Solved: Re: Stupid Question - Page 2

majedalanni · ‎03-13-2013

Hi, I have the senario below

192.168.1.0/24 (192.168.1.5 log server) firewall(A) --------------tunnel -------switches-------- firewall(B) 192.168.2.0/24

Can I send logs from the switches to the firewall B and then to the firewall(A) via the tunnel with some nating or port forwarding configuration in firewall(B)?

Thanks in advance

Mike

majedalanni · ‎03-25-2013

yes I was able to send the log to the log server but the problem I faced that all the switches using the same internal IP. I tried to send it but not changing the source ip to internal one but that's not work. So I will keep trying or if you can think something help. if that does not work my only solution is to nat each switch to an unique internal ip and send the log to the log server and Identify them by internal IP.

James Leinweber · ‎03-25-2013

If you have configured the "hostname XXX" on the switches that name should be included in the syslog messages.

-- Jim Leinweber

jocamare · ‎03-25-2013

Try it this way:

nat (outside,outside) source static destination static service syslog syslog

This will keep the source IP intact, but you have to make sure to include the addresses of the switches in the Access-lists that define the VPN's interesting traffic, like this:

access-list ISP1_3_cryptomap extended permit ip Firewalla_Private 255.255.255.0

majedalanni · ‎03-26-2013

it doesn't work looks the packet not passing the VPN

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,outside) source static mypc mypc destination static interface server service syslog syslog
Additional Information:
NAT divert to egress interface outside
Untranslate firewallip/514 to logserver/514

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit object syslog object mypc object server
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,outside) source static sw sw destination static interface logserver service syslog syslog

Additional Information:
Static translate sw ip/1065 to firewalla ip/1065

Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

jocamare · ‎03-26-2013

Can you attach the current configuration of the ASA as a reply for this post?

Also, please specify the IP address of the Sw.

majedalanni · ‎03-26-2013

ASA Version 8.4(5)
!
hostname ciscoasa
names
!
interface GigabitEthernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address x.x.x.95 255.255.255.0
!
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 172.25.101.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa845-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NETWORK_OBJ_172.25.101.0_24
subnet 172.25.101.0 255.255.255.0
object network NETWORK_OBJ_172.25.3.0_24
subnet 172.25.3.0 255.255.255.0
object network sw
host x.x.x.247
object network logserver
host 172.25.3.213
object service syslog
service udp destination eq syslog
object network insidepc
host 172.25.101.2

access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 172.25.3.0 255.255.255.0

access-list outside_access_in extended permit object syslog object mypc object server

access-list outside_cryptomap_1 extended permit ip object mypc 172.25.3.0 255.255.255.0

pager lines 24
logging enable
logging asdm notifications
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination inside 172.25.3.53 9996
flow-export template timeout-rate 1
flow-export delay flow-create 60
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (outside,outside) source static sw sw destination static interface logserver service syslog syslog
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no user-identity enable
user-identity default-domain LOCAL
user-identity action ad-agent-down disable-user-identity-rule
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer y.y.y.y
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.25.3.9 source inside prefer
webvpn
group-policy GroupPolicy_y.y.y.y internal
group-policy GroupPolicy_y.y.y.y attributes
vpn-tunnel-protocol ikev1

access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 172.25.3.0 255.255.255.0

access-list outside_access_in extended permit object syslog object sw object logserver
access-list outside_cryptomap_1 extended permit ip object sw 172.25.3.0 255.255.255.0

tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y general-attributes
default-group-policy GroupPolicy_y.y.y.y
tunnel-group y.y.y.y ipsec-attributes
ikev1 pre-shared-key
!
class-map global-class
match any
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class global-class
flow-export event-type all destination 172.25.3.53

jocamare · ‎03-26-2013

Did you specify the interesting traffic on the other endpoint the same way you configured it in your ASA?

Also, provide the output of the "show crypto ipsec sa" command.

majedalanni · ‎03-26-2013

because the packet not passing at all so did not configure the other end

show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.95

      access-list outside_cryptomap extended permit ip 172.25.101.0 255.255.255.0 172.25.3.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.25.101.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.25.3.0/255.255.255.0/0/0)
      current_peer: y.y.y.y

      #pkts encaps: 92, #pkts encrypt: 92, #pkts digest: 92
      #pkts decaps: 28, #pkts decrypt: 28, #pkts verify: 28
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 92, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: x.x.x.95/0, remote crypto endpt.: y.y.y.y/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: D2A20B9F
      current inbound spi : 09309044

    inbound esp sas:
      spi: 0x09309044 (154177604)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 20480, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373998/27395)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x1FFFFFFF
    outbound esp sas:
      spi: 0xD2A20B9F (3533835167)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 20480, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373966/27395)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

jocamare · ‎03-26-2013

The issue is missing configuration on the other end, the output is not showing any SA for traffic coming from the switch, which happens when both units don't have the same interesting traffic configured.

It also explains the reason why it works when we translate the Sw's IP to an internal IP, it works because the side is going to encryp internal IPs, not the Sw's IP.

Makes sense?

majedalanni · ‎03-26-2013

Yes makes sense, will check and update you. if its worked can we do it on version 8.2(5) ?

Thanks

jocamare · ‎03-26-2013

Yes, it's easier in 8.4 though.

majedalanni · ‎03-26-2013

OK, I did it for the 8.2(5) too, looks my main problem was the the other VPN interested traffic!

Thanks a lot for your patient and help

majedalanni · ‎02-27-2014

Hi Again,

Now I have same problem when I switched to IKEv2, if I created the tunnel with protocols IKEv1 and IKEv2, the tunnel for two private network work on IKEv2, but when a switch sends logs the generated tunnel is IKEv1, If I turned off IKEv1 no more logs goes to the Syslog server and no tunnel generated. any idea why is that, is it a bug or IKEv2 limitation that cannot create tunnels when specific port configured?

Thanks in advance

Mike