12-18-2010 05:09 AM
Can anyone help me find a network monitoring tool through which I can check the source and destination ports (TCP or UDP), IP address, and packets permitted and denied from an ASA5510 or any firewall? Especially I want to monitor which packets are denied and which are permitted by the firewall.
Any help would be appreciated.
Thanks a lot in advance.
12-22-2010 07:21 AM
I saw the captures. As you can see, the firewall is forwarding all IP proto 50 packets for this VPN outside.
I would suggest that when this stops working you collect the captures again and verify on the firewall whether you see IP proto 50 packets between the VPN peers.
The traffic is just some ESP packets; for this ASA the src and dst of the actual packets do not matter. So when the issue happens, see if you can ping the other end VPN gateway. If you are able to do that then there is no problem with the ASA and you will probably have to contact SonicWall or Checkpoint support.
12-22-2010 01:26 PM
When SMS stops, can you post the traces from the ASA? We can easily find out the problem from those.
12-18-2010 08:30 PM
I think for your requirement a server which will collect the logs should be good enough.
For logging you have Kiwi server,
or you can go for SNMP polling, and again you have a server from Orion.
But there are others which you can get for free too, so I think all you need to do is some googling.
Here are some links which will help you:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094a13.shtml
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009491c.shtml
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807c35e7.shtml
12-19-2010 01:24 PM
Thanks for your reply.
I will check the links you posted, but I want to tell you what exactly the problem is...
In my company many Microsoft .NET applications are running. We provide SMS service on all TV channels (national and international) by using some client VPNs and only one site-to-site VPN. All the traffic is passing through the ASA5510. We have a problem with the site-to-site VPN because the SMS coming through the site-to-site VPN stops (incoming and outgoing); the VPN is up and the VPN is between a SonicWall (local site) and a Checkpoint (remote site). If I put this command on the ASA5510
access-list 111 extended permit ip any any
then SMS starts working fine, but this is not the solution because it is allowing any IP.
I don't understand which particular IP or port I have to allow through the ASA.
I tried removing the ip any any command and putting in some ports and IPs, but the problem is not solved.
Kindly help, this is a very urgent issue.
If anyone wants the config of the ASA I will post it.
12-19-2010 05:23 PM
Can you please brief us on how exactly the ASA comes into the picture, because you said the tunnel is between the SonicWall and the Checkpoint.
So if it is only the VPN traffic that you want to allow on the ASA then use the access-list
permit esp any any -------> now this is assuming that the ASA is in between the SonicWall and the Checkpoint.
If the ASA is anywhere else you can just use the access-list defining the private networks.
I might not have understood your requirement, so if this is not what you are looking for then please elaborate on the topology and networks.
12-19-2010 07:31 PM
Thanks for your reply.
My network is like this:
Sonicwall----------Asa5510--------ISP----------------Checkpoint
((local) my company network)                         (remote network)
The site-to-site VPN tunnel is between the SonicWall and the Checkpoint, passing through the ASA5510.
The site-to-site VPN tunnel line is up, but the ASA is blocking only the SMS of the site-to-site VPN (between SonicWall and Checkpoint).
I also tried using the commands
access-list xx extended permit ip 192.168.12.0 255.255.255.0 72.231.238.194 255.255.255.224
tunnel traffic is 192.168.12.0---------------------72.231.231.194
access-list xx permit esp any any
but the problem is not solved.
12-19-2010 07:51 PM
Correct me if I am wrong:
from what I understand your ASA should see only encrypted packets between the SonicWall and the Checkpoint, so it really does not matter what the traffic is, because it will be encrypted.
So maybe you are not encrypting the SMS traffic.
Also, where exactly did you apply the permit ip any any ACL which allowed the SMS, and where have you applied the esp any any?
12-19-2010 08:31 PM
The encrypted packets between the SonicWall and the Checkpoint are only the SMS traffic coming from the Checkpoint to the SonicWall.
sh run
ASA5510(config)# sh running-config
: Saved
:
ASA Version 8.0(2)
!
hostname ASA5510
names
!
interface Ethernet0/0
speed 10
nameif OUTSIDE
security-level 0
ip address 213.x.x.154 255.255.255.252
!
interface Ethernet0/1
nameif INSIDE
security-level 100
ip address 192.168.10.12 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup OUTSIDE
dns domain-lookup INSIDE
dns server-group DefaultDNS
access-list 104 extended permit tcp any 213.x..x.96 255.255.255.240 eq 1433
access-list 104 extended permit tcp any 213.x..x.96 255.255.255.240 eq 5632
access-list 104 extended permit tcp any 213.x..x.96 255.255.255.240 eq pcanywhere-data
access-list 104 extended permit tcp any 213.x..x.96 255.255.255.240 eq www
access-list 104 extended permit tcp any 213.x..x.96 255.255.255.240 eq 8080
access-list 104 extended permit tcp any 213.x..x.96 255.255.255.240 eq telnet
access-list 104 extended permit tcp any 213.x..x.96 255.255.255.240 eq ssh
access-list 104 extended permit tcp any 213.x..x.96 255.255.255.240 range ftp-data ftp
access-list 104 extended permit ip 192.168.12.0 255.255.255.0 72.231.238.194 255.255.255.224 //vpn tunnel traffic
access-list 104 extended permit ip any any //----ip any any
access-list 104 extended permit esp any any //---esp any any
pager lines 24
mtu OUTSIDE 1500
mtu INSIDE 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
nat (INSIDE) 1 0.0.0.0 0.0.0.0
static (INSIDE,OUTSIDE) 213.x..x..87 192.168.10.1 netmask 255.255.255.255
static (INSIDE,OUTSIDE) 213.x..x..88 192.168.10.2 netmask 255.255.255.255
static (INSIDE,OUTSIDE) 213.x..x..89 192.168.10.3 netmask 255.255.255.255
static (INSIDE,OUTSIDE) 213.x..x..90 192.168.10.5 netmask 255.255.255.255
static (INSIDE,OUTSIDE) 213.x..x..91 192.168.10.6 netmask 255.255.255.255
static (INSIDE,OUTSIDE) 213.x..x..92 192.168.10.7 netmask 255.255.255.255
note: (SonicWall IP address 192.168.10.7 NATted with 213.x.x.92)
static (INSIDE,OUTSIDE) 213.x..x..93 192.168.10.8 netmask 255.255.255.255
access-group 104 in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 213.x.x.153 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 192.168.10.0 255.255.255.0 INSIDE
telnet timeout 5
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c6372164a475c9d0aca756edf9bdb215
: end
12-19-2010 08:40 PM
Oh, your firewall is NATting here, so maybe the tunnel is negotiated on 4500.
Permit UDP port 4500 in the access-list;
udp any any will do for testing.
12-20-2010 07:26 AM
Sorry for the delayed reply.
When I put in the commands
access-list 104 extended permit udp any 213.x..x.96 255.255.255.240 eq 4500
access-list 104 permit udp any any
for some time, like 30 or 40 minutes, it works fine, receiving and sending SMS.
After that, the same problem (SMS stops).
12-20-2010 07:39 AM
Hmmmmm, that is weird.
Can you apply some captures on the inside and outside interfaces of the ASA and confirm that we are seeing the packets come to the ASA?
Also, do you see any log entries which say that packets are being dropped on the ASA?
This link will be helpful to collect the same:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807c35e7.shtml#s1
12-20-2010 02:51 PM
ASA5510# sh logging
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Deny Conn when Queue Full: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 11 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
%ASA-4-106023: Deny protocol 50 src OUTSIDE:62.x.x.6 dst INSIDE:213.x.x.104
by access-group "104" [0x0, 0x0]
UDP request discarded from 192.168.10.100/137 to
INSIDE:192.168.10.255/137
%ASA-4-106023: Deny protocol 50 src OUTSIDE:62.x.x.6 dst INSIDE:213.x.x.104
by access-group "104" [0x0, 0x0]
%ASA-6-302014: Teardown TCP connection 1028 for
OUTSIDE:195.229.249.53/27752 to INSIDE:192.168.10.11/1531
duration 0:00:30 bytes 0 SYN Timeout
Note: the ASA is blocking protocol 50, but when I allowed it there was no difference; the problem is as it was. 62.x.x.6 is the remote peer and 213.x.x.204 is the local peer.
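The "sh logging" output above is exactly the data the original question asked for: which packets the firewall denies, and by which access-group. The following is an added example, not code from the thread or from Cisco, that parses ASA 106023 deny messages (re-joining lines that a terminal paste has wrapped, as in the post above), counts denied flows by protocol, source, destination and ACL, and flags the denies that are IPsec or IKE packets, which is the traffic a site-to-site tunnel transiting the ASA depends on. The sample log is constructed from the format of the posted output with documentation addresses (203.0.113.0/24, 198.51.100.0/24) standing in for the real peers.

```python
import re
from collections import Counter

# ASA syslog message 106023: "Deny <proto> src <if>:<ip>[/port] dst <if>:<ip>[/port] by access-group "<acl>"".
# The protocol field is a name (tcp, udp, icmp) or "protocol <n>" for other IP protocols such as 50 (ESP).
DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>protocol \d+|[a-z]+) '
    r'src (?P<src_if>\w+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dst_if>\w+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))? '
    r'by access-group "(?P<acl>[^"]+)"'
)

# IP protocol numbers carried by an IPsec tunnel, and the UDP ports used by IKE (500) and NAT-T (4500).
IP_PROTO_NAMES = {"50": "esp", "51": "ah"}
IKE_PORTS = {"500", "4500"}


def join_wrapped(text):
    """Re-join syslog messages that a terminal or paste wrapped onto several lines.

    A continuation line is any non-empty line that does not start with '%ASA-'.
    """
    messages = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("%ASA-") or not messages:
            messages.append(line)
        else:
            messages[-1] += " " + line
    return messages


def parse_deny(message):
    """Return a dict describing a 106023 deny, or None for any other message."""
    m = DENY_RE.search(message)
    if not m:
        return None
    rec = m.groupdict()
    if rec["proto"].startswith("protocol "):
        num = rec["proto"].split()[1]
        rec["proto"] = IP_PROTO_NAMES.get(num, "ip-proto-" + num)
    return rec


def is_vpn_transit(rec):
    """True when the denied packet is IPsec (ESP/AH) or IKE (UDP 500/4500)."""
    return rec["proto"] in ("esp", "ah") or (rec["proto"] == "udp" and rec["dport"] in IKE_PORTS)


def summarize_denies(text):
    """Count denied flows by (protocol, src, dst, acl); also return the IPsec/IKE denies."""
    counts = Counter()
    vpn_hits = []
    for message in join_wrapped(text):
        rec = parse_deny(message)
        if rec is None:
            continue
        counts[(rec["proto"], rec["src"], rec["dst"], rec["acl"])] += 1
        if is_vpn_transit(rec):
            vpn_hits.append(rec)
    return counts, vpn_hits


# Constructed sample modelled on the posted "sh logging" output; addresses are documentation ranges.
SAMPLE_LOG = """
%ASA-4-106023: Deny protocol 50 src OUTSIDE:203.0.113.6 dst INSIDE:198.51.100.104
by access-group "104" [0x0, 0x0]
UDP request discarded from 192.168.10.100/137 to
INSIDE:192.168.10.255/137
%ASA-4-106023: Deny protocol 50 src OUTSIDE:203.0.113.6 dst INSIDE:198.51.100.104
by access-group "104" [0x0, 0x0]
%ASA-4-106023: Deny udp src OUTSIDE:203.0.113.6/4500 dst INSIDE:198.51.100.104/4500
by access-group "104" [0x0, 0x0]
%ASA-4-106023: Deny tcp src OUTSIDE:203.0.113.9/40512 dst INSIDE:198.51.100.104/50
by access-group "104" [0x0, 0x0]
%ASA-6-302014: Teardown TCP connection 1028 for
OUTSIDE:198.51.100.53/27752 to INSIDE:192.168.10.11/1531
duration 0:00:30 bytes 0 SYN Timeout
"""

if __name__ == "__main__":
    counts, vpn_hits = summarize_denies(SAMPLE_LOG)
    for (proto, src, dst, acl), n in counts.most_common():
        print(f"{n:3d}  {proto:<5} {src} -> {dst}  denied by ACL {acl}")
    print(f"{len(vpn_hits)} of those denies were IPsec/IKE packets")
```

Run against a real "sh logging" buffer (or a syslog file from a Kiwi-style collector as suggested earlier in the thread), the `vpn_hits` list is the quick check for the symptom in this thread: if ESP or UDP 4500 from the remote peer shows up there, the access-group on the outside interface is what is dropping the tunnel, and the capture on both interfaces will confirm it.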
12-20-2010 08:53 PM
Can you please use the link that I sent in my last post and apply captures on both inside and outside and see if
12-21-2010 04:18 PM
Hi jathaval,
Thanks a lot for your help.
When I put in the following commands
access-list 104 extended permit tcp any 213.x.x.x 255.255.255.x eq 50
access-list 104 extended permit udp any 213.x.x.x 255.255.255.x eq 50
access-list 104 extended permit esp any any
access-list 104 extended permit gre any any
no access-list 104 extended permit ip any any
now everything is fine; SMS are coming.
But I think there is no need to allow esp, gre, ah, port 50 and so many protocols.
Anyway, I will just keep on monitoring for some time, after which I will remove the unwanted ports and protocols.
Please find attached the file of traces from the inside interface and outside interface of the ASA.
vpn local peer = 213.32.222.44
vpn remote = 62.x.x.6
172.16.10.7 = SonicWall outside interface NATted with 213.32.222.44
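Two details of the ASA configuration posted earlier and of the final access-list above are worth seeing in code. An ASA access-list is evaluated top-down and the first matching entry wins, so in the posted config the line `permit ip any any` sits ahead of `permit esp any any` and the ESP line can never match. And in the `tcp ... eq 50` / `udp ... eq 50` lines, `eq 50` is TCP or UDP port 50, while the denied packets in the log are IP protocol 50 (ESP), which only the `permit esp` line matches. The following is an added example, not code from the thread or from Cisco: a small first-match evaluator for the ASA ACL syntax used in the posts, a shadowed-entry check, and, as an assumption about what a narrower ruleset would look like, a third ACL that permits only ESP and IKE (UDP 500/4500) between the two peer addresses. Addresses are documentation ranges standing in for the masked ones on the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IP protocol numbers for the keywords used in the posts; "ip" matches every protocol.
IP_PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "www": 80, "http": 80}


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # only meaningful for tcp/udp "eq <port>"


def _addr(t, i):
    """Consume one ASA address spec: any | host A | A MASK; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list <id> [extended] <permit|deny> <proto> <src> <dst> [eq <port>]'."""
    t = line.split()
    i = 3 if t[2] == "extended" else 2
    action, proto = t[i], t[i + 1]
    src, i = _addr(t, i + 2)
    dst, i = _addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Ace(action, proto, src, dst, dport)


def load_acl(lines):
    return [parse_ace(l) for l in lines]


def matches(ace, pkt):
    """pkt is (ip_protocol_number, src_ip, dst_ip, dst_port_or_None)."""
    proto, src, dst, dport = pkt
    if ace.proto != "ip" and IP_PROTO[ace.proto] != proto:
        return False
    if ipaddress.ip_address(src) not in ace.src or ipaddress.ip_address(dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == dport


def evaluate(acl, pkt):
    """First match wins; no match is the implicit deny at the end of every ASA ACL."""
    for i, ace in enumerate(acl):
        if matches(ace, pkt):
            return i, ace.action
    return None, "deny"


def shadowed(acl):
    """Indices of entries that can never match because an earlier entry already covers them."""
    def covers(a, b):
        return ((a.proto == "ip" or a.proto == b.proto) and a.src.supernet_of(b.src)
                and a.dst.supernet_of(b.dst) and (a.dport is None or a.dport == b.dport))
    return [j for j in range(len(acl)) if any(covers(acl[i], acl[j]) for i in range(j))]


# Constructed ACLs shaped like the ones in the thread (198.51.100.96/28 stands for the masked public block).
ACL_FROM_POST = [  # order as in the posted config: ip any any before esp any any
    "access-list 104 extended permit tcp any 198.51.100.96 255.255.255.240 eq 1433",
    "access-list 104 extended permit tcp any 198.51.100.96 255.255.255.240 eq www",
    "access-list 104 extended permit ip any any",
    "access-list 104 extended permit esp any any",
]
ACL_FINAL = [  # the working set from the last post, minus ip any any
    "access-list 104 extended permit tcp any 198.51.100.96 255.255.255.240 eq 1433",
    "access-list 104 extended permit tcp any 198.51.100.96 255.255.255.240 eq 50",
    "access-list 104 extended permit udp any 198.51.100.96 255.255.255.240 eq 50",
    "access-list 104 extended permit esp any any",
]
ACL_TIGHT = [  # assumption: tunnel traffic only, pinned to the two peers (203.0.113.6 remote, 198.51.100.104 local)
    "access-list 104 extended permit udp host 203.0.113.6 host 198.51.100.104 eq 500",
    "access-list 104 extended permit udp host 203.0.113.6 host 198.51.100.104 eq 4500",
    "access-list 104 extended permit esp host 203.0.113.6 host 198.51.100.104",
]

if __name__ == "__main__":
    esp_pkt = (50, "203.0.113.6", "198.51.100.104", None)  # what the 106023 log lines show
    for name, lines in (("posted", ACL_FROM_POST), ("final", ACL_FINAL), ("tight", ACL_TIGHT)):
        acl = load_acl(lines)
        print(name, "ESP ->", evaluate(acl, esp_pkt), "shadowed entries:", shadowed(acl))
```

With the posted order, ESP is permitted by entry 2 (`ip any any`) and entry 3 is reported as shadowed; with the final ACL only entry 3 (`esp any any`) permits it, and dropping that line leaves the implicit deny, which is why the port-50 lines alone cannot carry the tunnel.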
12-21-2010 05:01 PM
The captures seem to suggest that traffic is flowing only on IP proto 50, which is ESP.
I still think it is an issue with the VPN, and maybe just a coincidence that it is working fine when you allow all those ports.
Also, on which interface were these applied? Were they applied on the inside or outside of the ASA?
12-22-2010 02:04 AM
Please check the last post; you will find the inside and outside interface traces in an attached file.