Re: Site-To_Site_DMZ

Marius Gunnerud — Fri, 02 Aug 2013 15:47:03 GMT

In addition to what Jouni has said, you might also need to clear the xlate table to get this working right away instead of having to wait for it to timeout.

Site-To_Site_DMZ

Stephen Sisson — Fri, 02 Aug 2013 15:52:42 GMT

Jouni,

I figured out how to run the Packet-tracer from the command-line as shown below

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (EWVPN,outside) source static net-local net-local destination static net-remote net-remote
Additional Information:
NAT divert to egress interface outside
Untranslate 10.10.10.10/21 to 10.10.10.10/21

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (EWVPN,outside) source static net-local net-local destination static net-remote net-remote
Additional Information:
Static translate 172.16.5.2/21 to 172.16.5.2/21

Phase: 5
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: EWVPN
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Re: Site-To_Site_DMZ

Marius Gunnerud — Fri, 02 Aug 2013 15:57:45 GMT

You will need to run the packet tracer twice. The first time it will show as drop because the VPN tunnel is most likely not up. The first trace will bring the tunnel up, and the second trace should give you the real result of the trace.

Re: Site-To_Site_DMZ

Jouni Forss — Fri, 02 Aug 2013 15:58:54 GMT

Hi,

Can you issue the command twice.

Usually when we have a L2L VPN connection and we use the "packet-tracer" to simulate a packet going to the L2L VPN the first "packet-tracer" will always produce a drop.

So can you issue the command again. Also mention the command used.

Though then again if you have issued a corresponding "packet-tracer" command on the other side and it goes through it doesnt make sense.

In that case you could perhaps try issue this command on both ASAs and then issue the "packet-tracer" commands again.

clear crypto ikev1 sa

- Jouni

Site-To_Site_DMZ

Stephen Sisson — Fri, 02 Aug 2013 16:08:41 GMT

Packet-trace 2 complete - looks good with green check marks - still not able to ping remote local network on either side

PCS-EW-VPN(config)# packet-tracer input EWVPN tcp 172.16.5.2 21 10.10.10.10 21

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (EWVPN,outside) source static net-local net-local destination static net-remote net-remote
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2525, packet dispatched to next module

Result:
input-interface: EWVPN
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Re: Site-To_Site_DMZ

Jouni Forss — Fri, 02 Aug 2013 16:11:32 GMT

Hi,

It doesnt seem to mention a VPN phase.

As if it was just sending the traffic to the Internet.

But on the VPN configurations it seemed to me that the networks matched on each side so there should be some phase.

If you are making configurations through the ASDM I would double check that no essential configurations were removed.

- Jouni

Site-To_Site_DMZ

Stephen Sisson — Fri, 02 Aug 2013 16:16:00 GMT

What should I do - wipe both ASA's then start over?

Re: Site-To_Site_DMZ

Jouni Forss — Fri, 02 Aug 2013 16:22:27 GMT

Hi,

You can try to attach the current configurations to the post.

Naturally if there is a chance that there is just some wierd problem with the ASAs you can save the configuration and reboot both devices since this is still a lab setup.

Though looking through your current CLI format configuration should tell what the problem is.

- Jouni

Site-To_Site_DMZ

Marius Gunnerud — Fri, 02 Aug 2013 16:25:08 GMT

Is this lab setup using GNS3, If so, this can at time be a bit quirky and trashing the whole setup and rebuilding will resolve the problem most of the time.

Site-To_Site_DMZ

Stephen Sisson — Fri, 02 Aug 2013 16:30:52 GMT

Nope , using two brand new ASA's 5505, will deploy them next week - with one at my current location and the other at customer site

Site-To_Site_DMZ

Stephen Sisson — Fri, 02 Aug 2013 16:32:37 GMT

Sure - both ASA rebooted, we still can't ping or use anything like RDP to local network, sending both configs

ASA1

ASA Version 8.4(5)

hostname PCS-lab-EW-VPN

domain-name sccul.org

names

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

switchport access vlan 3

interface Ethernet0/3

interface Ethernet0/4

shutdown

interface Ethernet0/5

shutdown

interface Ethernet0/6

shutdown

interface Ethernet0/7

shutdown

interface Vlan1

nameif inside

security-level 100

ip address 10.10.10.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 209.177.212.103 255.255.255.0

interface Vlan3

nameif EWVPN

security-level 98

ip address 172.16.17.1 255.255.255.0

boot system disk0:/asa845-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup inside

dns server-group DefaultDNS

name-server 8.8.8.8

name-server 4.2.2.1

domain-name sccul.org

object network obj_any

subnet 0.0.0.0 0.0.0.0

description PAT_inside_Outside_on_TW_Circuit

object network net-local

subnet 10.10.10.0 255.255.255.0

object network net-remote

subnet 172.16.5.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip object net-local object net-remote

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu EWVPN 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static net-local net-local destination static net-remote net-remote

object network obj_any

nat (inside,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 209.177.212.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

http server enable

http 10.10.10.0 255.255.255.0 inside

http 172.16.1.0 255.255.255.0 EWVPN

http 70.61.194.0 255.255.255.240 outside

http 209.177.212.0 255.255.255.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside-map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer 70.61.194.178

crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 10.10.10.0 255.255.255.0 inside

telnet timeout 60

ssh 10.10.10.0 255.255.255.0 inside

ssh 209.177.212.0 255.255.255.0 outside

ssh 172.16.1.0 255.255.255.0 EWVPN

ssh timeout 60

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 208.87.104.40 source outside

ntp server 64.113.32.9 source outside

ntp server 50.22.155.163 source outside

webvpn

username ssisson password 1U3WSDowu/mxWWcx encrypted privilege 15

username admin1 password mNquohzwaXofLKzA encrypted privilege 15

tunnel-group 70.61.194.178 type ipsec-l2l

tunnel-group 70.61.194.178 ipsec-attributes

ikev1 pre-shared-key cisco123

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:6865776390ce5bf69108b5f69386eb65

: end

ASA2

ASA Version 8.4(5)

hostname PCS-EW-VPN

domain-name sccul.org

names

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

switchport access vlan 3

interface Ethernet0/3

interface Ethernet0/4

shutdown

interface Ethernet0/5

shutdown

interface Ethernet0/6

shutdown

interface Ethernet0/7

shutdown

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.248 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 70.61.194.178 255.255.255.240

interface Vlan3

nameif EWVPN

security-level 98

ip address 172.16.5.1 255.255.255.0

boot system disk0:/asa845-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup inside

dns server-group DefaultDNS

name-server 8.8.8.8

name-server 4.2.2.1

domain-name sccul.org

object network obj_any

subnet 0.0.0.0 0.0.0.0

description PAT_inside_Outside_on_TW_Circuit

object network net-local

subnet 172.16.5.0 255.255.255.0

object network net-remote

subnet 10.10.10.0 255.255.255.0

access-list EWVPN_access-in extended permit ip any any

access-list outside_1_cryptomap extended permit ip object net-local object net-remote

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu EWVPN 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (EWVPN,outside) source static net-local net-local destination static net-remote net-remote

object network obj_any

nat (inside,outside) dynamic interface

nat (EWVPN,outside) after-auto source dynamic any interface

route outside 0.0.0.0 0.0.0.0 70.61.194.177 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

http 172.16.5.0 255.255.255.0 EWVPN

http 70.61.194.0 255.255.255.240 outside

http 209.177.212.0 255.255.255.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer 209.177.212.103

crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 60

ssh 192.168.1.0 255.255.255.0 inside

ssh 209.177.212.0 255.255.255.0 outside

ssh 172.16.5.0 255.255.255.0 EWVPN

ssh timeout 60

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 208.87.104.40 source outside

ntp server 64.113.32.9 source outside

ntp server 50.22.155.163 source outside

webvpn

username ssisson password 1U3WSDowu/mxWWcx encrypted privilege 15

username admin1 password mNquohzwaXofLKzA encrypted privilege 15

tunnel-group 209.177.212.103 type ipsec-l2l

tunnel-group 209.177.212.103 ipsec-attributes

ikev1 pre-shared-key cisco123

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:bccba008500a803d23f0933a87c0a791

: end

Thank you

Re: Site-To_Site_DMZ

Jouni Forss — Fri, 02 Aug 2013 16:37:19 GMT

Hi,

PCS-EW-VPN ASA is missing a "crypto map" related command

Add this

crypto map outside_map 1 match address outside_1_cryptomap

- Jouni

Site-To_Site_DMZ

Marius Gunnerud — Fri, 02 Aug 2013 16:41:40 GMT

If that doesn't solve it, please provide which license is installed on your ASAs

Site-To_Site_DMZ

Stephen Sisson — Fri, 02 Aug 2013 16:49:14 GMT

Applied the crypto map outside_map 1 match address outside_1_cryptomap to PCS-EW_VPN ASA still not able to ping.

License on both ASA's

Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 20             DMZ Unrestricted
Dual ISPs                         : Enabled        perpetual
VLAN Trunk Ports                  : 8              perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Standby perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 25             perpetual
Total VPN Peers                   : 25             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5505 Security Plus license.

Thank you

Re: Site-To_Site_DMZ

Jouni Forss — Fri, 02 Aug 2013 16:54:22 GMT

Hi,

Can you issue the "packet-tracer" command again on that same ASA unit (twice)

Could you also tell us between which devices are you attempting to ICMP? This cant be done from the ASA directly atleast so I assume that you are ICMP between hosts? Have you confirmed that those hosts are attached to the correct ports and have the correct IP addresses and gateways if you have change the INSIDE -> DMZ for this setup on the other ASA?

I cant see no problem with the configurations at the moment. They should enable the L2L VPN negotiation to go through. But as you saw, you didnt have the configuration above on the other ASA that defines the local and remote networks on the L2L VPN connection so I think the ASDM might have removed that during some configurations.

You can naturally add the following commands on both ASAs for ICMP

fixup protocol icmp

fixup protocol icmp error

Those are old format commands but should convert to "inspect" command

Alternatively you can add them in the following way

policy-map global_policy

class inspection_default

inspect icmp

inspect icmp error

Can the ASAs ping eachothers WAN interfaces at the moment?

When you issue the "packet-tracer" command or have a continuous ICMP from some host behind the "EWVPN" interface or "inside" on the other ASA, what can you see with the command

show crypto ikev1 sa

Try to issue it several times during testing to see what it shows

You could also use the command

show crypto ipsec sa

To view if the Phase2 has gone through and if packets have gone through the L2L VPN in either direction.

There is always a chance that something else than the ASA is stopping the ICMP traffic.

- Jouni