5505: IPsec for 0.0.0.0/0 port 80 breaks NAT for non-port80 ?

PaulWouters

Hi,

I have set up a Cisco 5505 using ASDM with an IPsec VPN for lan to 0/0 port 80 (and 443). The idea is to forward port 80/443 for processing elsewhere, and to NAT everything else like normal.

When I configure the VPN, it correctly triggers for port 80/443 traffic. But all traffic for other ports somehow is now also not getting NAT'ed anymore, and leaks out the public interface with the LAN's source IP. I am not sure how to resolve this. I've attached the config below. LAN is 192.168.77.0/24, everything in this test setup is wide open. Config not manually modified from the ASDM-generated config.

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.77.1 255.255.255.0
!
interface Vlan2
no forward interface Vlan1
nameif outside
security-level 0
ip address 76.10.157.76 255.255.255.240
!
interface Vlan5
nameif dmz
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service http tcp
description http
port-object eq www
object-group service DM_INLINE_TCP_1 tcp
group-object http
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
group-object http
port-object eq https
object-group service DM_INLINE_TCP_3 tcp
group-object http
port-object eq https
access-list inside_access_in remark allow all
access-list inside_access_in extended permit ip any any
access-list outside_access_in remark all
access-list outside_access_in extended permit ip any any
access-list inside_nat0_outbound extended permit ip 192.168.77.0 255.255.255.0 any
access-list outside_cryptomap extended permit tcp 192.168.77.0 255.255.255.0 any object-group DM_INLINE_TCP_3
pager lines 24
logging enable
logging asdm informational
logging host outside 76.10.157.69
logging debug-trace
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 76.10.157.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.77.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set pfs group5
crypto map outside_map1 1 set peer 76.10.157.74
crypto map outside_map1 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 3
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.77.5-192.168.77.36 inside
dhcpd dns 193.110.157.136 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec
tunnel-group 76.10.157.74 type ipsec-l2l
tunnel-group 76.10.157.74 ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:def1e50322ac73a7f0ecd342d56b3784
: end

8 Replies

Hi Paul,

The interesting traffic is defined for only TCP ports 80 and 443.

You should define the interesting traffic as an IP ACL (not TCP)

And if you want to filter traffic through the tunnel you can create filters.

Federico.

What I did was use the ASDM and set the "service" to "http,https". This defines the traffic selector for IPsec. The ASDM then created all the rules. I am not sure what you mean with using ACLs. (I'm not versed in Cisco much, hence my use of the ASDM.)

Exactly Paul,

But what I mean is that when you define traffic for VPN tunnel, you should define the traffic as IP (instead of just choosing the TCP ports).

So, back on that line, instead of choosing http/https, choose IP as the protocol (without ports).

This will allow all traffic between the IPs to flow through the tunnel and not just port 80 and 443.

Federico.

But that is not what I need. I need to send ONLY all traffic to port 80+443 over the IPsec tunnel. Everything else should NOT go via the IPsec tunnel and should go out "normally", which means it should get NAT'ed to the router's outside IP and be sent out without encryption.

I think I understood what you are saying here, so try this:

no access-list inside_nat0_outbound extended permit ip 192.168.77.0 255.255.255.0 any

access-list inside_nat0_outbound extended permit tcp 192.168.77.0 255.255.255.0 any object-group DM_INLINE_TCP_3

Manish
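To see why the nat 0 ACL has to mirror the crypto ACL, here is an added example (not code from the thread or from Cisco) that models the ASA 8.2 egress order of operations in a few lines of Python: NAT is decided first, with the nat 0 exemption ACL checked before the dynamic nat/global PAT rule, and only then is the crypto map ACL matched against the post-NAT packet. It replays three constructed flows through the original nat 0 ACL, Manish's narrowed one, and, going beyond the thread, a configuration with no exemption at all. The source and destination addresses, the helper names and the result dictionary are assumptions made for the illustration; only the LAN, the outside interface address and the two ACLs come from the posted config.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    """One extended ACE: protocol, source net, destination net, destination ports.
    proto "ip" matches any protocol; an empty dports set matches any port."""
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: frozenset = frozenset()

    def matches(self, proto, src, dst, dport):
        if self.proto != "ip" and self.proto != proto:
            return False
        if ipaddress.ip_address(src) not in self.src:
            return False
        if ipaddress.ip_address(dst) not in self.dst:
            return False
        return not self.dports or dport in self.dports


def acl_permits(acl, proto, src, dst, dport):
    """First-match semantics; every ACE here is a permit."""
    return any(ace.matches(proto, src, dst, dport) for ace in acl)


LAN = ipaddress.ip_network("192.168.77.0/24")      # from the posted config
ANY = ipaddress.ip_network("0.0.0.0/0")
OUTSIDE_IP = "76.10.157.76"                       # global (outside) 1 interface

# access-list outside_cryptomap: tcp LAN -> any, ports 80/443 (DM_INLINE_TCP_3)
CRYPTO_ACL = [Ace("tcp", LAN, ANY, frozenset({80, 443}))]
# original nat 0 ACL: permit ip LAN any  (exempts everything from NAT)
NAT0_ORIGINAL = [Ace("ip", LAN, ANY)]
# Manish's fix: nat 0 ACL identical to the crypto ACL
NAT0_FIXED = [Ace("tcp", LAN, ANY, frozenset({80, 443}))]
# hypothetical: no NAT exemption configured at all (assumption, not in the thread)
NAT0_NONE = []


def egress(flow, crypto_acl, nat0_acl):
    """Simplified ASA 8.2 egress path for an inside->outside flow.
    Step 1: NAT. nat 0 exemption wins over nat (inside) 1 / global PAT.
    Step 2: crypto map ACL is evaluated on the post-NAT packet."""
    proto, src, dst, dport = flow
    if acl_permits(nat0_acl, proto, src, dst, dport):
        src_on_wire = src                      # identity: private source kept
    else:
        src_on_wire = OUTSIDE_IP               # PAT to the outside interface
    tunneled = acl_permits(crypto_acl, proto, src_on_wire, dst, dport)
    # A private source that leaves in the clear is the leak Paul observed.
    leaks = (not tunneled) and ipaddress.ip_address(src_on_wire).is_private
    return {"tunneled": tunneled, "src_on_wire": src_on_wire, "leaks_private_src": leaks}


def replay(nat0_acl):
    """Run the constructed sample flows (TEST-NET-3 destination) through one nat 0 ACL."""
    flows = [
        ("tcp", "192.168.77.10", "203.0.113.5", 80),   # should be tunneled
        ("tcp", "192.168.77.10", "203.0.113.5", 22),   # should be PAT'ed, clear
        ("udp", "192.168.77.10", "203.0.113.5", 53),   # should be PAT'ed, clear
    ]
    return {flow: egress(flow, CRYPTO_ACL, nat0_acl) for flow in flows}


if __name__ == "__main__":
    for name, acl in (("original", NAT0_ORIGINAL), ("fixed", NAT0_FIXED), ("no nat 0", NAT0_NONE)):
        print(f"--- nat 0 ACL: {name}")
        for flow, result in replay(acl).items():
            print(f"{flow[0]}/{flow[3]:<4} -> tunnel={result['tunneled']!s:<5} "
                  f"src={result['src_on_wire']:<15} leak={result['leaks_private_src']}")
```

With the original ACL the port 22 and UDP flows keep 192.168.77.10 as source and are not tunneled, which is the leak. With the narrowed ACL they are PAT'ed to 76.10.157.76 while port 80/443 still matches the crypto map. The third case shows the opposite failure: without any exemption the web traffic is PAT'ed first, no longer matches the crypto ACL's 192.168.77.0/24 source, and silently leaves in the clear, which is why the exemption must exist and must cover exactly the tunnel selector.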

Hey Paul,

I was not understanding your requirement correctly.

I think Manish is giving you the correct answer :-)

Federico.

Though that seems to fix NAT for non port 80/443, it now no longer initiates IPsec tunnels for port 80/443 traffic, and the client behind the cisco gets an immediate "connection refused" for port 80/443 attempts.

Paul,

Check this discussion out; the correct answer on this is what you need to do once the IPsec traffic reaches the remote side.

https://supportforums.cisco.com/message/3225170#3225170

Manish
