Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
960
Views
0
Helpful
3
Replies

Issue with Crypto Access-List

amit.rane
Level 1
Level 1

‎05-16-2012 12:08 AM

Hello All,

I am facing weired problem with one of our VPN tunnel. We have around 10 tunnels configured in our ASA 5520. Specific hosts are allowed in interesting traffic from both the end and are able to ping each other. But unable to telnet on some specific ports TCP/3389, TCP/53, TCP/389, TCP/445 etc. I have tried by giving IP access to crypto access-list but had no luck.

Issue got resolved after applying normal port based access-list on inside interface, which means access is working through normal access-list instead of crypto access-list. Wherein for other tunnels we have not applied any access-list on inside interface but still they are working fine.

What could be the issue? Are these ports require special access? Our OS version is 8.3(2) in which we do not required NAT 0 command for VPN tunnel.


Quick turnaround will be much appriciated.

Thanks in advance.

Amit.

Labels:
0 Helpful
3 Replies 3

Shone_Aleksey
Level 1
Level 1

‎05-16-2012 02:42 AM

Hello, Amit.

Seems need add inspection trafic for

TCP/3389, TCP/53, TCP/389, TCP/445.

ASA(config)#policy-map global_policy

ASA(config-pmap)#class inspection_default

ASA(config-pmap-c)#inspect dns

ASA(config-pmap-c)#inspect ils

...

THT

0 Helpful

amit.rane
Level 1
Level 1
In response to Shone_Aleksey

‎05-16-2012 08:25 PM

Shone,

Thanks for your reply. I have tried by enabling ils (tcp/389) port but still unable to telnet after removing access-list on inside interface. Also is there any way i can modify default globlal_policy?

Regards,

Amit.

0 Helpful

Shone_Aleksey
Level 1
Level 1
In response to amit.rane

‎05-17-2012 01:14 AM

Hi, Amit.

For inspecting your trafic, in global_policy follow this template:

class-map MYPORT

     match port tcp eq

policy-map global_policy

     class MYPORT

     inspect MYPORT

p.s.

policy-map global_policy must already exist and "service-policy global_policy global" command present in config.

HTH

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents