ASA 5506W Site to Site VPN shared folders blocked

ShadowoftheD
Level 1

Hi,

I'm not really sure if this is a network issue, since I really don't know much about servers, but we have a branch site VPN that has an ASA 5506X. Users can log in from there to the AD; however, they can't seem to find the shared folders deployed like the users here in HQ can. The system guy says to allow ports 139 and 445; however, I'm not really sure where to allow that or if that is the correct action. Although I tested it: when I tried accessing ports 139 and 445 at HQ towards the file server I was able to access them, but here at the branch I failed.

Here are my existing firewall rules in the ASA:

Branch firewall rules.PNG

Has anyone else encountered this?

Thanks

7 Replies

Make sure your AD IP address is included in the crypto ACL and in the identity NAT statement. You can also use the packet-tracer utility to check whether it is working or not. If the traffic is going from the inside network, then:

packet-tracer input inside tcp 192.168.1.20 445 172.16.1.20 445

where 192.168.1.20 is your local address and 172.16.1.20 is the remote address across the VPN tunnel.

please do not forget to rate.

Thanks.

 

Ran the packet trace and it's allowed.

packet trace results.PNG

So this means my firewall rules and NATing are correct, right?

thanks

Can you run this command on the CLI and paste the output?

Run these commands too, and share the output:

show crypto ipsec sa

show crypto ikev2 sa

please do not forget to rate.

Hi, here's the output, that's a lot of information lol

 


show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 100.100.100.100

access-list outside_cryptomap extended permit ip 10.11.240.128 255.255.255.224 10.11.15.192 255.255.255.224
local ident (addr/mask/prot/port): (10.11.240.128/255.255.255.224/0/0)
remote ident (addr/mask/prot/port): (10.11.15.192/255.255.255.224/0/0)
current_peer: 200.200.200.200


#pkts encaps: 4541, #pkts encrypt: 4541, #pkts digest: 4541
#pkts decaps: 6001, #pkts decrypt: 6001, #pkts verify: 6001
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4541, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 100.100.100.100/0, remote crypto endpt.: 200.200.200.200/0
path mtu 1492, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: C4FC2BE7
current inbound spi : 4DB8C388

inbound esp sas:
spi: 0x4DB8C388 (1303954312)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 25925
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC4FC2BE7 (3304860647)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 25925
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: outside_map, seq num: 1, local addr: 100.100.100.100

access-list outside_cryptomap extended permit ip 10.11.240.128 255.255.255.224 10.11.15.224 255.255.255.224
local ident (addr/mask/prot/port): (10.11.240.128/255.255.255.224/0/0)
remote ident (addr/mask/prot/port): (10.11.15.224/255.255.255.224/0/0)
current_peer: 200.200.200.200


#pkts encaps: 77362, #pkts encrypt: 77362, #pkts digest: 77362
#pkts decaps: 93328, #pkts decrypt: 93328, #pkts verify: 93328
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 77362, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 100.100.100.100/0, remote crypto endpt.: 200.200.200.200/0
path mtu 1492, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: C2C1B835
current inbound spi : CD54C578

inbound esp sas:
spi: 0xCD54C578 (3444884856)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 9271
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC2C1B835 (3267475509)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 9271
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: outside_map, seq num: 1, local addr: 100.100.100.100

access-list outside_cryptomap extended permit ip 10.11.240.128 255.255.255.224 10.11.15.64 255.255.255.224
local ident (addr/mask/prot/port): (10.11.240.128/255.255.255.224/0/0)
remote ident (addr/mask/prot/port): (10.11.15.64/255.255.255.224/0/0)
current_peer: 200.200.200.200


#pkts encaps: 5162, #pkts encrypt: 5162, #pkts digest: 5162
#pkts decaps: 5238, #pkts decrypt: 5238, #pkts verify: 5238
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5162, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 100.100.100.100/0, remote crypto endpt.: 200.200.200.200/0
path mtu 1492, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: CFBA2CC0
current inbound spi : E7D3B07F

inbound esp sas:
spi: 0xE7D3B07F (3889410175)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 7976
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xCFBA2CC0 (3485084864)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 7976
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: outside_map, seq num: 1, local addr: 100.100.100.100

access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 10.11.15.224 255.255.255.224
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.11.15.224/255.255.255.224/0/0)
current_peer: 200.200.200.200


#pkts encaps: 2190, #pkts encrypt: 2190, #pkts digest: 2190
#pkts decaps: 3615, #pkts decrypt: 3615, #pkts verify: 3615
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2190, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 100.100.100.100/0, remote crypto endpt.: 200.200.200.200/0
path mtu 1492, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: C2577084
current inbound spi : 2C28D1C9

inbound esp sas:
spi: 0x2C28D1C9 (740872649)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 24877
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC2577084 (3260510340)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 24877
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: outside_map, seq num: 1, local addr: 100.100.100.100

access-list outside_cryptomap extended permit ip 192.168.28.0 255.255.255.240 10.11.15.224 255.255.255.224
local ident (addr/mask/prot/port): (192.168.28.0/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (10.11.15.224/255.255.255.224/0/0)
current_peer: 200.200.200.200


#pkts encaps: 3366, #pkts encrypt: 3366, #pkts digest: 3366
#pkts decaps: 3366, #pkts decrypt: 3366, #pkts verify: 3366
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3366, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 100.100.100.100/0, remote crypto endpt.: 200.200.200.200/0
path mtu 1492, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: C46064D4
current inbound spi : C83B11AA

inbound esp sas:
spi: 0xC83B11AA (3359314346)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 5393
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC46064D4 (3294651604)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 5393
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: outside_map, seq num: 1, local addr: 100.100.100.100

access-list outside_cryptomap extended permit ip 192.168.28.0 255.255.255.240 10.11.241.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.28.0/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (10.11.241.0/255.255.255.0/0/0)
current_peer: 200.200.200.200


#pkts encaps: 11235, #pkts encrypt: 11235, #pkts digest: 11235
#pkts decaps: 7506, #pkts decrypt: 7506, #pkts verify: 7506
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 11235, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 100.100.100.100/0, remote crypto endpt.: 200.200.200.200/0
path mtu 1492, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: CBF1EA9B
current inbound spi : 97C16BC1

inbound esp sas:
spi: 0x97C16BC1 (2546035649)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 7334
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xCBF1EA9B (3421629083)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 7334
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

REMOTE-FW01#

 

 

REMOTE-FW01# show crypto ikev2 sa

There are no IKEv2 SAs
REMOTE-FW01#

 

 

Thanks
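To turn a "show crypto ipsec sa" dump like the one above into a go/no-go check for a single flow, here is an added Python example (my own code, not from this thread or from Cisco). It parses the proxy identities (the crypto ACL line each SA was built from) and the encaps/decaps counters of every SA, finds the SA whose local/remote identities cover a given source and destination address, and classifies the counters. A flow with no covering SA is simply not in the crypto ACL on this side, so it is never encrypted, which is the "AD address in the crypto ACL and identity NAT" point made earlier in the thread; an SA with encaps but zero decaps means this side sends into the tunnel and nothing comes back, which points at the peer's crypto ACL, NAT, or a host firewall on the server. The sample output is a constructed, trimmed excerpt that reuses the prefixes from the posted output; the counters of the second SA are made up to show the one-way case. The packet-tracer helper only builds the command string in the form used in the earlier reply; it does not talk to an ASA.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a trimmed excerpt in the format of the posted
# "show crypto ipsec sa" output. Prefixes come from the post; the counters
# of the second SA are made up to show the encrypt-only (one-way) case.
SAMPLE_OUTPUT = """\
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 100.100.100.100

access-list outside_cryptomap extended permit ip 10.11.240.128 255.255.255.224 10.11.15.192 255.255.255.224
local ident (addr/mask/prot/port): (10.11.240.128/255.255.255.224/0/0)
remote ident (addr/mask/prot/port): (10.11.15.192/255.255.255.224/0/0)
current_peer: 200.200.200.200

#pkts encaps: 4541, #pkts encrypt: 4541, #pkts digest: 4541
#pkts decaps: 6001, #pkts decrypt: 6001, #pkts verify: 6001

Crypto map tag: outside_map, seq num: 1, local addr: 100.100.100.100

access-list outside_cryptomap extended permit ip 192.168.28.0 255.255.255.240 10.11.241.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.28.0/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (10.11.241.0/255.255.255.0/0/0)
current_peer: 200.200.200.200

#pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

IDENT_RE = re.compile(r"^(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/\d+/\d+\)")
PEER_RE = re.compile(r"^current_peer: (\S+)")
ENCAPS_RE = re.compile(r"^#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"^#pkts decaps: (\d+)")


@dataclass
class IpsecSa:
    """One IPsec SA: its proxy identities (crypto ACL line) and counters."""
    local_net: ipaddress.IPv4Network
    remote_net: ipaddress.IPv4Network
    peer: str = ""
    encaps: int = 0   # packets this ASA encrypted and sent into the tunnel
    decaps: int = 0   # packets received from the peer and decrypted


def parse_ipsec_sa(text: str) -> List[IpsecSa]:
    """Parse 'show crypto ipsec sa' output into one IpsecSa per SA block."""
    entries: List[IpsecSa] = []
    cur: Optional[IpsecSa] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = IDENT_RE.match(line)
        if m:
            side, addr, mask = m.groups()
            net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
            if side == "local":          # a "local ident" line starts a new SA block
                cur = IpsecSa(local_net=net, remote_net=net)
                entries.append(cur)
            elif cur is not None:
                cur.remote_net = net
            continue
        if cur is None:
            continue
        for regex, attr in ((PEER_RE, "peer"), (ENCAPS_RE, "encaps"), (DECAPS_RE, "decaps")):
            m = regex.match(line)
            if m:
                setattr(cur, attr, m.group(1) if attr == "peer" else int(m.group(1)))
                break
    return entries


def find_sa(entries: List[IpsecSa], src_ip: str, dst_ip: str) -> Optional[IpsecSa]:
    """Return the SA whose proxy identities cover src -> dst, or None."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for sa in entries:
        if src in sa.local_net and dst in sa.remote_net:
            return sa
    return None


def diagnose(entries: List[IpsecSa], src_ip: str, dst_ip: str) -> str:
    """Classify a flow from this ASA's side using the SA counters."""
    sa = find_sa(entries, src_ip, dst_ip)
    if sa is None:
        return "no-proxy-identity"   # not in this side's crypto ACL (or NAT rewrote it)
    if sa.encaps and sa.decaps:
        return "bidirectional"       # tunnel carries both directions; look elsewhere
    if sa.encaps:
        return "encrypt-only"        # we send, nothing returns: peer ACL/NAT or host firewall
    if sa.decaps:
        return "decrypt-only"        # peer sends, we never answer into the tunnel
    return "idle"                    # SA exists but has carried nothing yet


def packet_tracer_command(src_ip: str, dst_ip: str, port: int = 445) -> str:
    """Build the packet-tracer line in the form used in the earlier reply."""
    return f"packet-tracer input inside tcp {src_ip} {port} {dst_ip} {port}"


if __name__ == "__main__":
    sas = parse_ipsec_sa(SAMPLE_OUTPUT)
    for flow in (("10.11.240.130", "10.11.15.200"), ("192.168.28.5", "10.11.241.10"),
                 ("10.11.240.130", "10.11.241.10")):
        print(flow, diagnose(sas, *flow), "->", packet_tracer_command(*flow))
```

Run it against a saved copy of the real output (the parser ignores the SPI, lifetime and anti-replay lines it does not need) and feed it the branch user's address and the file server's address; "no-proxy-identity" on either ASA, or "encrypt-only" on the branch ASA, localises the problem to the VPN configuration, while "bidirectional" means the tunnel is passing the flow and the block is on the server side, exactly the split the later replies in this thread make.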

Your VPN looks healthy, up and running. I also noted you are running IKEv1.

You have not sent the output of the packet tracer.

please do not forget to rate.

Cristian Matei
VIP Alumni

Hi,

 

If your IPsec tunnel is up and functional, IP traffic is allowed to flow through the tunnel (crypto ACL and possible VPN filters), and traffic through the tunnel is working normally except for this specific flow, do the following, assuming the setup is as follows:

 

       Server-------(in)ASA1(out)-----------Internet----------(out)ASA2(in)-------User

 

Perform a packet capture on ASA1 and ASA2 on the inside interfaces, facing your network, for this specific flow. Post the captures here in PCAP format; also, while you initiate the connection, on both ASAs look with "show conn long ...." and match on the proper IPs in order to see the state of the session in the ASA firewall.

 

 

Regards,

Cristian Matei.

bhargavdesai
Spotlight

Do you have any host-based firewall/antivirus on the server? Please check that. Your VPN seems good as per your information. You can run packet-tracer from both ASAs for your confirmation. Moreover, make sure you have not restricted traffic on the VPN tunnel with VPN filters.

H2H
### RATE ALL HELPFUL RESPONSES ###