04-13-2015 04:12 AM
I have built a S2S VPN between a Cisco ASA 5525X (on latest firmware 9.4.1) to a Checkpoint managed by a partner. I can ping across the VPN sourcing from the correct IP on my side to an IP on their side in the encryption domain, so the VPN does come up.
The problem I am experiencing is that when I try to reach the remote end on different ports the traffic is blocked by the firewall access-list.
There is no vpn-filter applied and VPNs are set so that they should bypass access-lists (sysopt connection permit-vpn), so I don't understand why the traffic is blocked.
RP/0/RSP0/CPU0:-ASR9010-1#ping vrf XXXX 10.20.10.45 source Lo10
Mon Apr 13 11:42:02.310 BST
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.10.45, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 14/14/16 ms
RP/0/RSP0/CPU0:CG-THN-ASR9010-1#telnet vrf XXXX 10.20.10.45 source Lo10
Trying 10.20.10.45...
Use specified source interface(Loopback10).
Use 172.16.10.1 as local address.
telnet: Unable to connect to remote host: Connection refused
RP/0/RSP0/CPU0:-ASR9010-1#telnet vrf XXXX 10.20.10.45 source Lo10 80
Trying 10.20.10.45...
Use specified source interface(Loopback10).
Use 172.16.10.1 as local address.
telnet: Unable to connect to remote host: Connection refused
Logging shows that the access-list is blocking the traffic.
When I add a rule to allow the traffic through in the main firewall rules it works (it times out because it's just going to a loopback at this stage).
RP/0/RSP0/CPU0:CG-THN-ASR9010-1#telnet vrf XXXX 10.20.10.45 source Lo10 80
Trying 10.20.10.45...
Use specified source interface(Loopback10).
Use 172.16.10.1 as local address.
telnet: Unable to connect to remote host: Connection timed out
Is there something obvious I am missing? I don't understand why the access-list is blocking the traffic. I'm wondering whether there is a bug or something. The only difference between this and other VPNs I have configured in the past is that this one is using PFS, but I don't see why that would cause this problem.
04-13-2015 04:25 AM
Just to clarify - this is on production equipment. The ASA is for a client migrating from an old 5510 and the VPN is a test VPN with loopbacks created on both sides to ensure that the VPN works (after some problems on a previous migration window).
So that is why I am testing using ping and telnet to different ports.
04-13-2015 08:45 AM
Hello Ayub,
Please post your config of the VPN tunnel for easier troubleshooting.
thanks
04-13-2015 09:40 AM
Hi,
Config is below:
access-list Outside_cryptomap_2 extended permit ip object Test_172.16.10.0 object TEST_10.20.10.32_27
crypto map Outside_map 3 match address Outside_cryptomap_2
crypto map Outside_map 3 set pfs
crypto map Outside_map 3 set peer X.X.X.X
crypto map Outside_map 3 set ikev1 transform-set ESP-AES-256-SHA
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
vpn-tunnel-protocol ikev1
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X general-attributes
default-group-policy GroupPolicy_VPN
tunnel-group X.X.X.X ipsec-attributes
ikev1 pre-shared-key *****
04-13-2015 10:22 AM
Do you have NAT exemption configured as well?
04-14-2015 12:59 AM
Yes:
nat (Inside,Outside) source static Test_172.16.10.0 Test_172.16.10.0 destination static TEST_10.20.10.32_27 TEST_10.20.10.32_27 no-proxy-arp route-lookup
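The three things the thread has asked about so far (the crypto ACL, the twice-NAT exemption, and whether anything other than the interface ACL could filter the tunnel) can be cross-checked mechanically from a running config. The script below is an added example and is not code from the thread or from Cisco; it parses a constructed config built from the snippets posted above. The `object network` definitions and the `sysopt connection permit-vpn` line are assumptions, since the poster did not show them, and `X.X.X.X` is the redacted peer from the thread. It reports a crypto map entry whose ACL pair has no identity NAT exemption, a `vpn-filter` attached to the tunnel's group policy (which filters tunnel traffic regardless of `sysopt connection permit-vpn`), and an explicit `no sysopt connection permit-vpn`.

```python
"""Consistency checks for an ASA IKEv1 site-to-site VPN config (added example)."""
import re

# Constructed sample modelled on the config posted in the thread.
# The object definitions and the sysopt line are assumptions; X.X.X.X is the redacted peer.
SAMPLE_CONFIG = """
object network Test_172.16.10.0
 subnet 172.16.10.0 255.255.255.0
object network TEST_10.20.10.32_27
 subnet 10.20.10.32 255.255.255.224
access-list Outside_cryptomap_2 extended permit ip object Test_172.16.10.0 object TEST_10.20.10.32_27
nat (Inside,Outside) source static Test_172.16.10.0 Test_172.16.10.0 destination static TEST_10.20.10.32_27 TEST_10.20.10.32_27 no-proxy-arp route-lookup
crypto map Outside_map 3 match address Outside_cryptomap_2
crypto map Outside_map 3 set pfs
crypto map Outside_map 3 set peer X.X.X.X
crypto map Outside_map 3 set ikev1 transform-set ESP-AES-256-SHA
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
 vpn-tunnel-protocol ikev1
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X general-attributes
 default-group-policy GroupPolicy_VPN
sysopt connection permit-vpn
"""


def sections(config):
    """Map each unindented config line to the token lists of its indented sub-lines."""
    out, current = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):
            out.setdefault(current, []).append(line.split())
        else:
            current = line.strip()
            out.setdefault(current, [])
    return out


def _operand(tokens, i):
    """Consume one ACL address operand at tokens[i]; return (normalised text, next index)."""
    t = tokens[i]
    if t in ("object", "object-group"):
        return tokens[i + 1], i + 2          # bare object name, comparable with NAT rules
    if t in ("any", "any4", "any6"):
        return t, i + 1
    return f"{t} {tokens[i + 1]}", i + 2     # 'host A.B.C.D' or 'network mask'


def crypto_acl_pairs(config, acl_name):
    """(source, destination) pairs from the 'permit ip' lines of the named crypto ACL."""
    pairs = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:5] == ["access-list", acl_name, "extended", "permit", "ip"]:
            src, i = _operand(tokens, 5)
            dst, _ = _operand(tokens, i)
            pairs.append((src, dst))
    return pairs


def nat_exemptions(config):
    """Identity twice-NAT rules (real == mapped for both source and destination)."""
    rx = re.compile(r"^nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)", re.M)
    return {(s, d) for s, s2, d, d2 in rx.findall(config) if s == s2 and d == d2}


def crypto_map_entries(config):
    """Per (map name, sequence): the crypto ACL, peer and whether PFS is set."""
    entries = {}
    for m in re.finditer(r"^crypto map (\S+) (\d+) (.+)$", config, re.M):
        e = entries.setdefault((m.group(1), int(m.group(2))), {"pfs": False})
        rest = m.group(3).split()
        if rest[:2] == ["match", "address"]:
            e["acl"] = rest[2]
        elif rest[:2] == ["set", "pfs"]:
            e["pfs"] = True
        elif rest[:2] == ["set", "peer"]:
            e["peer"] = rest[2]
    return entries


def check_vpn(config):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings, secs, exempt = [], sections(config), nat_exemptions(config)
    if "no sysopt connection permit-vpn" in secs:
        findings.append("sysopt connection permit-vpn is disabled: interface ACLs apply to decrypted VPN traffic")
    for (name, seq), e in crypto_map_entries(config).items():
        tag = f"crypto map {name} {seq}"
        if "acl" not in e or "peer" not in e:
            findings.append(f"{tag}: incomplete entry (needs 'match address' and 'set peer')")
            continue
        for src, dst in crypto_acl_pairs(config, e["acl"]):
            if (src, dst) not in exempt:
                findings.append(f"{tag}: no identity NAT exemption for {src} -> {dst}")
        policy = None
        for toks in secs.get(f"tunnel-group {e['peer']} general-attributes", []):
            if toks[:1] == ["default-group-policy"]:
                policy = toks[1]
        for toks in secs.get(f"group-policy {policy} attributes", []):
            if toks[:2] == ["vpn-filter", "value"]:
                findings.append(f"{tag}: vpn-filter {toks[2]} on {policy} filters tunnel traffic regardless of permit-vpn")
    return findings


if __name__ == "__main__":
    for f in check_vpn(SAMPLE_CONFIG) or ["no findings"]:
        print(f)
```

Feed it the output of `show running-config` instead of the constructed sample to run the same checks against a real box; the NAT check compares object names only, so a crypto ACL written with literal networks rather than objects is reported as unexempted and should be reviewed by hand.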
04-14-2015 08:32 AM
Can you also make sure that you have a static route in place on the ASA itself as shown below? I assume that your internet-facing interface is named "outside".
route outside 10.20.10.32 255.255.255.224 xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx = default-gateway address on the ASA.
Also make sure you have a static route in place to push all tunnel bound traffic to ASA inside address from your internal switch.
thanks
04-14-2015 08:52 AM
Hi,
Yes, that is all in place. As I stated in my original post, I can ping across the VPN but it's not letting other traffic through. That's the problem I am experiencing.
04-14-2015 12:00 PM
"it's not letting other traffic through."
What other traffic, what do you mean?
What is permitted in the tunnel will traverse the tunnel, assuming both tunnel endpoints permit the traffic as an exact match, i.e. the encryption domain.
04-14-2015 12:18 PM
Sorry but did you read all of my original post?
04-15-2015 07:56 AM
Try this.
telnet 10.20.10.45 /source-interface vrf XXXX Lo10 80