12-15-2013 05:46 PM - edited 03-11-2019 08:18 PM
I'm out of ideas as to why I can't get traffic into my IPSEC tunnel. When I create 'interesting' traffic, the tunnel comes up just fine and Phase-2 completes just fine. When I send a packet with SRC=192.168.27.11 and DST=192.168.4.160 and port= TCP/21, I always get the following error:
Inbound TCP connection denied from 192.168.27.11/4467 to 192.168.4.160/21 Flag SYN on Interface EXT-FTP
What am I doing wrong?
==============================================
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.12.13 08:52:04 =~=~=~=~=~=~=~=~=~=~=~=
DASS-VPN# show run
: Saved
:
ASA Version 8.2(1)
!
hostname DASS-VPN
domain-name dass
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxx encrypted
names
name 192.168.6.115 Remote_FTP1
name 192.168.6.116 Remote_FTP2
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.28.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 123.123.123.123 255.255.254.0
!
interface Vlan3
nameif DMZ
security-level 50
ip address 192.168.1.2 255.255.255.0
!
interface Vlan4
nameif LEO-GEO_LUT
security-level 80
ip address 192.168.29.1 255.255.255.0
!
interface Vlan5
nameif EXT-FTP
security-level 70
ip address 192.168.27.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport access vlan 4
!
interface Ethernet0/5
switchport access vlan 3
speed 100
duplex full
!
interface Ethernet0/6
switchport access vlan 5
speed 100
duplex full
!
interface Ethernet0/7
!
banner login This computer is for authorized users only. By accessing this system you are
banner login consenting to complete monitoring with no expectation of privacy. Unauthorized access or use may
banner login subject you to disciplinary action and criminal prosecution.
banner motd This computer is for authorized users only. By accessing this system you are
banner motd consenting to complete monitoring with no expectation of privacy. Unauthorized access or use may
banner motd subject you to disciplinary action and criminal prosecution.
ftp mode passive
dns server-group DefaultDNS
domain-name dass
object-group service HP-Print tcp
port-object eq 9100
object-group service KACE-AMP tcp
port-object eq 52230
object-group service RDP tcp
port-object eq 3389
access-list toTSI extended permit ip 192.168.28.0 255.255.255.128 10.25.0.0 255.255.255.0
access-list exclude_from_nat extended permit ip 192.168.28.0 255.255.255.128 10.25.0.0 255.255.255.0
access-list exclude_from_nat extended permit ip 192.168.28.0 255.255.255.0 192.168.29.0 255.255.255.0
access-list exclude_from_nat extended permit ip 192.168.28.0 255.255.255.0 192.168.27.0 255.255.255.0
access-list exclude_from_nat extended permit ip host 192.168.28.74 host 192.168.4.160
access-list exclude_from_nat extended permit ip host 192.168.28.72 host Remote_FTP1
access-list exclude_from_nat extended permit ip host 192.168.28.72 host Remote_FTP2
access-list toRemote extended permit ip host 192.168.28.74 host 192.168.4.160
access-list toRemote extended permit ip host 192.168.27.11 host 192.168.4.160
access-list toRemote extended permit ip host 192.168.28.72 host Remote_FTP1
access-list toRemote extended permit ip host 192.168.28.72 host Remote_FTP2
access-list tsi_policy extended permit tcp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.128 eq pcanywhere-data
access-list tsi_policy extended permit udp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.128 eq pcanywhere-status
access-list tsi_policy extended permit tcp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.0 eq 3389
access-list tsi_policy extended permit tcp 10.25.0.0 255.255.255.0 host 192.168.28.71 eq 1433
access-list tsi_policy extended permit icmp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.128 echo-reply
access-list tsi_policy extended permit icmp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.128 echo
access-list Remote_vpn_filter extended permit tcp host 192.168.4.160 host 192.168.28.74 eq ftp
access-list Remote_vpn_filter extended permit tcp host 192.168.4.160 host 192.168.27.11 eq ftp
access-list Remote_vpn_filter extended permit tcp host Remote_FTP2 host 192.168.28.72 eq ftp
access-list Remote_vpn_filter extended permit tcp host Remote_FTP2 eq ftp host 192.168.28.72
access-list Remote_vpn_filter extended permit tcp host Remote_FTP1 host 192.168.28.72 eq ftp
access-list Remote_vpn_filter extended permit tcp host Remote_FTP1 eq ftp host 192.168.28.72
access-list outside_access_in remark Allow HTTPS access to Packet Data Server (SRV3)
access-list outside_access_in extended permit tcp 123.123.0.0 255.255.0.0 host 123.123.188.40 eq ftp
access-list outside_access_in extended permit tcp host 123.123.166.209 host 123.123.123.123 eq https
access-list outside_access_in extended permit tcp 124.124.50.0 255.255.255.0 host 123.123.123.123 eq https log
access-list outside_access_in extended permit tcp 124.124.49.0 255.255.255.0 host 123.123.123.123 eq https log
access-list outside_access_in extended permit tcp 124.124.48.0 255.255.255.0 host 123.123.123.123 eq https log
access-list outside_access_in extended permit tcp host 123.123.167.110 host 123.123.123.123 eq ssh
access-list outside_access_in extended permit tcp 124.124.47.0 255.255.255.0 host 123.123.123.123 eq https log
access-list outside_access_in extended permit tcp host 123.123.166.209 host 123.123.123.123 eq ssh
access-list outside_access_in extended permit tcp 128.154.224.0 255.255.224.0 host 123.123.123.123 eq https log
access-list outside_access_in extended permit tcp host 123.123.166.209 host 123.123.188.40 object-group RDP
access-list outside_access_in extended permit tcp host 123.123.213.189 host 123.123.188.40 object-group RDP
access-list outside_access_in extended permit tcp host 123.123.232.102 host 123.123.188.40 object-group RDP
access-list outside_access_in extended permit tcp host 123.123.232.184 host 123.123.188.40 object-group RDP
access-list DMZ_access_in remark Allows traffic inbound from frame-relay
access-list DMZ_access_in extended permit tcp host 192.168.4.160 host 192.168.28.74 eq ftp
access-list DMZ_access_in extended permit tcp host 192.168.4.160 host 192.168.27.11 eq ftp
access-list DMZ_access_in extended permit ip 192.168.29.0 255.255.255.0 192.168.28.0 255.255.255.0
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit ip any any
access-list inside_access_in remark Allows traffic into ASA from Inside
access-list inside_access_in extended permit tcp host 192.168.28.74 host 192.168.4.160 eq ftp
access-list inside_access_in extended permit tcp host 192.168.28.74 192.168.29.0 255.255.255.0 eq ftp
access-list inside_access_in extended permit tcp any host 123.123.244.132 object-group KACE-AMP
access-list inside_access_in extended permit tcp host 192.168.28.100 host 192.168.27.11 eq ftp
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list FTP-test remark For testing FTP packets
access-list FTP-test extended permit tcp host 192.168.28.72 host 192.168.4.160
access-list NEO-GEO_LUT-in remark allows traffic out of NEO-GEO net
access-list NEO-GEO_LUT-in extended permit udp any host 123.123.244.173 eq domain
access-list NEO-GEO_LUT-in extended permit udp any host 123.123.50.17 eq domain
access-list NEO-GEO_LUT-in extended permit udp any host 123.123.10.134 eq domain
access-list NEO-GEO_LUT-in extended permit tcp any host 192.168.28.143 object-group HP-Print
access-list NEO-GEO_LUT-in extended permit tcp host 192.168.29.21 host 192.168.27.11 eq ftp
access-list NEO-GEO_LUT-in extended permit tcp host 192.168.29.23 host 192.168.27.11 eq ftp
access-list NEO-GEO_LUT-in extended permit tcp host 192.168.29.11 host 192.168.27.11 eq ftp
access-list NEO-GEO_LUT-in extended permit tcp host 192.168.29.13 host 192.168.27.11 eq ftp
access-list NEO-GEO_LUT-in extended permit tcp host 192.168.29.13 host 192.168.28.74 eq ftp
access-list NEO-GEO_LUT-in extended permit tcp host 192.168.29.11 host 192.168.28.74 eq ftp
access-list NEO-GEO_LUT-in extended permit tcp host 192.168.29.23 host 192.168.28.74 eq ftp
access-list NEO-GEO_LUT-in extended permit tcp host 192.168.29.21 host 192.168.28.74 eq ftp
access-list NEO-GEO_LUT-in extended deny ip any 192.168.28.0 255.255.255.0
access-list NEO-GEO_LUT-in extended permit ip any any
access-list EXT-FTP-in extended permit tcp host 192.168.27.11 host 192.168.4.160 eq ftp
access-list EXT-FTP-in remark allows traffic out of EXT-FTP network
access-list EXT-FTP-in extended permit ip any any
access-list SAR-no-nat extended permit ip 192.168.28.0 255.255.255.0 192.168.29.0 255.255.255.0
access-list LUT-no-nat extended permit ip 192.168.29.0 255.255.255.0 192.168.27.0 255.255.255.0
access-list LUT-no-nat extended permit ip 192.168.29.0 255.255.255.0 192.168.28.0 255.255.255.0
access-list FTP-no-nat extended permit ip 192.168.27.0 255.255.255.0 192.168.28.0 255.255.255.0
access-list FTP-no-nat extended permit ip 192.168.27.0 255.255.255.0 192.168.29.0 255.255.255.0
access-list FTP-no-nat extended permit ip 192.168.27.0 255.255.255.0 host 192.168.4.160
access-list DMZ-no-nat extended permit ip host 192.168.4.160 host 192.168.28.74
access-list DMZ-no-nat extended permit ip host 192.168.4.160 host 192.168.27.11
pager lines 24
logging enable
logging timestamp
logging monitor informational
logging trap informational
logging history notifications
logging asdm informational
logging facility 16
logging device-id hostname
logging host outside 123.123.195.171
logging host outside 123.123.167.138
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
mtu LEO-GEO_LUT 1500
mtu EXT-FTP 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any unreachable outside
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list exclude_from_nat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list DMZ-no-nat
nat (LEO-GEO_LUT) 0 access-list LUT-no-nat
nat (LEO-GEO_LUT) 1 0.0.0.0 0.0.0.0
nat (EXT-FTP) 0 access-list FTP-no-nat
nat (EXT-FTP) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https 192.168.28.74 https netmask 255.255.255.255
static (EXT-FTP,outside) 123.123.188.40 192.168.27.11 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
access-group NEO-GEO_LUT-in in interface LEO-GEO_LUT
access-group EXT-FTP-in in interface EXT-FTP
route outside 0.0.0.0 0.0.0.0 123.123.188.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable 65000
http 192.168.28.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map DassVPN 500 match address toRemote
crypto map DassVPN 500 set pfs
crypto map DassVPN 500 set peer 10.10.10.10
crypto map DassVPN 500 set transform-set ESP-3DES-MD5
crypto map DassVPN 1000 match address toTSI
crypto map DassVPN 1000 set pfs
crypto map DassVPN 1000 set peer 11.11.11.11
crypto map DassVPN 1000 set transform-set ESP-DES-MD5
crypto map DassVPN interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 500
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 1000
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 1000
telnet timeout 60
ssh 192.168.28.0 255.255.255.0 inside
ssh xxxxxxxxxxxxxx 255.255.255.255 outside
ssh xxxxxxxxxxxxxxxx 255.255.255.255 outside
ssh xxxxxxxxxxxxxxxxxxx 255.255.255.255 outside
ssh timeout 60
console timeout 60
dhcpd ping_timeout 750
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.28.50 source inside prefer
tftp-server inside 192.168.28.72 DASS-ASA-Config_yyyy-mm-dd.txt
webvpn
group-policy RemotePolicy internal
group-policy RemotePolicy attributes
vpn-filter value Remote_vpn_filter
vpn-tunnel-protocol IPSec
group-policy TSIPolicy internal
group-policy TSIPolicy attributes
vpn-filter value tsi_policy
vpn-tunnel-protocol IPSec
username xxxxxxxxxxxxxxx password xxxxxxxxxxxxxxxxxx encrypted privilege 15
tunnel-group 11.11.11.11 type ipsec-l2l
tunnel-group 11.11.11.11 general-attributes
default-group-policy TSIPolicy
tunnel-group 11.11.11.11 ipsec-attributes
pre-shared-key *
tunnel-group 10.10.10.10 type ipsec-l2l
tunnel-group 10.10.10.10 general-attributes
default-group-policy RemotePolicy
tunnel-group 10.10.10.10 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:fef923d5e39c88463a4148373980aea0
: end
DASS-VPN#
12-17-2013 01:27 PM
Here's something interesting... When I look up the error number on the following error, which I'm re-quoting, it doesn't seem to be an error where traffic is being dropped via an ACL; it's an error where something's being prevented by policy... Google indicates that it may be something not working properly with the NAT or no-NAT config surrounding my SRC and DST...
ASA-2-106001 Inbound TCP connection denied from 192.168.27.11/1178 to 192.168.4.160/21 flags SYN on interface EXT-FTP
12-18-2013 01:15 PM
Can someone say whether these two statements are to blame? Which one wins out?
nat (EXT-FTP) 0 access-list FTP-no-nat
static (EXT-FTP,outside) 123.123.188.40 192.168.27.11 netmask 255.255.255.255
12-18-2013 01:52 PM
In answer to your specific question, the first one wins out, which is what you want, i.e. from the 8.2 config guide:
The ASA matches real addresses to NAT commands in the following order:
1. NAT exemption (nat 0 access-list)—In order, until the first match. Identity NAT is not included in this category; it is included in the regular static NAT or regular NAT category. We do not recommend overlapping addresses in NAT exemption statements because unexpected results can occur.
2. Static NAT and Static PAT (regular and policy) (static)—In order, until the first match. Static identity NAT is included in this category.
3. Policy dynamic NAT (nat access-list)—In order, until the first match. Overlapping addresses are allowed.
4. Regular dynamic NAT (nat)—Best match. Regular identity NAT is included in this category. The order of the NAT commands does not matter; the NAT statement that best matches the real address is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an interface. If you want to translate a subset of your network (10.1.1.1) to a different address, then you can create a statement to translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the real address best. We do not recommend using overlapping statements; they use more memory and can slow the performance of the ASA.
So your NAT exemption is the first in the list so it should be working.
I can't see anything wrong with your config. Do the hosts in the EXT-FTP subnet need to talk to any other subnets other than outside? I ask because a quick test may be to remove the ACL and retest. The VPN is accessible via the outside interface, so traffic will be allowed without an ACL for that, but obviously not to any interface with a higher security level.
Jon
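The lookup order Jon quotes is easy to get wrong by eye, so here is an added Python model of it (not Cisco's code and not from the thread). It walks the four categories in the documented order: NAT exemption in configuration order, then static, then policy dynamic NAT in order, then regular dynamic NAT by longest prefix. The rule set is copied from the EXT-FTP statements in the posted config; the `nat id 2` rule covering 192.168.27.64/26 is a constructed addition that exists only to show best-match selection, and the 198.51.100.7 destination is a constructed Internet address.

```python
"""Model of the ASA 8.2 NAT lookup order (added illustration, not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

Net = ipaddress.IPv4Network
AceNets = Tuple[Net, Net]          # (source network, destination network)


def _parse_net(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Consume one ASA address spec ('any', 'host A', or 'A MASK') at tokens[i]."""
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2


def parse_ip_ace(line: str) -> AceNets:
    """Parse 'access-list NAME extended permit ip SRC DST' into two networks."""
    tok = line.split()
    i = tok.index("permit") + 2      # skip 'permit' and the protocol keyword
    src, i = _parse_net(tok, i)
    dst, _ = _parse_net(tok, i)
    return src, dst


@dataclass
class Exempt:        # nat (IFACE) 0 access-list ACL
    iface: str
    acl: str
    aces: List[AceNets]


@dataclass
class Static:        # static (IFACE,outside) MAPPED REAL netmask MASK
    iface: str
    mapped: str
    real: Net


@dataclass
class PolicyNat:     # nat (IFACE) ID access-list ACL  (none in the posted config)
    iface: str
    nat_id: int
    aces: List[AceNets]


@dataclass
class DynamicNat:    # nat (IFACE) ID REAL MASK
    iface: str
    nat_id: int
    real: Net


def nat_lookup(rules: list, iface: str, src: str, dst: str) -> str:
    """Return which NAT statement the ASA would apply to real src -> dst on iface."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. NAT exemption: in order, until the first ACE matches both src and dst
    for r in rules:
        if isinstance(r, Exempt) and r.iface == iface:
            for n, (sn, dn) in enumerate(r.aces, 1):
                if s in sn and d in dn:
                    return f"nat-exempt ({r.acl} line {n})"
    # 2. Static NAT/PAT: in order, first statement whose real address covers src
    for r in rules:
        if isinstance(r, Static) and r.iface == iface and s in r.real:
            return f"static -> {r.mapped}"
    # 3. Policy dynamic NAT: in order, first ACE match
    for r in rules:
        if isinstance(r, PolicyNat) and r.iface == iface:
            if any(s in sn and d in dn for sn, dn in r.aces):
                return f"policy nat id {r.nat_id}"
    # 4. Regular dynamic NAT: configuration order is irrelevant, longest prefix wins
    best = None
    for r in rules:
        if isinstance(r, DynamicNat) and r.iface == iface and s in r.real:
            if best is None or r.real.prefixlen > best.real.prefixlen:
                best = r
    if best is not None:
        return f"dynamic nat id {best.nat_id} ({best.real})"
    return "no NAT statement matched"


# Copied from the posted config (EXT-FTP interface only)
FTP_NO_NAT = [
    "access-list FTP-no-nat extended permit ip 192.168.27.0 255.255.255.0 192.168.28.0 255.255.255.0",
    "access-list FTP-no-nat extended permit ip 192.168.27.0 255.255.255.0 192.168.29.0 255.255.255.0",
    "access-list FTP-no-nat extended permit ip 192.168.27.0 255.255.255.0 host 192.168.4.160",
]
RULES = [
    Exempt("EXT-FTP", "FTP-no-nat", [parse_ip_ace(l) for l in FTP_NO_NAT]),
    Static("EXT-FTP", "123.123.188.40", ipaddress.ip_network("192.168.27.11/32")),
    DynamicNat("EXT-FTP", 1, ipaddress.ip_network("0.0.0.0/0")),
    # Constructed rule, NOT in the posted config: narrower dynamic NAT to show best match
    DynamicNat("EXT-FTP", 2, ipaddress.ip_network("192.168.27.64/26")),
]

if __name__ == "__main__":
    for src, dst in [("192.168.27.11", "192.168.4.160"),   # the thread's tunnel flow
                     ("192.168.27.11", "198.51.100.7"),    # same host, Internet-bound
                     ("192.168.27.50", "198.51.100.7"),
                     ("192.168.27.70", "198.51.100.7")]:
        print(f"{src} -> {dst}: {nat_lookup(RULES, 'EXT-FTP', src, dst)}")
```

Run against the thread's own flow, the model lands on `nat-exempt (FTP-no-nat line 3)`, which is the same hit the later packet-tracer output records in its NAT-EXEMPT phase: the exemption is consulted before the static, so the `static (EXT-FTP,outside)` line only comes into play for destinations the exemption ACL does not name.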
12-19-2013 06:00 AM
@jon.marshal -- the EXT-FTP hosts need to talk to the "inside" and 'LEO-GEO_LUT' segments. I was thinking of removing the ACL protecting the EXT-FTP subnet & testing... Another posting on another site said that I need to use the 'same-security-traffic' commands as a work-around, because there's a bug with 8.3 that might also be affecting my 8.2(1) OS, in not allowing this traffic to move. So maybe we're looking at, "the config is fine & this SHOULD work...." --but there's a bug that requires a work-around.
12-19-2013 06:03 AM
So maybe we're looking at, "the config is fine & this SHOULD work...." --but there's a bug that requires a work-around.
It could well be. Your config looks spot on to me and I can't see why it wouldn't work. It definitely isn't the NAT statements; I think the EXT-FTP is just dropping the traffic for some reason even though you have a permit ip any any in your ACL.
Jon
12-19-2013 06:37 AM
I just tried the following two commands, w/o beneficial impact. Still get the error.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
I bounced the IPSEC tunnel & still get the error. I'm running 8.2(1) code. The remote side is running 8.4(4)1. The remote side can reach *in* toward me thru the tunnel, but I can't reach out:
SRC: 192.168.4.160
DST: 192.168.27.11............works fine
SRC: 192.168.27.11
DST: 192.168.4.160............denied.
BTW -- found out day-before-yesterday, that this ASA has no paid SmartNet contract. Yay. Grassroots support for me...
12-19-2013 08:33 AM
Here's the packet-tracer debug output. It indicates an ACL-drop, but how/why/where?
DASS-VPN# $ tcp 192.168.27.11 1024 192.168.4.160 ftp detail
DASS-VPN# packet-tracer input EXT-FTP tcp 192.168.27.11 1024 192.168.4.160 ftp$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc97893c0, priority=1, domain=permit, deny=false
hits=1748609, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group EXT-FTP-in in interface EXT-FTP
access-list EXT-FTP-in extended permit tcp host 192.168.27.11 host 192.168.4.160 eq ftp
access-list EXT-FTP-in remark allows traffic out of EXT-FTP network
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca374b68, priority=12, domain=permit, deny=false
hits=292, user_data=0xc78e3af0, cs_id=0x0, flags=0x0, protocol=6
src ip=192.168.27.11, mask=255.255.255.255, port=0
dst ip=192.168.4.160, mask=255.255.255.255, port=21, dscp=0x0
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc978bbd0, priority=0, domain=permit-ip-option, deny=true
hits=61409, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect ftp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca101648, priority=70, domain=inspect-ftp, deny=false
hits=623, user_data=0xca1001d8, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=21, dscp=0x0
Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip EXT-FTP 192.168.27.0 255.255.255.0 outside host 192.168.4.160
NAT exempt
translate_hits = 589, untranslate_hits = 5
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca355a68, priority=6, domain=nat-exempt, deny=false
hits=589, user_data=0xca3559a8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=192.168.27.0, mask=255.255.255.0, port=0
dst ip=192.168.4.160, mask=255.255.255.255, port=0, dscp=0x0
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
static (EXT-FTP,outside) 123.123.188.40 192.168.27.11 netmask 255.255.255.255
match ip EXT-FTP host 192.168.27.11 outside any
static translation to 123.123.188.40
translate_hits = 4341, untranslate_hits = 101896
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca373470, priority=5, domain=nat, deny=false
hits=6664, user_data=0xca34e4e0, cs_id=0x0, flags=0x0, protocol=0
src ip=192.168.27.11, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (EXT-FTP,outside) 123.123.188.40 192.168.27.11 netmask 255.255.255.255
match ip EXT-FTP host 192.168.27.11 outside any
static translation to 123.123.188.40
translate_hits = 4341, untranslate_hits = 101896
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca107068, priority=5, domain=host, deny=false
hits=63395, user_data=0xca34e4e0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.27.11, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 10
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca345cf0, priority=0, domain=host-limit, deny=false
hits=6824, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xca2a0f88, priority=70, domain=encrypt, deny=false
hits=2, user_data=0xb27af5c, cs_id=0xc9677ef0, reverse, flags=0x0, protocol=0
src ip=192.168.27.11, mask=255.255.255.255, port=0
dst ip=192.168.4.160, mask=255.255.255.255, port=0, dscp=0x0
Phase: 12
Type: ACCESS-LIST
Subtype: ipsec-user
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xc96b8a10, priority=69, domain=ipsec-user, deny=true
hits=2, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=192.168.27.11, mask=255.255.255.255, port=0
dst ip=192.168.4.160, mask=255.255.255.255, port=0, dscp=0x0
Result:
input-interface: EXT-FTP
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
12-19-2013 10:07 AM
Can you post config for the remote side ?
Jon
12-19-2013 10:18 AM
The remote-side config is controlled by another company, and they won't be sharing any of their config unfortunately, BUT:
I removed the line indicated below, and it works now. I put it back in, and it breaks... I got desperate, and put the flow into "Remote_vpn_filter" in both directions, in case I had it wrong... and that still didn't fix it. I don't know WHY this fixed it but it did...
group-policy RemotePolicy internal
group-policy RemotePolicy attributes
vpn-filter value Remote_vpn_filter <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
vpn-tunnel-protocol IPSec
ACL is:
access-list Remote_vpn_filter line 1 extended permit tcp host 192.168.4.160 host 192.168.28.74 eq ftp (hitcnt=1) 0x5b469ada
access-list Remote_vpn_filter line 2 extended permit tcp host 192.168.4.160 host 192.168.27.11 eq ftp (hitcnt=5) 0xcb381146
access-list Remote_vpn_filter line 3 extended permit tcp host 192.168.28.74 host 192.168.4.160 eq ftp (hitcnt=0) 0xbf735660
access-list usmcc_vpn_filter line 4 extended permit tcp host 192.168.27.11 host 192.168.4.160 eq ftp (hitcnt=0) 0x14cdd13d
12-19-2013 10:23 AM
access-list Remote_vpn_filter line 1 extended permit tcp host 192.168.4.160 host 192.168.28.74 eq ftp (hitcnt=1) 0x5b469ada
access-list Remote_vpn_filter line 2 extended permit tcp host 192.168.4.160 host 192.168.27.11 eq ftp (hitcnt=5) 0xcb381146
access-list Remote_vpn_filter line 3 extended permit tcp host 192.168.28.74 host 192.168.4.160 eq ftp (hitcnt=0) 0xbf735660
access-list usmcc_vpn_filter line 4 extended permit tcp host 192.168.27.11 host 192.168.4.160 eq ftp (hitcnt=0) 0x14cdd13d
Is that last line a typo, i.e. it references a completely different ACL?
Jon
12-19-2013 10:30 AM
Oops... you caught me... 'usmcc_vpn_filter' is the actual un-cleansed name. For the sake of consistency, all the ACL lines in the above comment should read "Remote_vpn_filter".
12-19-2013 10:50 AM
edited
12-19-2013 10:52 AM
Have a read of this thread -
https://supportforums.cisco.com/thread/2074626
It seems as though you should be able to use a vpn filter at just one end with the correct config ie.
access-list remote permit tcp host 192.168.4.160 host 192.168.27.11 eq ftp
access-list remote permit tcp host 192.168.4.160 eq ftp host 192.168.27.11
but that thread seems to be suggesting you need to configure both peers with equivalent vpn filters. So the above doesn't work.
Interestingly the vpn filter was originally only used for remote access vpns. So they may not be the best solution ie. see the last post in the thread above.
Jon
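To make the direction issue in the two posts above concrete, here is an added Python model of how a vpn-filter ACL is evaluated; it is not code from the thread or from Cisco. It assumes the semantics the ASA documentation describes and that Jon's suggested lines rely on: every ACE is written with the remote (tunnel) side as source and the local side as destination, and the one ACL is applied in both directions, so for a connection the local side initiates the ASA matches with source and destination swapped. That swap is why the remote server's port has to sit in the ACE's source-port position (`host REMOTE eq ftp host LOCAL`) for a locally initiated FTP control connection. Only the `host ... host ...` form used on this page is parsed; the ACL is the posted Remote_vpn_filter with the `name` entries resolved from the config, and the client ports are constructed ephemeral values. Whether a filter on one peer alone is enough in practice is the open question in the thread; the model only shows what the ACL text permits.

```python
"""Model of ASA vpn-filter ACL matching (added illustration, not Cisco code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# 'name' statements from the posted config
NAMES = {"Remote_FTP1": "192.168.6.115", "Remote_FTP2": "192.168.6.116"}
PORT_NAMES = {"ftp": 21, "ssh": 22, "https": 443}

# Accepts 'show access-list' output as well as configuration lines
ACE_RE = re.compile(
    r"^(?:access-list\s+\S+\s+)?(?:line\s+\d+\s+)?(?:extended\s+)?"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"host\s+(?P<src>\S+)(?:\s+eq\s+(?P<sport>\S+))?\s+"
    r"host\s+(?P<dst>\S+)(?:\s+eq\s+(?P<dport>\S+))?"
)


@dataclass
class Ace:
    action: str
    proto: str
    src: str
    sport: Optional[int]   # None means any port
    dst: str
    dport: Optional[int]


def _port(tok: Optional[str]) -> Optional[int]:
    if tok is None:
        return None
    if tok.isdigit():
        return int(tok)
    if tok in PORT_NAMES:
        return PORT_NAMES[tok]
    raise ValueError(f"unknown port name {tok!r}")


def parse_ace(line: str) -> Ace:
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    g = m.groupdict()
    return Ace(g["action"], g["proto"],
               NAMES.get(g["src"], g["src"]), _port(g["sport"]),
               NAMES.get(g["dst"], g["dst"]), _port(g["dport"]))


def _matches(ace: Ace, proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
    return (ace.proto in ("ip", proto) and ace.src == src and ace.dst == dst
            and ace.sport in (None, sport) and ace.dport in (None, dport))


def vpn_filter_permits(acl: List[str], proto: str, client: str, cport: int,
                       server: str, sport: int, local_hosts: Set[str]) -> bool:
    """True if the vpn-filter lets a client->server connection through.

    local_hosts: addresses behind this ASA. The ASA always evaluates an ACE
    with the remote address in the source position, so for a locally
    initiated connection the remote SERVER and its port occupy the ACE's
    source fields and the local client its destination fields."""
    aces = [parse_ace(l) for l in acl]
    if client in local_hosts:       # outbound into the tunnel: swapped lookup
        lookup = (proto, server, sport, client, cport)
    else:                           # inbound from the tunnel: matched as written
        lookup = (proto, client, cport, server, sport)
    for ace in aces:
        if _matches(ace, *lookup):
            return ace.action == "permit"
    return False                    # implicit deny at the end of every ACL


# Remote_vpn_filter exactly as posted in the config
REMOTE_VPN_FILTER = [
    "access-list Remote_vpn_filter extended permit tcp host 192.168.4.160 host 192.168.28.74 eq ftp",
    "access-list Remote_vpn_filter extended permit tcp host 192.168.4.160 host 192.168.27.11 eq ftp",
    "access-list Remote_vpn_filter extended permit tcp host Remote_FTP2 host 192.168.28.72 eq ftp",
    "access-list Remote_vpn_filter extended permit tcp host Remote_FTP2 eq ftp host 192.168.28.72",
    "access-list Remote_vpn_filter extended permit tcp host Remote_FTP1 host 192.168.28.72 eq ftp",
    "access-list Remote_vpn_filter extended permit tcp host Remote_FTP1 eq ftp host 192.168.28.72",
]
LOCAL = {"192.168.28.74", "192.168.27.11", "192.168.28.72"}

if __name__ == "__main__":
    # Remote-initiated FTP to the local host: the thread reports this works
    print(vpn_filter_permits(REMOTE_VPN_FILTER, "tcp", "192.168.4.160", 4000,
                             "192.168.27.11", 21, LOCAL))
    # Locally initiated FTP to the remote host: the thread reports this is denied
    print(vpn_filter_permits(REMOTE_VPN_FILTER, "tcp", "192.168.27.11", 4467,
                             "192.168.4.160", 21, LOCAL))
```

For the posted ACL the model reproduces the asymmetry the thread describes: 192.168.4.160 reaching 192.168.27.11:21 is permitted by line 2, while 192.168.27.11 opening 192.168.4.160:21 matches nothing, because line 2 constrains the local side's port to 21 and the local client is using an ephemeral port. The same model shows why the "both directions" line 4 the poster tried (`host 192.168.27.11 host 192.168.4.160 eq ftp`) cannot match either: after the swap the remote address must be in the source position. Note that the Remote_FTP1/Remote_FTP2 pairs in the posted config already follow the reverse-port pattern Jon quotes. From a least-privilege standpoint, an ACE of that shape keeps the filter in place; deleting the `vpn-filter value` line, as the poster did, lifts the per-host restriction on everything that crosses the tunnel.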