bidirectional vpn access

suthomas1
Level 6

An IPsec VPN whose traffic flows as below:

  Site A (192.168.112.5) -> Firewall1 -> Firewall2 -> Internet -> Site B (172.16.15.81)

ACL on the Site A Firewall2, where IPsec is defined: access-list 113 extended permit ip host 192.168.112.5 172.16.15.81 255.255.255.224

Site A is using an ASA & Site B is using a 2811.

The VPN is running fine. From the Site B terminal (172.16.15.81), they can reach the Site A terminal (192.168.112.5) on socket 1494. The problem is faced when

Site A does the same thing on 1494 to Site B: it can't connect to that socket on the Site B terminal.

The required result is that both Site A & Site B can initiate & succeed in connecting to each other's server on 1494, bidirectionally.

Routing looks fine at both ends. Access groups are put on Firewall1 & 2 for these needed things; hits can be viewed on these.

The Site B server socket looks good, as it is reachable when tested locally from Site B.

1. Capture on Firewall1 shows Site A sending SYNs to the Site B terminal.

   1: 20:52:02.1403996876 112.1Q vlan#112 P0 192.168.112.5.3817 > 172.16.15.81.1494: S 3739309736:3739309736(0) win 65535 <mss 1460,nop,nop,sackOK>

   2: 20:52:03.1403997316 112.1Q vlan#112 P0 192.168.112.5.3817 > 172.16.15.81.1494: S 3739309736:3739309736(0) win 65535 <mss 1460,nop,nop,sackOK>

   3: 20:52:03.1403997816 112.1Q vlan#112 P0 192.168.112.5.3817 > 172.16.15.81.1494: S 3739309736:3739309736(0) win 65535 <mss 1460,nop,nop,sackOK>

2. Capture on Firewall2 when this is tried.

   1: 20:57:17.571381 192.168.112.5.3873 > 172.16.15.81.1494: S 1032152616:1032152616(0) win 65535 <mss 1380,nop,nop,sackOK>

   2: 20:57:18.644238 192.168.112.5.3873 > 172.16.15.81.1494: S 1032152616:1032152616(0) win 65535 <mss 1380,nop,nop,sackOK>

On the router at Site B, the remote person says they have done what is necessary for this to work. I am awaiting that part of the config from them.

Meanwhile, with the above detail, please help me if there is something wrong or if some more checks need to be done. Do let me know if more output is required.

TIA.

18 Replies

My apologies if it didn't help you. Only IP addresses were masked & some AnyConnect VPN portions were left out.

Interestingly, now I see a different capture result for this traffic on fwl2 (the IPsec firewall):

   1: 14:11:34.274659 192.168.112.5.3310 > 172.16.15.81.1494: S 3351596950:3351596950(0) win 65535

   2: 14:11:34.274720 172.16.15.81.1494 > 192.168.112.5.3310: R 0:0(0) ack 3351596951 win 65535

   3: 14:11:35.190358 192.168.112.5.3310 > 172.16.15.81.1494: S 3351596950:3351596950(0) win 65535

   4: 14:11:35.190435 172.16.15.81.1494 > 192.168.112.5.3310: R 0:0(0) ack 3351596951 win 65535

Previously I saw only the SYN going past. Does a reset from the destination mean 1494 itself is having a problem, or is it a reset by a remote device?

fwl2 does not give any logs during this try; however, fwl1 gives similar logs as detailed in the earlier post (built/teardown & deny tcp messages).

Please suggest what more output is required from the configuration, else I can PM the entire config.

Appreciate your help. Thanks.

Hi,

Hmmm.. That port is certainly blocked somewhere. Right now we cannot confirm whether the reset is coming from the remote host, from this ASA itself, or from somewhere else. The ASA itself is capable of sending out resets for traffic it drops if you have service resetinbound on the ASA. Please post the output of show run all service from FW2.

Also, when you apply the capture, please apply it with the trace keyword as below:

capture capin access-list ACL trace interface local

Then, after generating the traffic, get the output of show cap capin trace.

Cheers,

Prapanch

Thanks Prapanch.

Here is the output:

sh run all service

service password-recovery

4 packets captured

   1: 14:59:54.892867 192.168.112.5.3739 > 172.16.15.81.1494: S 2049114731:2049114731(0) win 65535

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

MAC Access list

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 3

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 4

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   172.16.15.80   255.255.255.240 outside

Phase: 5

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

   2: 14:59:54.892989 172.16.15.81.1494 > 192.168.112.5.3739: R 0:0(0) ack 2049114732 win 65535

   3: 14:59:55.844789 192.168.112.5.3739 > 172.16.15.81.1494: S 2049114731:2049114731(0) win 65535

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

MAC Access list

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 3

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 4

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   172.16.15.80   255.255.255.240 outside

Phase: 5

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

   4: 14:59:55.844896 172.16.15.81.1494 > 192.168.112.5.3739: R 0:0(0) ack 2049114732 win 65535

4 packets shown
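The three captures in this thread (the SYN-only capture on Firewall2 in the first post, the SYN/RST pairs in the follow-up, and the show cap capin trace output above) can be triaged with a small script rather than by eye. The Python below is an added example written for this page; it is not a Cisco tool and not something the posters ran. It parses ASA show capture text into per-packet records, reports flows where only SYNs leave and the reverse tuple never appears, lists traced packets that were dropped together with the phase and Drop-reason, and pairs each dropped SYN with a RST on the reverse tuple seen within a short window. The sample inputs are excerpts of the captures posted in the thread, trimmed to the lines the parser reads; the function names and the 1 ms pairing window are the example's own choices.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Packet line:  "   2: 14:11:34.274720 172.16.15.81.1494 > 192.168.112.5.3310: R 0:0(0) ack ..."
HEAD_RE = re.compile(r"^\s*(\d+):\s*(\d{1,2}:\d{2}:\d{2})\.(\d+)")
FLOW_RE = re.compile(r"(\d+(?:\.\d+){3})\.(\d+)\s*>\s*(\d+(?:\.\d+){3})\.(\d+):\s+([SRPFA.]+)")

@dataclass
class Packet:
    idx: int
    ts_us: int        # capture clock, microseconds since midnight
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # ASA flag string: S, S., R, P., F. ...
    phases: list = field(default_factory=list)   # (phase type, result) when traced
    drop_reason: str = ""

    @property
    def dropped(self):
        return any(res == "DROP" for _, res in self.phases)

    def tuple4(self):
        return (self.src, self.sport, self.dst, self.dport)

    def reverse(self):
        return (self.dst, self.dport, self.src, self.sport)

def parse_capture(text):
    """Parse "show capture NAME [trace]" text; trace lines attach to the packet above them."""
    packets, cur, cur_type = [], None, None
    for line in text.splitlines():
        head = HEAD_RE.match(line)
        if head:
            flow = FLOW_RE.search(line)
            if not flow:                 # ARP/ICMP: no port tuple, skip
                cur = None
                continue
            h, m, s = (int(x) for x in head.group(2).split(":"))
            frac_us = int((head.group(3) + "000000")[:6])   # tolerate odd fraction widths
            cur = Packet(int(head.group(1)), ((h * 60 + m) * 60 + s) * 1_000_000 + frac_us,
                         flow.group(1), int(flow.group(2)), flow.group(3), int(flow.group(4)),
                         flow.group(5))
            cur_type = None
            packets.append(cur)
            continue
        if cur is None:
            continue
        key, _, val = line.strip().partition(":")
        val = val.strip()
        if key == "Type":
            cur_type = val
        elif key == "Result" and val and cur_type:   # the final bare "Result:" is skipped
            cur.phases.append((cur_type, val))
        elif key == "Drop-reason":
            cur.drop_reason = val
    return packets

def unanswered_syns(packets):
    """Flows where only SYNs are seen and the reverse tuple never appears: {4-tuple: SYN count}."""
    flags_by_flow = defaultdict(list)
    for p in packets:
        flags_by_flow[p.tuple4()].append(p.flags)
    return {flow: len(flags) for flow, flags in flags_by_flow.items()
            if all(f == "S" for f in flags)
            and (flow[2], flow[3], flow[0], flow[1]) not in flags_by_flow}

def dropped_packets(packets):
    """(idx, phase type that dropped it, drop reason) for every dropped packet."""
    return [(p.idx, next(t for t, r in p.phases if r == "DROP"), p.drop_reason)
            for p in packets if p.dropped]

def resets_to_dropped_syns(packets, window_us=1000):
    """Pair each dropped SYN with a RST on the reverse tuple seen within window_us.
    The trace says the SYN was never forwarded, so that RST cannot be the far host's reply."""
    pairs = []
    for i, p in enumerate(packets):
        if "S" not in p.flags or not p.dropped:
            continue
        for q in packets[i + 1:]:
            if q.ts_us - p.ts_us > window_us:
                break
            if "R" in q.flags and q.tuple4() == p.reverse():
                pairs.append((p.idx, q.idx, q.ts_us - p.ts_us))
                break
    return pairs

# Sample inputs: excerpts of the captures posted in this thread.  The trace excerpt keeps only
# the lines the parser reads (Type/Result/Drop-reason) for packet 1.
FW2_PLAIN = """\
   1: 20:57:17.571381 192.168.112.5.3873 > 172.16.15.81.1494: S 1032152616:1032152616(0) win 65535 <mss 1380,nop,nop,sackOK>
   2: 20:57:18.644238 192.168.112.5.3873 > 172.16.15.81.1494: S 1032152616:1032152616(0) win 65535 <mss 1380,nop,nop,sackOK>
"""
FW2_TRACE = """\
   1: 14:59:54.892867 192.168.112.5.3739 > 172.16.15.81.1494: S 2049114731:2049114731(0) win 65535
Type: ACCESS-LIST
Result: ALLOW
Type: ROUTE-LOOKUP
Result: ALLOW
Type: ACCESS-LIST
Result: DROP
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
   2: 14:59:54.892989 172.16.15.81.1494 > 192.168.112.5.3739: R 0:0(0) ack 2049114732 win 65535
"""

if __name__ == "__main__":
    print("one-way SYN flows:", unanswered_syns(parse_capture(FW2_PLAIN)))
    traced = parse_capture(FW2_TRACE)
    print("dropped:", dropped_packets(traced))
    print("RST within 1 ms of a dropped SYN:", resets_to_dropped_syns(traced))
```

Run as-is it reports one one-way flow (192.168.112.5:3873 to 172.16.15.81:1494, two SYNs, nothing back), packet 1 of the trace dropped in the ACCESS-LIST phase with (acl-drop) Flow is denied by configured rule, and a RST on the reverse tuple 122 microseconds later. That gap settles the question asked earlier in the thread: a SYN the trace dropped before it reached the outside interface was never seen by Site B, so the RST acknowledging it cannot be the Site B host's reply and must have been generated on the near side. The Config line of the dropping phase reads Implicit Rule, i.e. the packet matched no explicit entry on that path, which is consistent with the poster seeing no hits on the configured ACL.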

Hi,

As Prapanch pointed out earlier, no hits were seen on the ACL. I was told there was a sort of dynamic access policy in the firewall, which has the same ACL as that defined in the running configuration for the inside & outside interfaces & also the IPsec ACL. In addition there are some additional ACLs seen which are no longer used.

On the DAP ACL, hits are increasing for the VPN traffic. I will post the same after I get it from the client.

Could any gurus help me understand what the DAP is and how it came to be in place, since it was not configured manually?

& will it affect the traffic? Also, how do I remove some of the DAP lines? I get a "dap name in use" error when I try to remove it.

Appreciate all of your help. Thanks,