06-10-2015 08:05 PM - edited 03-11-2019 11:05 PM
Hello,
I understand this topic has been discussed before, but after reading a lot of material I am still stuck. I have an IPFire Linux OpenVPN server running behind my ASA 5520. Essentially, what I have done already to try to redirect or forward the client connections to my OpenVPN server is:
# static (inside, outside) udp interface 1194 10.10.0.2 1194 netmask 255.255.255.255
# access-list from outside extended permit udp any any eq 1194
I know my OpenVPN server works because I connected it directly to my client, bypassing the firewall. I can ping my OpenVPN server across the internet, but for some reason I am unable to connect to it. I have tried creating a couple of other access-list commands to further open the firewall, but at this point I am still lost. Perhaps someone out there has some other ideas or things I can try?
Thanks in advance,
Joe
06-10-2015 10:55 PM
Hi Daniel,
Can you please try with packet-tracer?
'packet-tracer input outside udp 4.2.2.2 12345 10.10.0.2 1194 detail'. Does it show any drop in output?
With this, you can try troubleshooting. Please share the above output if possible.
Let me know if you have any query.
Regards,
Akshay Rastogi
06-11-2015 08:34 AM
Hello Akshay,
Thanks for your interest in this problem. So I just did what you asked, and the output is below:
packet-tracer input outside udp 4.2.2.2 12345 10.10.0.2 1194
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x71402d48, priority=1, domain=permit, deny=false
hits=348428, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.0.0 255.255.0.0 inside
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x71403088, priority=0, domain=permit, deny=true
hits=335870, user_data=0x9, cs_id=0x0, flags=0x1000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
I am not familiar with using this tool, although it seems powerful, but it would appear that the firewall is preventing me from accessing my VPN server, since the last "Action: drop" line shows a drop. Perhaps someone can confirm this?
Thanks again for your help,
Joe
06-11-2015 09:27 AM
Hi,
Actually, you needed to run this tracer:-
packet-tracer input outside udp 4.2.2.2 12345 <Interface IP of Outside interface> 1194 det
Thanks and Regards,
Vibhor Amrodia
06-11-2015 09:58 AM
Hey Vibhor,
So I performed the new trace; the result is below:
packet-tracer input outside udp 4.2.2.2 12345 "Outside IP Address" 1194 det
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) udp interface 1194 10.10.0.2 1194 netmask 255.255.255.255
match udp inside host 10.10.0.2 eq 1194 outside any
static translation to "Outside IP address"/1194
translate_hits = 0, untranslate_hits = 15
Additional Information:
NAT divert to egress interface inside
Untranslate "Outside IP address"/1194 to 10.10.0.2/1194 using netmask 255.255.255.255
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x71403088, priority=0, domain=permit, deny=true
hits=375304, user_data=0x9, cs_id=0x0, flags=0x1000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
06-11-2015 10:01 AM
Hi,
ACL is misconfigured:-
Try to put this line at line 1:-
access-list from outside line 1 extended permit udp any any eq 1194
Thanks and Regards,
Vibhor Amrodia
06-11-2015 10:54 AM
Thanks, Vibhor, for correcting me on this. I mistakenly typed the real IP instead of the interface IP.
Regards,
Akshay Rastogi
06-11-2015 11:11 AM
Hey Vibhor,
Unfortunately, I am still having some ACL issues. I applied the exact rule you mentioned, which was pretty close to what I already had, and I still do not have connectivity.
packet-tracer
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) udp interface 1194 10.10.0.2 1194 netmask 255.255.255.255
match udp inside host 10.10.0.2 eq 1194 outside any
static translation to "Outside IP"/1194
translate_hits = 0, untranslate_hits = 20
Additional Information:
NAT divert to egress interface inside
Untranslate "Outside IP"/1194 to 10.10.0.2/1194 using netmask 255.255.255.255
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x71403088, priority=0, domain=permit, deny=true
hits=401974, user_data=0x9, cs_id=0x0, flags=0x1000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
06-11-2015 11:14 AM
Hi,
I think the packet-tracer command you ran might be incorrect; it should be like this:-
packet-tracer input outside udp 4.2.2.2 12345 "Outside IP Address" 1194 det
Also, can you paste these outputs from the ASA:-
show run access-group
sh run access-list <outside>
Thanks and Regards,
Vibhor Amrodia
06-11-2015 11:43 AM
Vibhor,
I did not get any other new or relevant information from the other commands you suggested. The packet-trace fails and the connection fails. My current rules are:
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
access-list from_outside extended permit udp any any eq 1194
access-list from_outside extended permit icmp any any echo
access-list 101 extended permit udp any interface outside eq 1194
access-list to_inside extended permit udp any host 10.10.0.2 eq 1194
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.10.0.0 255.255.0.0
static (inside,outside) udp interface 1194 10.10.0.2 1194 netmask 255.255.255.255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
policy-map global_policy
class inspection_default
inspect tftp
inspect netbios
inspect sip
inspect xdmcp
inspect sunrpc
inspect skinny
inspect sqlnet
inspect esmtp
inspect rtsp
inspect rsh
inspect h323 ras
inspect ftp
inspect h323 h225
inspect dns preset_dns_map
inspect icmp
!
service-policy global_policy global
06-11-2015 11:50 AM
Hi,
Yes, that is the issue. You have not applied the access group on the Outside interface.
Access-group <acl name> in interface outside.
Thanks and Regards,
Vibhor Amrodia
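As an added example (not part of the thread and not Cisco's own tooling), a small Python check that models the diagnosis above against a config in the pre-8.3 ASA syntax Joe posted: it flags ACLs that are defined but never bound with access-group, and a static port NAT whose mapped interface has no inbound ACL (so traffic hits the implicit deny) or a bound ACL with no permit for the mapped port. The sample config strings and the regexes are constructed for this example; the permit check matches protocol and port only, not destination address.

```python
import re

# Constructed sample modelled on the pre-8.3 ASA config posted in the thread:
# ACLs are defined and the static NAT exists, but no access-group binds an ACL.
SAMPLE_CONFIG = """\
access-list from_outside extended permit udp any any eq 1194
access-list from_outside extended permit icmp any any echo
access-list 101 extended permit udp any interface outside eq 1194
access-list to_inside extended permit udp any host 10.10.0.2 eq 1194
global (outside) 1 interface
nat (inside) 1 10.10.0.0 255.255.0.0
static (inside,outside) udp interface 1194 10.10.0.2 1194 netmask 255.255.255.255
"""
# Same config with the binding the accepted answer asks for.
FIXED_CONFIG = SAMPLE_CONFIG + "access-group from_outside in interface outside\n"

ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.*)$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")
# static (real_if,mapped_if) proto mapped_ip mapped_port real_ip real_port netmask ...
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (tcp|udp) \S+ (\S+) \S+ \S+ netmask")

def parse(config):
    """Collect ACL entries by name, access-group bindings, and static port NATs."""
    acls, bindings, statics = {}, {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((m[2], m[3], m[4]))
        elif m := GROUP_RE.match(line):
            bindings[(m[3], m[2])] = m[1]          # (interface, direction) -> ACL name
        elif m := STATIC_RE.match(line):
            statics.append({"mapped_if": m[2], "proto": m[3], "port": m[4]})
    return acls, bindings, statics

def audit(config):
    """Return findings; an empty list means every static NAT is permitted by policy."""
    acls, bindings, statics = parse(config)
    findings = [f"ACL {name} is defined but never applied with access-group"
                for name in acls if name not in bindings.values()]
    for s in statics:
        acl = bindings.get((s["mapped_if"], "in"))
        if acl is None:
            findings.append(f"static {s['proto']}/{s['port']}: no inbound ACL on "
                            f"{s['mapped_if']}, traffic hits the implicit deny")
            continue
        # Pre-8.3 inbound ACLs match the mapped (outside) address, so a permit for
        # this protocol ending in 'eq <port>' is accepted; address is not checked.
        if not any(action == "permit" and proto == s["proto"]
                   and rest.endswith(f"eq {s['port']}")
                   for action, proto, rest in acls.get(acl, [])):
            findings.append(f"static {s['proto']}/{s['port']}: ACL {acl} on "
                            f"{s['mapped_if']} has no permit for it")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the three unbound ACLs and the unprotected static; `audit(FIXED_CONFIG)` leaves only the two ACLs that are still unbound.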
06-11-2015 12:03 PM
Just to follow up, that was the trick that worked for packet-tracer. Unfortunately, it looks like I have something else not working, but I will investigate. Thanks for your help, Vibhor!
06-11-2015 12:20 PM
Hi,
That's great that it fixed this issue. I would request you to select the appropriate response as the solution for this thread.
Thanks and Regards,
Vibhor Amrodia
06-12-2015 07:04 AM
I will select appropriate response now since I just verified everything works from my home network. For some reason it was being blocked by my work network.
Thanks again for your help!
Joe